DNS query refused for some devices

Comments

  • Firewalla

    What is the domain address that you are doing the query on? 

  • futon_ramp

    Tested with a couple of generic ones which were being answered for other devices: bbc.com, google.com, etc

  • Firewalla

    On your PC/Linux, are you running any antivirus software? If you ping, say, the gateway address, do you get any response? What is your LAN and WAN DNS set to?

  • futon_ramp

    Still got the issue on a Windows 10 PC. There is no 3rd party AV, just standard Windows protection.

    This client is DHCP, picking up gw/dns server IPs from FWG - and it's a standard setup with clients using FWG for DNS.

    From Win10, if I ping FWG IP (default gw) I get a reply. 

    If I ping an fqdn, it doesn't resolve:

    >ping google.com.
    Ping request could not find host google.com.. Please check the name and try again.

    And nslookup - Query refused still:

    >nslookup google.com
    Server:  UnKnown
    Address:  192.168.11.1

    *** UnKnown can't find google.com: Query refused

    If I manually change the DNS server on the Win10 adapter properties (e.g. to 9.9.9.9), it works:

    >nslookup google.com
    Server:  dns9.quad9.net
    Address:  9.9.9.9

    Non-authoritative answer:
    Name:    google.com
    Addresses:  2a00:1450:4009:81f::200e
              142.250.187.206

    On FWG, the Primary WAN DNS servers were set to the ISP DNS (have now changed this to Quad9).

    On the secondary WAN it was set to Cloudflare.

    But, pretty much all other clients on the local network are working fine without issues. It seems the client that I have excluded from Ad Block/DNS Booster is the one getting DNS queries refused by FWG??

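The "Query refused" text in the nslookup output above corresponds to DNS response code 5 (REFUSED, RFC 1035): the resolver was reachable and answered, but declined the query for policy reasons, which is a different condition from a timeout or SERVFAIL. The following is an added example, not part of the thread or of Firewalla's software, that decodes that distinction from the DNS header; the reply bytes are constructed samples and `make_reply` is a hypothetical helper used only to build them.

```python
import struct

# RCODE names from RFC 1035 section 4.1.1 (low 4 bits of the header flags).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build a recursive (RD=1) query for the A record of `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": flags >> 15, "rcode": flags & 0xF, "answers": an}

def diagnose(query, response):
    """Return (rcode name, meaning) for one query/response pair."""
    if response is None:
        return "TIMEOUT", "no reply: path or port 53 problem"
    q, r = parse_header(query), parse_header(response)
    if r["qr"] != 1 or r["id"] != q["id"]:
        return "MISMATCH", "not a reply to this query"
    name = RCODES.get(r["rcode"], "RCODE%d" % r["rcode"])
    if name == "REFUSED":
        return name, "server reachable, declined the query by policy"
    if name == "NOERROR" and r["answers"]:
        return name, "resolved"
    return name, "no usable answer (see rcode)"

def make_reply(query, rcode, answer=b""):
    """Constructed sample reply: echo the question, set QR/RD/RA and rcode."""
    qid = parse_header(query)["id"]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1,
                         1 if answer else 0, 0, 0)
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_query("google.com")
    # Constructed A record: pointer to qname, type A, class IN, TTL 60.
    a = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([142, 250, 187, 206])
    for label, resp in [("local resolver", make_reply(q, 5)),
                        ("9.9.9.9", make_reply(q, 0, a)), ("silent", None)]:
        print(label, "->", diagnose(q, resp))
```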
  • Rom

    How did you resolve this? I am experiencing a similar problem.

  • futon_ramp

    Hi - never fixed it. The problem client is still configured to use external DNS servers, not the local FWG for DNS (unlike all other clients which do use FWG for DNS).

    Will take another look at some point, but for now ... no solution unfortunately. :(

  • Firewalla

    futon_ramp, what DNS have you configured on the LAN? Are you using any VPN? Are you turning on DoH or Unbound?

  • futon_ramp

    Firewalla Answers below :)


    what DNS you configured on the LAN? The Primary DNS server on the LAN is the FWG IP

    are you using any VPN? No, currently no clients are using a VPN client (either via FWG or locally)

    Are you turning on DoH or Unbound? No. DoH, Unbound are Off. DNS Booster is also OFF for the client with the problem

  • Firewalla

    You shouldn't turn off booster, it is the DNS server that does the forwarding. Anyway, I have created a ticket for you. 
