The symptom sounds sort of similar to the issue in this post, but I don’t have pi hole.
I have a pfSense firewall/router/network appliance talking to an AT&T lightspeed gateway running in passthrough mode. I’m using the pfSense DNS Resolver in forwarding mode; the AT&T Gateway is the upstream resolver, the address of which is provided to pfSense by DHCP.
Everything has been working fine for years.
For a few weeks now I’ve had this intermittent problem trying to launch the plex web app – sometimes it can’t resolve app.plex.tv. On Windows or on Linux, doing NSLOOKUP would return nothing. If I log in to the pfSense box, go to diagnostics, and do NSLOOKUP from there, it takes a veeeerrrryyy llloooooonnnnngggggg tiiiimmmmeeeee but I finally get an answer. This doesn’t seem to add an address to the DNS Resolver cache, because doing that action doesn’t mean I’ll be able to launch plex web.
I don’t know enough about DNS to make much sense of the logs on pfSense but I can see in the Plex Media Server logs where it tries to find something in the plex.tv domain and fails.
Eventually name resolution happens quickly enough again that everybody’s happy for a while. Might be a few minutes, might be a few hours, might be a couple of days (at least as far as I know).
I don’t seem to have problems with any other domain. Maybe the top-level nameserver for .tv is having trouble? I have no idea what to think.
Is anyone else noticing this?
Does anyone know enough about pfSense to give me any hints?
There was very recently an issue with the DNS server for the plex.direct domain. It failed to flag its responses as “authoritative”, which caused some DNS forwarders to disregard them.
But this should be solved now.
I’d try to use a known “good” DNS server as master, like 8.8.8.8 or 1.1.1.1, instead of your ISP’s.
I’d already done the server:private-domain:"plex.direct" thing, but in a cookbook kinda way – I just followed instructions.
I’ve turned off DNSSEC and so far it seems to be working reliably (but it’s early yet). I’ll have to look into using another DNS, although I always figured AT&T’s network engineers would know more about making it work than I ever will. That might be too naive.
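As an added illustration (not code from this thread, pfSense or Unbound) of the two checks discussed above, the missing “authoritative” flag on plex.direct answers and the rebinding protection that the server:private-domain:"plex.direct" setting relaxes, here is a small Python model that builds a constructed DNS response and judges it the way such a forwarder would. The hostname server.example.plex.direct, the transaction ID and the addresses are made up, and the verdict rules are a simplified model, not Unbound’s actual logic.

```python
import ipaddress
import struct

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "127.0.0.0/8")]  # RFC 1918 + loopback: refused by rebinding protection

def encode_name(name):  # wire-format a dotted name as length-prefixed labels
    return b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"

def build_a_response(qname, addresses, authoritative):
    """Constructed test data: a minimal DNS response with one question and N A records."""
    flags = 0x8000 | (0x0400 if authoritative else 0)          # QR bit, optional AA bit
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for addr in addresses:  # name pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(addr).packed
    return header + question + answers

def skip_name(buf, off):  # offset just past a name; a 0xC0 pointer is 2 bytes and ends it
    while buf[off] != 0 and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)

def inspect_response(buf):
    """Return (aa_flag_set, answer_count, private A-record addresses)."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4                          # skip QTYPE/QCLASS
    private = []
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1:
            ip = ipaddress.ip_address(rdata)
            if any(ip in net for net in PRIVATE_NETS):
                private.append(str(ip))
    return bool(flags & 0x0400), ancount, private

def forwarder_verdict(buf, qname, private_domains=()):
    """Simplified model: drop non-authoritative answers, then drop private addresses
    unless qname falls under a configured private-domain (what the plex.direct setting does)."""
    aa, _count, private = inspect_response(buf)
    if not aa:
        return "dropped: not authoritative"
    allowed = any(qname == d or qname.endswith("." + d) for d in private_domains)
    if private and not allowed:
        return "dropped: private address in answer (rebinding protection)"
    return "accepted"
```

Feeding it a response for a plex.direct name that points at a LAN address shows why the name is dropped without the private-domain entry and accepted with it, and why an answer lacking the AA flag is dropped either way.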
In no way am I intending to be conspiratorial, but just keep in mind that AT&T can infer a great deal about your browsing habits by allowing them to handle your DNS queries.
It’s well known they collect and sell that data – the conspiratorial thinking is they sort of hijack port 53 no matter what and monitor it even if they’re doing passthrough. It’s thought this is ONE reason they require you to use their gateway box instead of connecting directly to the ONT (fiber-to-Ethernet bridge). In theory there’s no reason you couldn’t.
But there are so many ways to infer my browsing habits the only possible solution is to do absolutely everything through a VPN, and even then it probably wouldn’t work. This just makes it easier for AT&T to respond to an FBI subpoena. The CIA, of course, don’t need no stinkin’ subpoenas.
That’s a great reason to use a privacy-minded DNS provider via DNS over HTTPS or DNS over TLS (the latter of which pfSense supports). In either case the requests/responses are encrypted, so at least one means of tracking is eliminated.
At any rate, this has nothing to do with your original request (except that third-party DNS providers generally do not employ DNS rebinding checks).