website security problems

stephenw10

@jc1976 said in website security problems:

I have cloudflare setup for dns over tls

If you are doing that then you're sending DNS queries to them rather than resolving locally. Assuming it's setup correctly.

What error do you see in Edge? Or any other browser on any other client?

Steve

jc1976

@stephenw10 it's not even the browsers, it's my software.

i have an old crappy cisco rv042 from long ago as a backup.
right now, i have that plugged in because aside from websites not loading, even my trading apps are hanging.

i have EVERY service/package shut down so there shouldn't be anything blocking anything, other than the default ruleset that blocks all incoming connections.

I'm going to have to reinstall it all from scratch when i get a chance.
really aggravating.

stephenw10

Backup your config, restore to defaults, re-test. It's easy to restore the config if it doesn't help.

jc1976

@stephenw10 yup!

i'm happy to say that my GF left for the weekend so performing a ground-up reload of pfsense is what i'll be doing tonight after i get home from work.

I'll keep you posted.

Thanks again for all your input!

jc1976

@jc1976
looks like i'm back in business..

gparted the drive and reloaded pfsense from scratch. I've got the base config down, only modifications done are to dns over tls with cloudflare..

so far, so good.. very snappy and the throughput is where it's supposed to be..

did a backup.. not sure if i wanna bother adding packages yet.. it's nice to have it back up and running. just reeeaaaaally despise the ads and marketing from my devices..

nimrod

@jc1976

I dont see any reason why you should not install pfBlockerNG.

jc1976

@nimrod well, i started off with installing squid..

i ended up canning squid/clamav because even in it's basic installation it was causing issues.

for good measure i also rebuilt the tcpip stack and winsock in my windows 10 pro install..

i spent a while working through basic rule creation to make sure they wouldn't interfere with my apps, that way i know if i have any issues when i install suricata and pfblocker i'll have a better idea of who's causing problems, should any arise.

What are peoples experience with the feodo, c2c(?), sslblacklist options that are part of the suricata install?

do they cause a lotta false positives?

johnpoz

@jc1976 said in website security problems:

i ended up canning squid/clamav

Ah you were running through a proxy - that for sure could cause speed issue.. Because your not just routing traffic your processing all of it as the proxy, etc.

pfblocker shouldn't be able to cause slowdown - since its just doing dns.. and filtering what dns you want to filter, it has nothing to do with the actual processing of the traffic through pfsense.

jc1976

@johnpoz nah not through a proxy.

i am SO FED UP WITH THIS!! it just doesn't work!

i thought it was my pc, so i switch... same thing.. i'm running pfsense stock out of the box, only change is that i have dns over tls enabled with cloudflare..

just got a gl.inet that i was going to set up for my folks.. maybe i'll take that.. i dunno.. tired of dealing with this..

sorry for the venting

johnpoz

@jc1976 said in website security problems:

i have dns over tls enabled with cloudflare..

And do your security issues go away if you just let pfsense do dns? I have been using pfsense for 10+ years and there is really nothing in pfsense that would do this..

As I went over going to amazon.com without a www gets you a redirection 301 that tells your browser to go to www.amazon.com etc.c.

Pfsense has ZERO to do with that - ZERO!! There is nothing other than IPS or a proxy that would have anything to do with any of that.. Are you trying to go through cloudflare proxy to get to these sites?

stephenw10

@stephenw10 said in website security problems:

Mmm, I could certainly believe DNS shenanigans.

Try just resolving locally, stop sending your queries to Cloudflare.

Yup.

bPsdTZpW

@stephenw10 said in website security problems:

@stephenw10 said in website security problems:

Mmm, I could certainly believe DNS shenanigans.

Try just resolving locally, stop sending your queries to Cloudflare.

Yup.

Yup.

jc1976

@bpsdtzpw
ok folks, i think i've figured it out...

firstly, i apologize profusely for venting.. I was really pushed to my limits with this thing.. i love pfsense and will always support it.

unfortunately, A) i don't know how to get in touch with an actual "engineer" at comcast/xfinity, and B) i dunno if that would even matter...

if you think i'm a conspiracy theorist, well....?? check this out.

I believe comcast is blocking dns over tls on alternate dns providers.

i don't have any issues using the ip of other providers, however once i enable DoT (out port 853) all the problems start happening. I tried quad9, and at first all things sprang back to life.. a hour later it got wonky again. far better than with cloudflare, but still isn't working properly..
All web browsing works properly if i enable DoH in my browser. My problem is my apps. I have a few big packages that i use for trading futures and those are running into problems. once i disable DoT the issues abate...

Some might think "well, just stop using DoT or just use Comcasts resolvers... My response is: i pay for this connection.. i should be able to use it however i want, PERIOD! Privacy is a RIGHT! and if we want to use another dns provider, we have THE RIGHT to do so and our isp does NOT have the right to stop us!

johnpoz

@jc1976 said in website security problems:

I believe comcast is blocking dns over tls on alternate dns providers.

That is a pretty big claim.. And your dot client should complain that the cert of the server its talking to does validate..

Blocking 853 would be one thing - but seems your saying its intercepting and sending you wrong info? A simple way to validate dot is with the kdig util

example here is to google dns that support dot

root@NewUC:/tmp# kdig -d @8.8.8.8 +tls-ca +tls-host=dns.google.com www.pfsense.org
;; DEBUG: Querying for owner(www.pfsense.org.), class(1), type(1), server(8.8.8.8), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=dns.google
;; DEBUG:      SHA-256 PIN: 65dUhctCga6DL7Xr0hDFi+V8V/3asGMbMO7Hg3MKhTY=
;; DEBUG:  #2, C=US,O=Google Trust Services LLC,CN=GTS CA 1C3
;; DEBUG:      SHA-256 PIN: zCTnfLwLKbS9S2sbp+uFz4KZOocFvXxkV06Ce9O5M2w=
;; DEBUG:  #3, C=US,O=Google Trust Services LLC,CN=GTS Root R1
;; DEBUG:      SHA-256 PIN: hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 13175
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; PADDING: 404 B

;; QUESTION SECTION:
;; www.pfsense.org.             IN      A

;; ANSWER SECTION:
www.pfsense.org.        300     IN      A       208.123.73.69

;; Received 468 B
;; Time 2021-11-22 13:23:39 CST
;; From 8.8.8.8@853(TCP) in 64.3 ms
root@NewUC:/tmp# 

Not a fan of dot or doh - but I am with you that ISP shouldn't be doing anything with my traffic other than routing it.. I normally block dot and doh locally so that none of my devices attempt to use it.. But that is my call, not the isp call, etc.

stephenw10

Mmm, exactly that^.

I could believe something is blocking port 853 entirely but not that it's intermittently blocked or only for some types of queries. Because, yeah, the latter implies something is intercepting the TLS and MITMing it.
It seems more likely that Cloudflares DoT resolvers respond differently in some way. Though I'm not sure why that would be.

I personally have DoT configured to Google DNS just to test that it works and have never seen an issue.

Steve

johnpoz

Here is doing such a test to cloudflare

root@NewUC:/tmp# kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  www.pfsense.org
;; DEBUG: Querying for owner(www.pfsense.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 54600
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 404 B

;; QUESTION SECTION:
;; www.pfsense.org.             IN      A

;; ANSWER SECTION:
www.pfsense.org.        300     IN      A       208.123.73.69

;; Received 468 B
;; Time 2021-11-22 14:48:04 CST
;; From 1.1.1.1@853(TCP) in 40.1 ms
root@NewUC:/tmp# 

stephenw10

Indeed. And testing pfsense.org returns exactly the same thing. As expected.

johnpoz

If the isp was actually intercepting dot that would be a HUGE claim.. I would also be concerned that the dot client would accept it - unless some serious shenanigans were going on with the cert being by a trusted ca..

Just out an block - ok, isp has the right to block traffic I guess, I would be looking for a new isp, etc..

bPsdTZpW

I wonder whether the OP has an infected host?

stephenw10

Some ARP poisoning or something?

Seems like it affects multiple hosts on the network so it would have to be something pretty weird.

Do you have anything else on your network that claims to be a security appliance @jc1976?

There are those single interface devices you can get the claim to filter all the bad stuff that work exactly like that. Just terrible!

Steve