pfsense blocking certain/some sites

Gurveer · Oct 3, 2022, 12:02 PM

@stephenw10 ya i tried safari opera edge brave but non worked the most common error is dns not found but in opnsense these websites works fine idk where problem is cz its fresh install(also tried everything from link you mentioned)

stephenw10 · Oct 3, 2022, 1:09 PM

So it's still intermittently failing to resolve?

Does it resolve reliably in Diag > DNS Lookup?

What error do you see when it does resolve?

Steve

bingo600 · Oct 3, 2022, 4:11 PM

@stephenw10
I have no issues w. those sites ...
See
https://forum.netgate.com/post/1064413

stephenw10 · Oct 3, 2022, 4:17 PM

Yup, works fine for me too.

So this looks like either something in your config or in your route.

It's probably not a firewall rule issue though so it would be better to continue here IMO.

You need to try to determine exactly what is failing.

Steve

Gurveer · Oct 3, 2022, 4:21 PM

@stephenw10 im kind of noob here also its fresh install just upgraded to plus from ce(sites aint working in both) but in opnsense(fresh install) it works idk whats problem is please help guys tho clinging to opnsense aint any issue but opnsense aint got alias bandwidth limiting

stephenw10 · Oct 3, 2022, 4:29 PM

@stephenw10 said in pfsense blocking certain/some sites:

So it's still intermittently failing to resolve?
Does it resolve reliably in Diag > DNS Lookup?
What error do you see when it does resolve but still fails to open?

Same questions. ^

bingo600 · Oct 3, 2022, 4:46 PM

@gurveer
What happens if you go directly to the website via the ip address ?

https://117.239.179.10/

You might have to accept (make an exception) on the certificate , as the cert will only match the below marked domains.

login-to-view

After allowing an exception for the website i see this

login-to-view

What do you see ???

Edit:
And just to recap.
Do you still have DNS issues ?

Or does a

nslookup portal.bsnl.in

Return the ip address : 117.255.216.68

Edit2:
Did we ever see OP's Unbound Config screenshots and the System --> General setup "DNS section" setup screenshots ??

/Bingo

stephenw10 · Oct 3, 2022, 4:48 PM

Mmm, this still feels like a DNS problem until we can prove conclusively it's not!

Gurveer · Oct 3, 2022, 5:23 PM

@bingo600 like you said it opened after using ip https://117.239.179.10/ instead portal2.bsnl.in now what to do?

Gurveer · Oct 3, 2022, 5:27 PM

@stephenw10 its resolves in diag>dns lookup but aint opening in browser when using portal2.bsnl.in and this is the error i get on browser "This site can’t be reached portal.bsnl.in’s DNS address could not be found. Diagnosing the problem.
DNS_PROBE_POSSIBLE"

Gurveer · Oct 3, 2022, 5:45 PM

@bingo600 where to find unbound configurations and screenshot of dns setup is here!login-to-view

viragomann · Oct 3, 2022, 5:52 PM

@gurveer
This is the DNS server used by pfSense itself.

The DNS resolver requests root DNS servers by default. But you can set it into the forwarder mode, so that it forward queries to even the DNS server stated in general setup.
To enable forwarding mode go to Services > DNS Resolver and check "DNS Query Forwarding".

Ensure that you browser uses pfSense for DNS resolution, not some DoH servers.

stephenw10 · Oct 3, 2022, 5:55 PM

@gurveer said in pfsense blocking certain/some sites:

its resolves in diag>dns lookup

What is the actual result of that test? All configured DNS servers respond? In a timely manner?

If pfSense can resolve that (on all it's comfigured servers) and your client cannot then the only conclusion is that your client is not using pfSense for DNS.

Steve

Gurveer · Oct 3, 2022, 6:01 PM

@viragomann thanks it worked (tho disabled dns resolver )btw what does this dns forwarding means ?

Gurveer · Oct 3, 2022, 6:06 PM

@stephenw10 @bingo600 @rcoleman-netgate @viragomann thanks alot you guys for helping and bearing me so long

viragomann · Oct 3, 2022, 6:07 PM

@gurveer
I tried to explain above in a view words.
By default the DNS Resolver used root DNS servers (https://www.iana.org/domains/root/servers) to resolve DNS requests.

However, in forwarding mode it sends request to the servers you've stated in general setup, to 1.1.1.1 in your case.

There should be reason for the root servers not working. Maybe restrictions in your country, I don't know.

bingo600 · Oct 3, 2022, 6:12 PM

@gurveer

On the screenshot above this is clearly in error

login-to-view

linux:~$ host 1.1.1.1
1.1.1.1.in-addr.arpa domain name pointer one.one.one.one.

linux:~$ host cloudflare-dns.com
Host cloudflare-dns.com not found: 3(NXDOMAIN)

And as suggested
~~Disable forwarding~~ , Remote DNS servers and let pfSense resolve directly.

stephenw10 · Oct 3, 2022, 6:10 PM

@gurveer said in pfsense blocking certain/some sites:

it worked (tho disabled dns resolver )

You mean you disabled the resolver (Unbound) and enabled the forwarder (DNSMasq)?

If so that shouldn't be required and probably indicates some underlying issue.

Steve

stephenw10 · Oct 3, 2022, 6:12 PM

@bingo600 said in pfsense blocking certain/some sites:

On the screenshot above this is clearly in error

Ah, well spotted. Yes if DoT is enabled that would be an issue. Though I would expect it to break everything not just that site

Gurveer · Oct 3, 2022, 6:21 PM

@bingo600 removed the cloudflare-dns.com but nothing happened site still not working (enabled dns resolver ,disabled forwarder)