pfsense blocking certain/some sites
-
@gurveer said in pfsense blocking certain/some sites:
It resolves in Diag > DNS Lookup
What is the actual result of that test? All configured DNS servers respond? In a timely manner?
If pfSense can resolve that (on all its configured servers) and your client cannot, then the only conclusion is that your client is not using pfSense for DNS.
Steve
-
@viragomann thanks, it worked (though I disabled the DNS Resolver). Btw, what does this DNS forwarding mean?
-
@stephenw10 @bingo600 @rcoleman-netgate @viragomann thanks a lot, you guys, for helping and bearing with me so long
-
@gurveer
I tried to explain above in a few words.
By default the DNS Resolver uses the root DNS servers (https://www.iana.org/domains/root/servers) to resolve DNS requests. However, in forwarding mode it sends requests to the servers you've stated in General Setup, to 1.1.1.1 in your case.
There should be a reason for the root servers not working. Maybe restrictions in your country, I don't know.
-
On the screenshot above this is clearly in error:
linux:~$ host 1.1.1.1
1.1.1.1.in-addr.arpa domain name pointer one.one.one.one.
linux:~$ host cloudflare-dns.com
Host cloudflare-dns.com not found: 3(NXDOMAIN)
And as suggested:
Disable forwarding, remove the remote DNS servers and let pfSense resolve directly.
-
@gurveer said in pfsense blocking certain/some sites:
it worked (though I disabled the DNS Resolver)
You mean you disabled the resolver (Unbound) and enabled the forwarder (DNSMasq)?
If so that shouldn't be required and probably indicates some underlying issue.
Steve
-
@bingo600 said in pfsense blocking certain/some sites:
On the screenshot above this is clearly in error
Ah, well spotted. Yes, if DoT is enabled that would be an issue. Though I would expect it to break everything, not just that site.
-
@bingo600 removed cloudflare-dns.com, but nothing happened; the site is still not working (enabled DNS Resolver, disabled forwarder)
-
@gurveer
Remove the 1.1.1.1 too
@stephenw10
1: I'd expect the "bad domain" to affect all DoT lookups.
2: As I read it, with the current selection, the local (127.0.0.1) should take precedence, and just use the 1.1.1.1 stuff if the local fails to resolve, correct?
Since pfSense should be able to resolve, the 1.1.1.1 stuff should not be used at all.
@Gurveer
The DNS Resolver is also called "Unbound" ... the program name.
The settings are here: Services --> DNS Resolver
What does your config look like there ??
All of it ?
-
@bingo600 still the same; it stopped resolving portal.bsnl.in and portal.bsnl.in, but it opens using https://117.239.179.10/
-
@gurveer
Read my "above post" again, I asked something else.
What is the IP address of the PC that is not resolving?
Is it located within your LAN IP range?
-
@bingo600 it's ditto, the same as yours
-
@gurveer
But there is MUCH more below.
Show it all.
-
@bingo600 ya, it's in the LAN IP range and none of the devices open this site
-
@gurveer
If you don't show the full Resolver config, we have no way of helping you further.
See: https://forum.netgate.com/post/1064462
And in Status --> Services is unbound running (the Green Dot)
-
That. Also please show the full output of Diag > DNS Lookup against one of the failing sites.
That test checks all configured DNS servers, so Unbound resolving locally plus any you added in Sys > Gen. Setup plus anything passed by DHCP. But clients only use Unbound (by default).
So if Diag > Lookup succeeds but clients cannot resolve, it's probably because Unbound is failing but some other server is allowing pfSense to resolve that. The full output would show it.
Steve
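The per-server check Steve describes can be reproduced from a LAN client with plain `dig`, which makes it obvious when Unbound is the one failing while an upstream such as 1.1.1.1 is masking it in the Diag > DNS Lookup result. This is an added example, not code from the thread or from pfSense; it assumes `dig` is installed on the client, and the server addresses in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Query each DNS server separately, the way Diag > DNS Lookup does, so a
# failure in the resolver clients actually use (Unbound on pfSense) is not
# hidden by an upstream server answering instead. Assumes `dig` is present.

# lookup_one SERVER NAME -> prints "ok <first A record>" or "fail"; never aborts
lookup_one() {
    server=$1; name=$2
    out=$(dig +short +time=2 +tries=1 "@$server" "$name" A 2>/dev/null | head -n 1)
    if [ -n "$out" ]; then
        echo "ok $out"
    else
        echo "fail"
    fi
}

# diagnose LOCAL_STATUS UPSTREAM_STATUS -> short verdict.
# LOCAL is the resolver handed to clients (Unbound); UPSTREAM is any server
# listed under System > General Setup. Each status is "ok" or "fail".
diagnose() {
    case "$1:$2" in
        ok:*)      echo "unbound-ok" ;;                       # resolver fine; check the client's DNS settings
        fail:ok)   echo "unbound-broken-upstream-masking" ;;  # Diag lookup passes via upstream, clients fail
        fail:fail) echo "no-resolution-anywhere" ;;           # nothing resolves: outbound DNS/DoT/firewall issue
        *)         echo "unknown" ;;
    esac
}

# check NAME LOCAL_SERVER [UPSTREAM_SERVER...] -> per-server results, then the verdict
check() {
    name=$1; local_srv=$2; shift 2
    local_res=$(lookup_one "$local_srv" "$name")
    echo "$local_srv: $local_res"
    up_status=fail
    for s in "$@"; do
        r=$(lookup_one "$s" "$name")
        echo "$s: $r"
        [ "${r%% *}" = ok ] && up_status=ok
    done
    diagnose "${local_res%% *}" "$up_status"
}

# Usage from the affected client (constructed addresses; replace with your own):
#   check portal.bsnl.in 192.168.1.1 1.1.1.1
```

A verdict of "unbound-broken-upstream-masking" is exactly the case in the post above: the Diag page looks green because 1.1.1.1 answered, while the resolver clients actually use returned nothing.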
-
@bingo600 ya, it's in the LAN IP range and none of the devices open this site; also, if it's fine by you, I have no problem giving remote access!
-
@stephenw10 here it is
-
Is unbound running ?
See here
https://forum.netgate.com/post/1064464
Btw: Your Unbound config looks fine to me
-