pfsense blocking certain/some sites
-
@gurveer
I tried to explain above in a view words.
By default the DNS Resolver used root DNS servers (https://www.iana.org/domains/root/servers) to resolve DNS requests.However, in forwarding mode it sends request to the servers you've stated in general setup, to 1.1.1.1 in your case.
There should be reason for the root servers not working. Maybe restrictions in your country, I don't know.
-
On the screenshot above this is clearly in error
linux:~$ host 1.1.1.1 1.1.1.1.in-addr.arpa domain name pointer one.one.one.one. linux:~$ host cloudflare-dns.com Host cloudflare-dns.com not found: 3(NXDOMAIN)And as suggested
Disable forwarding, Remote DNS servers and let pfSense resolve directly.If you find my answer useful - Please give the post a š - "thumbs up"
pfSense+ 23.05.1 (ZFS)QOTOM-Q355G4 Quad Lan.
CPUĀ : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LANĀ : 4 x Intel 211, DiskĀ : 240G SAMSUNG MZ7L3240HCHQ SSD -
@gurveer said in pfsense blocking certain/some sites:
it worked (tho disabled dns resolver )
You mean you disabled the resolver (Unbound) and enabled the forwarder (DNSMasq)?
If so that shouldn't be required and probably indicates some underlying issue.
Steve
-
@bingo600 said in pfsense blocking certain/some sites:
On the screenshot above this is clearly in error
Ah, well spotted. Yes if DoT is enabled that would be an issue. Though I would expect it to break everything not just that site
-
@bingo600 removed the cloudflare-dns.com but nothing happened site still not working (enabled dns resolver ,disabled forwarder)
-
@gurveer
Remove the 1.1.1.1 too@stephenw10
1: I'd expect the "bad domain" to affect all DOT lookups.2:
As i read it , with the current selection , the local (127.0.0.1) should take precedence , and just use the 1.1.1.1 stuff if the local fails to resolve correct ?
Since pfSense should be able to resolve, the 1.1.1.1 stuff should not be used at all.@Gurveer
The DNS Resolver is also called "Unbound ... The program name"
The settings are here Services --> DNS Resolver
What does your config look like there ??
All of it ?
-
@bingo600 still same , stopped resolving portal.bsnl.in and portal.bsnl.in but opens using https://117.239.179.10/
-
@gurveer
Read my "above post" again , i asked something else.What is the ip address of the PC , that is not resolving ?
Is it located within your Lan ip range ? -
@bingo600 it ditto same as yours
-
@gurveer
But there is MUCH more belowShow it all
-
@bingo600 ya its in lan ip range and non of device opens this site
-
@gurveer
If you don't show the Full Resolver config, we have no way of helping you further.See : https://forum.netgate.com/post/1064462
And in Status --> Services is unbound running (the Green Dot)
-
That. Also please show the full output of Diag > DNS Lookup against one of the failing sites.
That test checks all configured DNS servers, so Unbound resolving locally plus any you added in Sys > Gen. Setup plus anything passed by DHCP. But clients only use Unbound (by default).
So if Diag > Lookup succeeds but clients cannot resolve it's probably because Unbound is failing but some other server is allowing pfSense to resolve that. The full output would show it.Steve
-
@bingo600 ya its in lan ip range and non of device opens this site also if its fine by you i have no problem giving remote access !
-
@stephenw10 here it is
-
Is unbound running ?
See here
https://forum.netgate.com/post/1064464Btw: Your Unbound config looks fine to me
-
-
@gurveer
Now things get "hairy" .....I see no reason why unbound shouldn't resolve that : portal.bsnl.in
In diag --> Dns lookup , can you resolve ie. google.com or cnn.com or bbc.co.uk
-
@bingo600 all three got resolved
-
Hmm, curious. I have one VM here that fails to resolve those. If I turn up the logging to level to 3 I see:
Oct 3 20:59:53 unbound 40999 [40999:1] info: validator operate: query portal2.bsnl.in. A IN Oct 3 20:59:53 unbound 40999 [40999:1] debug: cache memory msg=36309 rrset=50168 infra=10801 val=35656 Oct 3 20:59:53 unbound 40999 [40999:0] error: read (in tcp s): Connection refused for 218.248.240.178 port 53 Oct 3 20:59:53 unbound 40999 [40999:0] debug: outnettcp got tcp error -1But other VMs configured identically and using the same public IP work fine..
