pfsense blocking certain/some sites
-
@bingo600 said in pfsense blocking certain/some sites:
On the screenshot above this is clearly in error

Ah, well spotted. Yes, if DoT is enabled that would be an issue. Though I would expect it to break everything, not just that site.
-
@bingo600 removed cloudflare-dns.com but nothing happened, site still not working (enabled DNS Resolver, disabled forwarder)
-
@gurveer
Remove the 1.1.1.1 too.

@stephenw10
1: I'd expect the "bad domain" to affect all DoT lookups.
2: As I read it, with the current selection, the local (127.0.0.1) should take precedence, and just use the 1.1.1.1 stuff if the local fails to resolve, correct?
Since pfSense should be able to resolve, the 1.1.1.1 stuff should not be used at all.

@Gurveer
The DNS Resolver is also called "Unbound" ... the program name.
The settings are here: Services --> DNS Resolver
What does your config look like there ??
All of it ?
-
@bingo600 still the same, stopped resolving portal.bsnl.in and portal.bsnl.in but it opens using https://117.239.179.10/
-
@gurveer
Read my "above post" again, I asked something else.
What is the IP address of the PC that is not resolving?
Is it located within your LAN IP range?
-
@bingo600 it's ditto, same as yours
-
@gurveer
But there is MUCH more below. Show it all.
-
@bingo600 ya, it's in the LAN IP range and none of the devices open this site
-
@gurveer
If you don't show the full Resolver config, we have no way of helping you further.
See: https://forum.netgate.com/post/1064462
And in Status --> Services, is unbound running (the green dot)?
-
That. Also please show the full output of Diag > DNS Lookup against one of the failing sites.
That test checks all configured DNS servers, so Unbound resolving locally plus any you added in Sys > Gen. Setup plus anything passed by DHCP. But clients only use Unbound (by default).
So if Diag > Lookup succeeds but clients cannot resolve, it's probably because Unbound is failing but some other server is allowing pfSense to resolve that. The full output would show it.
Steve
-
@bingo600 ya, it's in the LAN IP range and none of the devices open this site. Also, if it's fine by you, I have no problem giving remote access!
-
@stephenw10 here it is
-
Is unbound running?
See here:
https://forum.netgate.com/post/1064464
Btw: Your Unbound config looks fine to me.
-
@gurveer
Now things get "hairy" .....
I see no reason why unbound shouldn't resolve that: portal.bsnl.in
In Diag --> DNS Lookup, can you resolve i.e. google.com or cnn.com or bbc.co.uk?
-
@bingo600 all three got resolved
-
Hmm, curious. I have one VM here that fails to resolve those. If I turn up the logging level to 3 I see:

```
Oct 3 20:59:53 unbound 40999 [40999:1] info: validator operate: query portal2.bsnl.in. A IN
Oct 3 20:59:53 unbound 40999 [40999:1] debug: cache memory msg=36309 rrset=50168 infra=10801 val=35656
Oct 3 20:59:53 unbound 40999 [40999:0] error: read (in tcp s): Connection refused for 218.248.240.178 port 53
Oct 3 20:59:53 unbound 40999 [40999:0] debug: outnettcp got tcp error -1
```

But other VMs configured identically and using the same public IP work fine.
-
Weird ....
I can resolve via that DNS server from my DNS Linux:

```
$ host 218.248.240.178
178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.
178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.gvmc.gov.in.
178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.gstkarnataka.gov.in.
178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.eofficeharyana.gov.in.
```

```
$ dig portal2.bsnl.in @218.248.240.178

; <<>> DiG 9.10.3-P4-Debian <<>> portal2.bsnl.in @218.248.240.178
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57455
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;portal2.bsnl.in.    IN  A

;; ANSWER SECTION:
portal2.bsnl.in.  10800  IN  A  117.239.179.10

;; AUTHORITY SECTION:
bsnl.in.  10800  IN  NS  ns11.bsnl.in.
bsnl.in.  10800  IN  NS  ns12.bsnl.in.

;; ADDITIONAL SECTION:
ns11.bsnl.in.  10800  IN  A  218.248.240.178
ns12.bsnl.in.  10800  IN  A  218.248.240.209

;; Query time: 301 msec
;; SERVER: 218.248.240.178#53(218.248.240.178)
;; WHEN: Mon Oct 03 22:23:52 CEST 2022
;; MSG SIZE  rcvd: 130
```

Stephen, what happens if you switch to the Forwarder, can you then resolve? And if switching back, you can't again??
Then you have something like OP.
-
Mmm, it's just this one VM.
Still does it with DNSSec disabled...
-
@stephenw10 what I can tell is wrong with their NS is they do not answer via TCP.
So normal via UDP works fine.
So I'd like to see a +trace from pfSense:
```
; <<>> DiG 9.16.26 <<>> portal.bsnl.in +trace
;; global options: +cmd
.  45761  IN  NS  j.root-servers.net.
.  45761  IN  NS  k.root-servers.net.
.  45761  IN  NS  l.root-servers.net.
.  45761  IN  NS  m.root-servers.net.
.  45761  IN  NS  a.root-servers.net.
.  45761  IN  NS  b.root-servers.net.
.  45761  IN  NS  c.root-servers.net.
.  45761  IN  NS  d.root-servers.net.
.  45761  IN  NS  e.root-servers.net.
.  45761  IN  NS  f.root-servers.net.
.  45761  IN  NS  g.root-servers.net.
.  45761  IN  NS  h.root-servers.net.
.  45761  IN  NS  i.root-servers.net.
.  45761  IN  RRSIG  NS 8 0 518400 20221016050000 20221003040000 18733 . YIXaa/EBSQVICUNPRhTRK21PwpQy6pk6zgrYeokFCUG6pPKmfn+7gOiq k12OWXOTYRguXIWv0YauJlYZlRJFOucvxIWI2hE8oeppc5bCDBXUwZ2V 6GDOEYnCkk/8Bh7QgaAGpBYeNbuPj2TD1bDX1dHKOZ/PIOoXeSxAOuAi xkZzEi4/zXqDWmeDA7CVq74qNvVgfkVg0NXDxqFtmJH/cXwvdGsWbeaZ gu95le0xD12RbYGoxfzM06DT4YLJMPJ4evH26D2xnUolBqZ9tbqjAxcv AdnAllbVw5AcuaYQMCqn3qy/x+M4rJKmExFughKCvnZWXxTlGcZDRDt1 0VFw0g==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

in.  172800  IN  NS  ns1.registry.in.
in.  172800  IN  NS  ns2.registry.in.
in.  172800  IN  NS  ns3.registry.in.
in.  172800  IN  NS  ns4.registry.in.
in.  172800  IN  NS  ns5.registry.in.
in.  172800  IN  NS  ns6.registry.in.
in.  86400  IN  DS  54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9
in.  86400  IN  DS  54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C
in.  86400  IN  RRSIG  DS 8 1 86400 20221016170000 20221003160000 18733 . MH2IwInVoatMPeKOq084SdgHwlSAZxwSKLePZKNixFq/k5B9sjPwTPg2 sD9QebL9yV/nXQQkwouIpWrIk825ZZYSu+jqfPqX+orjMzlD1Md1EVZc TqWf+JqTTmMzGGnocx7ZswBFhTAXn5/g3enPXZqUyyvaxTVJ3QpWe7TQ ZAvK0hVSWRqcYaCJTyblVRB7X64DgiTuU5JBRVSVqcsqGtN2YIPZETlQ Y2deLx2TsaiDhF1YMKUfGVrji9/N3wGn90FGKNXPEOuLxmf4n/tshoaK 0CzachAt5++rERjalNoZjKCBmFF1o2eRi8DCD5Uqi4+qyeHvRTtJrr6d 48Txwg==
;; Received 795 bytes from 198.97.190.53#53(h.root-servers.net) in 58 ms

bsnl.in.  86400  IN  NS  ns11.bsnl.in.
bsnl.in.  86400  IN  NS  ns12.bsnl.in.
u7smslveus494o8dr4h483un5spuc1tu.in.  1800  IN  NSEC3  1 1 0 - U7T80A19T7AQCC0P8AMD1AC4SCNB2DG5 NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
u7smslveus494o8dr4h483un5spuc1tu.in.  1800  IN  RRSIG  NSEC3 8 2 1800 20221029024156 20220929023509 65169 in. OhLJIY+hNU2Iba31vmFAZmg83NwqnSy5kTbfU8cZYFG663HzbGHhdv/K GuGaRoYkqyEPpWfBF/VbAKHWi6F9fIGPR2+P2rKgD2eCzcuttKmq9bhX 4uHehoh+Qr06klPyF+TGp/iQvxyKJIMX0c/AFM2bbG4y/D7qO/5j0cK8 qheSA/XC8aOj/yRrY23Q84506B9plijHJfG3M+/T5qBjCA==
cpcirneso3q726baurorn492qjc704f7.in.  1800  IN  NSEC3  1 1 0 - CPDC4IU515A25D00VQOT9RS8DOGC39NO NS DS RRSIG
cpcirneso3q726baurorn492qjc704f7.in.  1800  IN  RRSIG  NSEC3 8 2 1800 20221029024559 20220929023325 65169 in. d+tE+NTWj1j/jbF2vO1vjtwPcxNDdJFFk2VWc3ijj6q/utOfqL/wtZUv tZd6ofRu+M0SHvxGzjJcZpiqMf9HaMOkGKLXfXO1sohlJLqNuQgs4RTr 9VjO1qnfnXZNkSP2aDP9KdnKcwcHHQv4cR6J5hPi7XOaURTIM3kI5YkC yq4rdXQIxtkWC0D+aOUP+mpHrm4+27qbSbYoqOCDDRE9+Q==
;; Received 724 bytes from 156.154.100.20#53(ns5.registry.in) in 58 ms

portal.bsnl.in.  10800  IN  A  117.255.216.68
portal.bsnl.in.  10800  IN  RRSIG  A 7 3 10800 20221010221608 20221003211608 51428 bsnl.in. Vlc2csKOp69KSqiKUQl6iIAzgycNTMj1Oj+84dyYtjatWlBHMvtjkUMK XjhfLoI4RVZkaZgd20KNKddNKwId8Qs+kOH0fYSS4jAkEB+llzt5pOdN 8jYweG5dLFjgZmH67oUDLEjemO7PQiWduPOB7tXU5NukoKqjpD1HtL7m 8qI=
bsnl.in.  10800  IN  NS  ns12.bsnl.in.
bsnl.in.  10800  IN  NS  ns11.bsnl.in.
bsnl.in.  10800  IN  RRSIG  NS 7 2 10800 20221010221602 20221003211602 51428 bsnl.in. XGHAXve5mEGouSP3gISD3XJp3lQnQsk+qSdzm2UHsOlEcvNj0kyNwRl/ 1etqIKNnzByXhh3spngJdOlyMvsrlZfodsviJ/6v3VzlmJoawlUZuLov UddqQmq15Xnj7S3Hi5xPq8rTXIAXvqGSpjUifZDCFlUcmY89iTwpI9Sb FAo=
;; Received 797 bytes from 218.248.240.209#53(ns12.bsnl.in) in 334 ms
```
But notice when you try it via TCP:
```
[22.05-RELEASE][admin@sg4860.local.lan]/root: dig portal.bsnl.in +trace +tcp

; <<>> DiG 9.16.26 <<>> portal.bsnl.in +trace +tcp
;; global options: +cmd
.  45742  IN  NS  l.root-servers.net.
.  45742  IN  NS  m.root-servers.net.
.  45742  IN  NS  a.root-servers.net.
.  45742  IN  NS  b.root-servers.net.
.  45742  IN  NS  c.root-servers.net.
.  45742  IN  NS  d.root-servers.net.
.  45742  IN  NS  e.root-servers.net.
.  45742  IN  NS  f.root-servers.net.
.  45742  IN  NS  g.root-servers.net.
.  45742  IN  NS  h.root-servers.net.
.  45742  IN  NS  i.root-servers.net.
.  45742  IN  NS  j.root-servers.net.
.  45742  IN  NS  k.root-servers.net.
.  45742  IN  RRSIG  NS 8 0 518400 20221016050000 20221003040000 18733 . YIXaa/EBSQVICUNPRhTRK21PwpQy6pk6zgrYeokFCUG6pPKmfn+7gOiq k12OWXOTYRguXIWv0YauJlYZlRJFOucvxIWI2hE8oeppc5bCDBXUwZ2V 6GDOEYnCkk/8Bh7QgaAGpBYeNbuPj2TD1bDX1dHKOZ/PIOoXeSxAOuAi xkZzEi4/zXqDWmeDA7CVq74qNvVgfkVg0NXDxqFtmJH/cXwvdGsWbeaZ gu95le0xD12RbYGoxfzM06DT4YLJMPJ4evH26D2xnUolBqZ9tbqjAxcv AdnAllbVw5AcuaYQMCqn3qy/x+M4rJKmExFughKCvnZWXxTlGcZDRDt1 0VFw0g==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

in.  172800  IN  NS  ns1.registry.in.
in.  172800  IN  NS  ns2.registry.in.
in.  172800  IN  NS  ns3.registry.in.
in.  172800  IN  NS  ns4.registry.in.
in.  172800  IN  NS  ns5.registry.in.
in.  172800  IN  NS  ns6.registry.in.
in.  86400  IN  DS  54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9
in.  86400  IN  DS  54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C
in.  86400  IN  RRSIG  DS 8 1 86400 20221016170000 20221003160000 18733 . MH2IwInVoatMPeKOq084SdgHwlSAZxwSKLePZKNixFq/k5B9sjPwTPg2 sD9QebL9yV/nXQQkwouIpWrIk825ZZYSu+jqfPqX+orjMzlD1Md1EVZc TqWf+JqTTmMzGGnocx7ZswBFhTAXn5/g3enPXZqUyyvaxTVJ3QpWe7TQ ZAvK0hVSWRqcYaCJTyblVRB7X64DgiTuU5JBRVSVqcsqGtN2YIPZETlQ Y2deLx2TsaiDhF1YMKUfGVrji9/N3wGn90FGKNXPEOuLxmf4n/tshoaK 0CzachAt5++rERjalNoZjKCBmFF1o2eRi8DCD5Uqi4+qyeHvRTtJrr6d 48Txwg==
;; Received 795 bytes from 193.0.14.129#53(k.root-servers.net) in 42 ms

bsnl.in.  86400  IN  NS  ns12.bsnl.in.
bsnl.in.  86400  IN  NS  ns11.bsnl.in.
u7smslveus494o8dr4h483un5spuc1tu.in.  1800  IN  NSEC3  1 1 0 - U7T80A19T7AQCC0P8AMD1AC4SCNB2DG5 NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
u7smslveus494o8dr4h483un5spuc1tu.in.  1800  IN  RRSIG  NSEC3 8 2 1800 20221029024156 20220929023509 65169 in. OhLJIY+hNU2Iba31vmFAZmg83NwqnSy5kTbfU8cZYFG663HzbGHhdv/K GuGaRoYkqyEPpWfBF/VbAKHWi6F9fIGPR2+P2rKgD2eCzcuttKmq9bhX 4uHehoh+Qr06klPyF+TGp/iQvxyKJIMX0c/AFM2bbG4y/D7qO/5j0cK8 qheSA/XC8aOj/yRrY23Q84506B9plijHJfG3M+/T5qBjCA==
cpcirneso3q726baurorn492qjc704f7.in.  1800  IN  NSEC3  1 1 0 - CPDC4IU515A25D00VQOT9RS8DOGC39NO NS DS RRSIG
cpcirneso3q726baurorn492qjc704f7.in.  1800  IN  RRSIG  NSEC3 8 2 1800 20221029024559 20220929023325 65169 in. d+tE+NTWj1j/jbF2vO1vjtwPcxNDdJFFk2VWc3ijj6q/utOfqL/wtZUv tZd6ofRu+M0SHvxGzjJcZpiqMf9HaMOkGKLXfXO1sohlJLqNuQgs4RTr 9VjO1qnfnXZNkSP2aDP9KdnKcwcHHQv4cR6J5hPi7XOaURTIM3kI5YkC yq4rdXQIxtkWC0D+aOUP+mpHrm4+27qbSbYoqOCDDRE9+Q==
;; Received 724 bytes from 2001:502:2eda::20#53(ns5.registry.in) in 54 ms

;; Connection to 218.248.240.178#53(218.248.240.178) for portal.bsnl.in failed: connection refused.
;; Connection to 218.248.240.209#53(218.248.240.209) for portal.bsnl.in failed: connection refused.
[22.05-RELEASE][admin@sg4860.local.lan]/root:
```
And you get the same warning here:
https://dnsviz.net/d/portal.bsnl.in/dnssec/
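Added example, not code from the thread, pfSense or Unbound: a small Python probe that sends the same A query once over UDP and once over TCP (TCP framing the message with the 2-byte length prefix), so the condition the Unbound log line `error: read (in tcp s): Connection refused` and the `dig +trace +tcp` output above point at, nameservers that answer UDP but refuse TCP, can be checked from any host. The server address and name are the ones quoted in the thread; `sample_response()` is a constructed packet used only for an offline self-check.

```python
import socket
import struct

def build_query(name, qid=0x1234, qtype=1):  # wire-format query: header with RD set + one question
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)
def _skip_name(buf, off):  # offset just past a (possibly compressed) domain name
    while buf[off] != 0 and buf[off] & 0xC0 != 0xC0:
        off += buf[off] + 1
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)
def parse_a_records(resp):  # -> (rcode, [IPv4 strings]) from the answer section
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", resp, off)
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, ips
def probe(server, name, tcp=False, timeout=3.0):  # one A query over UDP, or over TCP with its 2-byte length prefix
    query = build_query(name)
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout) as s:
                s.sendall(struct.pack(">H", len(query)) + query)
                need = struct.unpack(">H", s.recv(2))[0]
                data = b""
                while len(data) < need:
                    data += s.recv(need - len(data))
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data = s.recv(4096)
        return parse_a_records(data)
    except OSError as exc:  # a TCP-refusing nameserver lands here with "Connection refused"
        return "error", str(exc)
def sample_response():  # constructed packet: the UDP answer quoted in the thread, portal2.bsnl.in A 117.239.179.10
    header = struct.pack(">HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)  # flags QR, AA, RD; 1 question, 1 answer
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 10800, 4) + socket.inet_aton("117.239.179.10")
    return header + build_query("portal2.bsnl.in")[12:] + answer
if __name__ == "__main__":  # live check of the BSNL nameserver from the thread, UDP then TCP
    print([probe("218.248.240.178", "portal2.bsnl.in", tcp=t) for t in (False, True)])
```

A resolver that needs TCP (for a truncated UDP answer, or because it was configured to use TCP or DoT upstream) hits the same refusal Unbound logged, which is why the UDP-only result from dig can look fine while clients still fail.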