Netgate Discussion Forum

pfsense blocking certain/some sites

General pfSense Questions | 74 Posts, 7 Posters, 14.5k Views
      johnpoz LAYER 8 Global Moderator @stephenw10

      @stephenw10 I agree with a setting based on mtu is prob the best scenario..

      IMHO the problem here is that the NS for this domain doesn't answer on tcp - which is going to cause problems for sure..

      I see a few options here: make sure unbound is using an appropriate size for your network and its connection. If the settings are correct and you're still having the issue, then the hack/workaround for such a domain would be to forward for that "specific" domain to remove your connection's issue with large UDP.

      The nuclear option sure is to forward all your queries and let them worry about it ;) But to me that is burning down the house to kill a spider..


      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        stephenw10 Netgate Administrator

        Yes, absolutely the NS should respond to TCP and the fact it doesn't is broken behaviour.

        It's interesting that it's shown this edns buffer issue though. It looks like there probably is a bug there because it shouldn't be 512 in a default config where all the NICs are 1500B MTU.

        It's also interesting that it still failed for me with DNSSec disabled where queries are much smaller.

        Steve

          Gertjan @stephenw10 (last edited by Gertjan)

          These are the NS :

          [22.05-RELEASE][root@pfSense.xxxxx.net]/root: dig bsnl.in NS +short
          ns11.bsnl.in.
          ns12.bsnl.in.
          

          Not good :

          [22.05-RELEASE][root@pfSense.xxxxx.net]/root: dig portal2.bsnl.in @ns11.bsnl.in +tcp
          ;; Connection to 218.248.240.178#53(218.248.240.178) for portal2.bsnl.in failed: connection refused.
          

          Who is 218.248.240.178 :

          [22.05-RELEASE][root@pfSense.xxxxx.net]/root: host 218.248.240.178
          178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.gstkarnataka.gov.in.
          178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.
          178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.gvmc.gov.in.
          178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.eofficeharyana.gov.in.

          Multiple reverses .... hummm.
          It's "ns11.bsnl.in." who was refusing to answer.

          Good :

          [22.05-RELEASE][root@pfSense.xxxxx.net]/root: dig www.test-domaine.fr @ns1.test-domaine.fr +tcp +short
          5.196.43.182
          

          @Gurveer : go have a talk with those who manage your ns11.bsnl.in. and ns12.bsnl.in.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            johnpoz LAYER 8 Global Moderator @Gertjan

            @gertjan said in pfsense blocking certain/some sites:

            talk with those who manage your ns11.bsnl.in. and ns12.bsnl.in.

            I don't think he has anything to do with the site, I think he is just a user trying to get to the site..


              Gertjan @johnpoz

              @johnpoz

              Maybe.
              But someone has to tell someone that something isn't right.
              If in this list of persons there is no place for @Gurveer, then the issue stops.


                johnpoz LAYER 8 Global Moderator @stephenw10

                @stephenw10 said in pfsense blocking certain/some sites:

                DNSSec disabled where queries are much smaller.

                But it is set to hand back servers with every query, which increases the size even with no dnssec, now that size is not anywhere close to 512..

                While it's easy to have large UDP with DNSSEC, it's not impossible to go over 512 without it.

                The bottom line is those name servers are borked in my professional opinion - borked being a very technical term ;)


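Two points in the posts above can be checked mechanically: Gertjan's `dig ... +tcp` test of whether an authoritative server answers over TCP at all, and johnpoz's point that a UDP answer can exceed 512 bytes even without DNSSEC, so the buffer size a resolver advertises decides whether it gets a complete answer, a truncated one, or nothing. The probe below is an added example, not code from this thread, from pfSense or from unbound. It builds a query carrying an EDNS0 OPT record with a chosen UDP payload size, reads the TC (truncation) flag from the reply, and applies the rule a resolver follows: a truncated UDP reply is repeated over TCP, and a server that refuses TCP leaves the resolver with no way to complete the answer. The `classify` labels, the `probe` helper and the default server and name in `main` (taken from the `dig` output in Gertjan's post) are my choices; everything except `probe` runs offline on constructed bytes.

```python
"""EDNS0 buffer-size / TCP-fallback probe (added example; not pfSense or unbound code)."""
import socket
import struct
import sys


def encode_name(qname: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, udp_payload: int = 1232, txid: int = 0x1234) -> bytes:
    """Return a DNS query (RD set) carrying one EDNS0 OPT record in the additional section.
    udp_payload is the buffer size the client advertises to the server, the value this thread
    is arguing about (512 being the pre-EDNS minimum). qtype 1 = A, 2 = NS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (the OPT RR)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS field carries the UDP payload size, TTL 0, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def advertised_payload(query: bytes) -> int:
    """Read the UDP payload size back out of the trailing OPT record built by build_query."""
    return struct.unpack("!H", query[-8:-6])[0]


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header. 'tc' is the truncation flag a resolver must honour
    by repeating the query over TCP."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify(udp_reply, tcp_reply) -> str:
    """Apply the resolver's fallback rule to what the two transports returned.
    None means no reply (UDP timeout, or TCP connection refused as in the dig output above)."""
    if udp_reply is None:
        return "no-udp-answer"      # nothing came back: fragments dropped or buffer size mismatch
    if not parse_header(udp_reply)["tc"]:
        return "udp-complete"       # the answer fit in the advertised buffer
    if tcp_reply is not None and parse_header(tcp_reply)["qr"]:
        return "tcp-fallback-ok"    # truncated over UDP, completed over TCP as RFC 7766 requires
    return "broken-no-tcp"          # truncated AND no TCP service: the resolver cannot get the answer


def probe(server: str, qname: str, qtype: int = 1, udp_payload: int = 1232, timeout: float = 3.0) -> str:
    """Live check (needs network; the offline tests do not call it): send the query over UDP
    with the given EDNS buffer size, then over TCP, and classify the pair of results."""
    q = build_query(qname, qtype, udp_payload)
    udp_reply = None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (server, 53))
            udp_reply, _ = s.recvfrom(65535)
        except OSError:
            pass
    tcp_reply = None
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is two-byte length prefixed
            (length,) = struct.unpack("!H", s.recv(2))
            buf = b""
            while len(buf) < length:
                chunk = s.recv(length - len(buf))
                if not chunk:
                    break
                buf += chunk
            tcp_reply = buf if len(buf) >= 12 else None
    except (OSError, struct.error):
        pass
    return classify(udp_reply, tcp_reply)


if __name__ == "__main__":
    # Defaults are the server and name from the dig output in this thread; override on the command line.
    server, name = sys.argv[1:3] if len(sys.argv) > 2 else ("ns11.bsnl.in", "portal2.bsnl.in")
    for size in (512, 1232, 4096):
        print(f"{server} {name} edns={size}: {probe(server, name, udp_payload=size)}")
```

Run as `python3 probe.py <nameserver> <name>`; a server that returns `tcp-fallback-ok` at 512 but `udp-complete` at 1232 is fine with a correct buffer setting, while `broken-no-tcp` at any size means no resolver setting on your side can fix it, which is the situation the thread describes.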
                  bingo600 @Gertjan

                  @gertjan said in pfsense blocking certain/some sites:

                  @bingo600 said in pfsense blocking certain/some sites:

                  Any specific reason or ???

                  Something like: the name servers involved being unable to communicate over TCP (so these name servers 'break' DNS) + a totally fxckxd up DNSSEC = his unbound resolver refuses to work.

                  But the OP wrote:

                  thanks mine was set to automatic value based interface mtu changed to unbound default sites started working flawlessly

                  So as I see it there was no need for forwarding.

                  If you find my answer useful - Please give the post a 👍 - "thumbs up"

                  pfSense+ 23.05.1 (ZFS)

                  QOTOM-Q355G4 Quad Lan.
                  CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                  LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

                    Gurveer @Gertjan

                    @gertjan I can't, because this is my ISP's site and the ISP is run by govt funding

                      johnpoz LAYER 8 Global Moderator @Gurveer (last edited by johnpoz)

                      @gurveer said in pfsense blocking certain/some sites:

                      govt funding

                      Gov site - no wonder it's a mess for DNS ;) heheheh

                      You should see the mess that is cdc.gov and dnssec

                      https://dnsviz.net/d/cdc.gov/dnssec/

                      Can governments get anything right? ;)

                      gov to cdc.gov: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the gov zone): icdc-us-ns1.cdc.gov, icdc-us-ns3.cdc.gov, icdc-us-ns2.cdc.gov
                      

                      And they're using the wrong algo as well..


                        stephenw10 Netgate Administrator

                        Yup, the DNS for that site is broken. <insert it was dns meme>

                        But at least now you know it's broken and how, so you can use any of the 3 workarounds to allow access again until it's fixed.

                        Steve

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.