Paypal being blocked
-
@manilx Using this for nextdns:
-
-
@michmoor Done! No change
-
@manilx what was done? what do you have as DNS server settings and did you remove your custom options?
Also are your clients using pfsense as their DNS server? -
@michmoor Yes. Exactly what you suggested. Added DNS in General-Setup and removed Custom options in DNS Resolver.
Yes ALL clients use pfsense as DHCP server and DNS. -
@manilx said in Paypal being blocked:
Im not sure how you installed NextDNS as i see there is a way to do this via CLI with a .sh script or if you did this through the instruction on github link .
In either case, as this is a non-standard configuration, the last step i would ask you to do is restart Unbound and see if pfsense can query upstream resolvers.
-
@michmoor Actually Paypal as such is not being blocked because the site opens. Only when it opens the page to enter 2FA code does it take ages to open that one.
I installed nextdns as per their instructions by pasting the code into the DNS Resolver-General Settings-Custom Options.I can also enter the DNS into System-General setup. Doesn't change a thing.
restarting Unbound doesn't help also.This is the only site with an issue in my daily use. It's completely strange and unexplainable.
-
@manilx it does state in the GitHub page
That issue is still Open.
My advice would be to use the standard configuration on pfsense. If you really want to do dns sinkholing use pfblockerNG or PiHole or Adguard but neither of these options involve mucking with Unbound with custom options.
-
@michmoor Thanks for that info! Might do this but as we have tested reverting to using 1.1.1.1 etc didn't help!
Thanks for all you input.
Netgate 8200max
-
@manilx You could make pfSense do DNS...and if it doesn't know, outside source will help (in my case OpenDNS).
-
@manilx Hi,
this is how it is setup!
Again it's not an issue of paypal.com not resolving at all. It resolves and opens. The issue is that when I login and thr 2FA page should appear it takes MINUTES to appear, with the indicator spinning. It then appears I enter the 2fa code and all is well.
This happens on Mac browser or ios app. When I bypass pfsense (by disabling wifi on mobile or using ProtonVPN on Mac) the page opens instantly.
So there is something at play here, which I don't understand and I guess has nothing to do with DNS as such.I tried changing the setting to ignore local DNS and use the remote ones, thus bypassing all the DNS thing in pfsense AND the issue continues!!!!
Netgate 8200max
-
@manilx said in Paypal being blocked:
@manilx Hi,
this is how it is setup!
Again it's not an issue of paypal.com not resolving at all. It resolves and opens. The issue is that when I login and thr 2FA page should appear it takes MINUTES to appear, with the indicator spinning. It then appears I enter the 2fa code and all is well.
This happens on Mac browser or ios app. When I bypass pfsense (by disabling wifi on mobile or using ProtonVPN on Mac) the page opens instantly.
So there is something at play here, which I don't understand and I guess has nothing to do with DNS as such.I tried changing the setting to ignore local DNS and use the remote ones, thus bypassing all the DNS thing in pfsense AND the issue continues!!!!
This could still be a DNS issue or even a routing one. Here's why --
When you disable the Wi-Fi on your phone and have it use the cellular data network, it will be connecting with a totally different IP address (probably even use IPv6 in many areas) and will most likely have its traffic routed over a completely different path to Paypal. Same for your Mac when using the VPN. That traffic will follow a completely different path over the Internet to get to Paypal.
Large sites such as Paypal use CDNs and thus have many servers scattered around the world. Because traffic over the cellular data network or a VPN is likely travelling over a much different route, it will not necessarily hit the same intermediate routers and servers on its way to Paypal as traffic sourced from your LAN through your ISP. The 2FA traffic is what seems to be getting delayed. The fact it takes minutes to complete sounds like a timeout problem somewhere along the path. The primary path or destination is failing, times out, and then a secondary takes over. Again, due to the different paths across the Internet taken by your cellular data and VPN connections, they may not encounter the same failing primary node as traffic routed directly through your ISP connection to Paypal.
Just food for thought and something to investigate while troubleshooting.
-
@manilx said in Paypal being blocked:
Again it's not an issue of paypal.com not resolving at all. It resolves and opens. The issue is that when I login and thr 2FA page should appear it takes MINUTES to appear, with the indicator spinning. It then appears I enter the 2fa code and all is well.
Hello!
A browser like firefox on windows can open a "developer" window (f12) with a network tab that breaks down all of the individual elements on a webpage that are being requested/loaded. A tool like this might help identify the specific resources (2fa) pfsense is having a problem resolving and retrieving.
John
-
@serbus I was just going to say what you said. Clearly, PayPal doesn't like the IP and see what subdomain of PayPal is causing the hiccup (DNS) by going to Tools > Browser Tool - Web Developer Tool...looks like OP has a MAC. PayPal had been monitoring source IP.
-
@nollipfsense That was a good one. I got this in Firefox:
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: nonce-source or hash-source specified 3
Some cookies are misusing the recommended “SameSite“ attribute 6
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: nonce-source or hash-source specified 3
Some cookies are misusing the recommended “SameSite“ attribute 23
Cookie “TLTSID” has been rejected because it is already expired. twofactor
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). moz-extension:59:206
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). moz-extension:59:421
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. twofactor
Cookie “TLTSID” has been rejected because it is already expired. recaptchav3.js
-
@nollipfsense P.S. I get the same problem on chrome or safari. Running Macos Ventura and on iphone ios 16.2
Now trying the same on a Windows VM or on a Mac Mini running macos Monterey I have NO issues.
Something on the latest apple OS'es??????Netgate 8200max
-
@manilx It get's weirder:
I get my IP via dhcp from pfsense:
I have the issue like this.Now when I change this to manually and enter the same IP, gateway, DNS server I don't have the issue!?
What the heck? Go figure. -
@manilx said in Paypal being blocked:
Running Macos Ventura
I recently had an issue with PayPal...I logged in but when I want to pay the screen would flash for a few seconds and disappear would not let me select payment method (bank or credit cards) we (me and PayPal) could not figured it out...I was using Firefox and Venture. That's how I know that PayPal were monitoring IP because I switched from iPhone hotspot to a MacDonalds and they (PayPal staff) ask me were are you.
-
@nollipfsense The solution do this unexplainable problem was an easy one.
In ServicesDNS ResolverGeneral Settings:
DNS resolver was interfering somehow in a strange way. So we'll just take it out of the equation.
Problem solved!
-
@manilx You should not have to do that, in fact, that's for local host that you don't want outside DNS resolving, such as a local server like PBX.
