ISP blocking or interfering with traffic? Can't resolve certain domains all of a sudden
-
Quad9 is totally fu***ing up on me. I tried a few other DNSes (should have tried this to begin with, d'oh), and using Google's DNS (which I refrain from using due to my absolute and unconditional lack of trust in Google) everything is working normally.
So.... I believe @Gertjan may be right about rate limiting of some sort. Question is, why would they rate limit me when I am only a home user? It's not like I'm running servers and websites with TBs of traffic and billions of requests per day....
-
@pftdm007 said in ISP blocking or interfering with traffic? Can't resolve certain domains all of a sudden:
You're saying no forwarding with TLS?
Exactly.
Really: try it for yourself. It's like magic. Using DNS as it was meant to be used: getting the info 'from the source' without any intermediaries. So, no, I do not need to forward to anyone.
-
@pftdm007 said in ISP blocking or interfering with traffic? Can't resolve certain domains all of a sudden:
Question is why would they rate limit me
You as a person with your device: maybe not.
But.... there was (still is?) an issue with unbound, in that it was recycling 'expensive' TLS connections very fast.... and forwarders don't like this at all.
Compare with another one: 1.1.1.1 or 8.8.8.8, etc.
Or, as I said above: your IP is (was?) 'suspect', as it is and stays a VPN ISP IP. Btw: when I was testing 9.9.9.9 I saw the same thing....
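The comparison suggested in the post above (Quad9 against 1.1.1.1 and 8.8.8.8, plain DNS against DNS over TLS), as an added diagnostic that is not code from any participant in this thread nor from pfSense or unbound. It uses only the Python standard library and hand-builds a minimal DNS A query, so it runs from any host that can reach the resolvers. The resolver addresses and TLS auth names are the public ones for Quad9, Cloudflare and Google; the SAMPLE_* messages are constructed, not captured, and use the 192.0.2.0/24 documentation range so the parser can be exercised offline.

```python
"""Compare a resolver over plain DNS (UDP/53) and DNS over TLS (TCP/853)."""
import socket
import ssl
import struct

# (address, TLS auth name, label). Quad9 is the resolver under suspicion;
# the other two are the comparison points named in the thread.
RESOLVERS = [
    ("9.9.9.9", "dns.quad9.net", "Quad9"),
    ("1.1.1.1", "cloudflare-dns.com", "Cloudflare"),
    ("8.8.8.8", "dns.google", "Google"),
]


def build_query(name, qtype=1, qid=0x1234):
    """Build a DNS query (RD=1, one question, class IN) in wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1


def parse_response(data):
    """Return (rcode, [A record addresses]) from a DNS response message."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F  # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(data[off:off + rdlen]))
        off += rdlen
    return rcode, addresses


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server, name, timeout=3.0):
    """Plain DNS over UDP/53 (the 'regular DNS' mode in the thread)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def query_dot(server, authname, name, timeout=3.0):
    """DNS over TLS on TCP/853. The IP is dialled directly; authname is sent
    as SNI and the server certificate is verified against it."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=authname) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)  # TCP framing: 2-byte length
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            data = _recv_exact(tls, length)
    return parse_response(data)


def compare(name, resolvers=RESOLVERS):
    """Run both transports against every resolver; report instead of raising,
    so a certificate failure on one resolver does not hide the others."""
    results = {}
    for addr, authname, label in resolvers:
        attempts = (("udp", lambda: query_udp(addr, name)),
                    ("dot", lambda: query_dot(addr, authname, name)))
        for proto, attempt in attempts:
            try:
                results[(label, proto)] = attempt()
            except ssl.SSLCertVerificationError as e:
                results[(label, proto)] = f"cert verification failed: {e.verify_message}"
            except OSError as e:  # timeouts, resets, refused connections
                results[(label, proto)] = f"{type(e).__name__}: {e}"
    return results


# Constructed sample messages (not real captures) so the parser runs offline.
_QUESTION = b"\x03dns\x05quad9\x03net\x00" + struct.pack("!HH", 1, 1)
SAMPLE_A_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                     + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                     + socket.inet_aton("192.0.2.1"))
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for (label, proto), outcome in sorted(compare("dns.quad9.net").items()):
        print(f"{label:10s} {proto:4s} {outcome}")
```

Run it from the affected pfSense box (or a host behind it with the VPN egress) and from a host on another connection. If Quad9 fails only on the `dot` row while `udp` answers, and the other resolvers answer on both, the problem is specific to the TLS path to Quad9 from that source address, which is what this thread is trying to distinguish from a general outage. A `cert verification failed` outcome points at the certificate or a middlebox rather than rate limiting.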
-
@pftdm007 said in ISP blocking or interfering with traffic? Can't resolve certain domains all of a sudden:
Quad9 is totally fu***ing up on me. I tried a few other DNSes (should have tried this to begin with, d'oh), and using Google's DNS (which I refrain from using due to my absolute and unconditional lack of trust in Google) everything is working normally.
So.... I believe @Gertjan may be right about rate limiting of some sort. Question is, why would they rate limit me when I am only a home user? It's not like I'm running servers and websites with TBs of traffic and billions of requests per day....
I have the same issue today with Quad9, which I have been using for a long time without issues.
So either they have changed something today, or UNBOUND has reached a limit or something in its code today that makes it act differently.
-
@keyser said in ISP blocking or interfering with traffic? Can't resolve certain domains all of a sudden:
I have the same issue today with Quad9, which I have been using for a long time without issues.
So either they have changed something today, or UNBOUND has reached a limit or something in its code today that makes it act differently.
Wonder if this might somehow be related to the massive Meta/Facebook/Google auth outage being reported worldwide (started around 10:00 AM EST this morning). Meta/Facebook/Instagram are massively impacted, but there are lots of reports of Google auth issues as well.
As of around 12:30 PM EST things are reportedly improving on the Meta/Facebook end of things.
-
@bmeeks Could be in my case. But the OP started his thread 17 hours ago, so that seems unlikely for him. I’ll do some additional testing.
-
@bmeeks Probably unrelated, but I feel compelled to mention it since this started for me around the same time (about 5 or 6 PM Eastern time yesterday in the U.S.). I've used unbound with forwarding mode disabled for many years, with the outgoing interfaces set to my VPN provider client interfaces. I've never had a problem. Yesterday, at the time mentioned, DNS resolution began failing on two independent pfSense machines that I administer that are configured in this way.
I found that if I switched the outgoing interface to WAN (i.e. don't route the queries via the VPN tunnels) it worked again. But since I didn't want this, I enabled forwarding mode and configured system DNS servers, routed via the VPN interfaces, and that's working for me. But I have no idea what changed. From outward appearances, it's as if all the root servers stopped accepting queries from my VPN provider.
-
@TheNarc Is it a more general Internet issue (routing?) that is causing the issue - including Meta's challenges?
-
@keyser I wish I knew. I'm not really sure how to diagnose my issue further. Right now I plan to just try switching back to non-forwarding mode in a day or two and see whether it's still broken. I feel like I'd be able to find some evidence of others reporting similar issues if the root servers have just blocked my VPN provider. But I also think whatever is going on in my case must be external to my configuration, both because it did not coincide with any changes I made, and because it began occurring simultaneously on two separate pfSense machines I administer in two separate physical locations.
-
@TheNarc I would tend to agree, but for me it coincided with an ISP change (but no pfSense changes - WAN = DHCP).
I'm still unable to properly resolve names using DOT from pfSense to Quad9. So it's probably something related to TLS sessions/throttling or whatever.
EDIT: I have no issues using Quad9 as a regular DNS (not as DOT from pfSense)
-
@TheNarc Hmm, it seems it's related to Quad9's regular DNS name records not resolving correctly. Depending on where I resolve, dns.quad9.net does not resolve.
That needs to resolve for DOT to work (it is used for certificate verification in the TLS setup).
-
@keyser Interesting... it certainly feels like these things should be related somehow, but I certainly can't definitively tie them together. I'll report back when I try turning off forwarding mode again in a day or two (maybe later tonight if I get impatient, although I tried earlier today and it was still broken).
-
@keyser said in ISP blocking or interfering with traffic? Can't resolve certain domains all of a sudden:
@TheNarc Hmm, it seems it's related to Quad9's regular DNS name records not resolving correctly. Depending on where I resolve, dns.quad9.net does not resolve.
That needs to resolve for DOT to work (it is used for certificate verification in the TLS setup).
I think my issue is related to a bug I have previously experienced pfSense make. Even though SYSTEM -> GENERAL is set to use Remote only (ignore local DNS), it happens that pfSense still uses the local service. I have blocked all DOH/DOT server names with pfBlockerNG DNSBL. That seems to cause my own pfSense not to be able to resolve dns.quad9.net at times (thus killing DOT forwarding from UNBOUND).
Today was the first time in a LOONG time I had WAN down, so it might be happening when WAN is gone, and UNBOUND then continues to remember the NXDOMAIN for dns.quad9.net it got from itself when pfSense tried to use the local DNS service instead of the remote DNS.
EDIT: But it's quite hard to troubleshoot because pfBlockerNG does not log blocks of DOT/DOH servers like it does blocks from various block lists.
-
@keyser When I reported this issue here, the problem had already been ongoing for about a day or so...
Since yesterday afternoon I added 2 more DNS servers in General Setup (76.76.2.0 & 76.76.10.0, and "p0.freedns.controld.com" for DOT) and everything is back to normal for me..... These new DNS servers are inserted BEFORE Quad9's DNS servers. Everything else is as per the screenshots I posted above....
This morning I got a notice from pfsense that unbound was available to update.
unbound: 1.18.0_1 -> 1.19.1 [pfSense]
-
@pftdm007 Yeah, Quad9 still does not work for me, so I’m in root resolver mode until further notice.
-
Are any of you guys still having issues with Quad9? Things worked for a few days for me when I added the FreeDNS servers, but since yesterday or so it's flaky at best, especially for everything associated with Reddit... Will revert to Google's servers until further notice.
-
@pftdm007 I have 2 sites; one site cannot use Quad9 in TLS mode anymore. It works fine in normal forwarding mode, so I'm starting to think it's my ISP doing something fishy with TLS to that site.