ISP blocking or interfering with traffic? Can't resolve certain domains all of a sudden
-
@TheNarc Is it a more general Internet issue (routing?) that is causing the issue - including meta's challenges?
-
@keyser I wish I knew. I'm not really sure how to diagnose my issue further. Right now I plan to just try switching back to non-forwarding mode in a day or two and see whether it's still broken. I feel like I'd be able to find some evidence of others reporting similar issues if the root servers have just blocked my VPN provider. But I also think whatever is going on in my case must be external to my configuration, both because it did not coincide with any changes I made, and because it began occurring simultaneously on two separate pfSense machines I administer in two separate physical locations.
-
@TheNarc I would tend to agree, but for me it coincided with an ISP change (but no pfSense changes - WAN = DHCP).
I'm still unable to properly resolve names using DOT from pfSense to Quad9. So it's probably something related to TLS sessions/throttling or whatever.
EDIT: I have no issues using Quad9 as a regular DNS (Not as DOT from pfsense)
-
@TheNarc Hmm, it seems it's related to Quad9's regular DNS name records not resolving correctly. Depending on where I resolve, dns.quad9.net does not resolve.
That is needed to resolve for DOT to work (used for certificate verification in TLS setup).
-
@keyser Interesting . . . it certainly feels like these things should be related somehow, but I certainly can't definitively tie them together. I'll report back when I try turning off forwarding mode again in a day or two (maybe later tonight if I get impatient, although I tried earlier today and it was still broken).
-
@keyser said in ISP blocking or interfering with traffic? Can't resolve certain domains all of a sudden:
@TheNarc Hmm, it seems it's related to Quad9's regular DNS name records not resolving correctly. Depending on where I resolve, dns.quad9.net does not resolve.
That is needed to resolve for DOT to work (used for certificate verification in TLS setup).
I think my issue is related to a bug I have previously seen pfSense make. Even though SYSTEM -> GENERAL is set for using Remote only (ignore local DNS), it happens that pfSense still uses the local service. I have blocked all DOH/DOT server names with pfBlockerNG DNSBL. That seems to cause my own pfSense not to be able to resolve dns.quad9.net at times (thus killing DOT forwarding from UNBOUND).
Today was the first time in a LOONG time I had WAN down, so it might be happening when WAN is gone, and UNBOUND then continues to remember the NXDOMAIN for dns.quad9.net it got from itself when pfSense tried to use the local DNS service instead of the remote DNS.
EDIT: But it's quite hard to troubleshoot because pfBlockerNG does not log blocks of DOT/DOH servers like it does blocks from various block lists.
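A standalone check for the two failure modes discussed in this post, added here as an example and not taken from the thread, pfSense or Unbound: it performs one DNS-over-TLS exchange itself (TLS to the resolver IP with the certificate validated against the auth name, then length-prefixed DNS messages per RFC 7858) and reports the response code, so a cached NXDOMAIN, a certificate that fails to validate for dns.quad9.net, and a silently dropped port 853 each surface as a distinct outcome. The two sample responses at the bottom are constructed, not captured.

```python
import socket
import ssl
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query (RFC 1035): header with RD set, one question."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> tuple:
    """Return (txid, rcode name, answer count) from a DNS response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return txid, RCODES.get(rcode, f"RCODE{rcode}"), an

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed before a full DNS message arrived")
        buf += chunk
    return buf

def dot_query(server_ip: str, auth_name: str, name: str, port: int = 853, timeout: float = 5.0) -> tuple:
    """One DNS-over-TLS exchange (RFC 7858). The certificate is validated against
    auth_name (sent as SNI, e.g. dns.quad9.net); a chain that does not validate
    raises ssl.SSLCertVerificationError, a blackholed port 853 raises socket.timeout."""
    ctx = ssl.create_default_context()  # system trust store, hostname check enabled
    query = build_query(name)
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_header(_recv_exact(tls, length))

# Constructed sample responses (not captured from a real server) so the parser can be
# exercised offline: an NXDOMAIN for dns.quad9.net, the kind of negative answer a
# resolver can cache and keep serving, and a NOERROR answer carrying one A record.
_QUESTION = build_query("dns.quad9.net")[12:]
NXDOMAIN_SAMPLE = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION
NOERROR_SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([9, 9, 9, 9]))
```

Against a live resolver, `dot_query("9.9.9.9", "dns.quad9.net", "example.com")` run from the pfSense box and from a host behind it shows whether the TLS setup itself fails on the WAN path or only Unbound's cached view of dns.quad9.net is wrong.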
-
@keyser When I reported this issue here, the problem had already been ongoing for about a day or so...
Since yesterday afternoon I added 2 more DNS servers in General Setup (76.76.2.0 & 76.76.10.0 and "p0.freedns.controld.com" for DOT) and everything is back to normal for me... These new DNS servers are inserted BEFORE Quad9's DNS servers. Everything else is as per the screenshots I posted above...
This morning I got a notice from pfsense that unbound was available to update.
unbound: 1.18.0_1 -> 1.19.1 [pfSense]
-
@pftdm007 Yeah, Quad9 still does not work for me, so I’m in root resolver mode until further notice.
-
Are any of you guys still having issues with Quad9? Things worked for a few days for me when I added the FreeDNS servers, but since yesterday or so it's flaky at best, especially for everything associated with Reddit... Will revert to Google's servers until further notice.
-
@pftdm007 I have 2 sites, one site cannot use Quad9 in TLS mode anymore. Works fine in normal forwarding mode, so I'm starting to think it's my ISP doing something fishy with TLS to that site.