Netgate Discussion Forum

    Blocking Port 53 & Issues Resolving Host Names

    DHCP and DNS
    10 Posts 4 Posters 1.4k Views
    • A Former User
      last edited by A Former User

      Dear Netgate Community,

      I recently set up DNS over TLS with Cloudflare and it's working for the most part, except some websites take a long time to load (or even fail occasionally). But once the web page loads, navigating the web page is normal and speedy and will work for a little bit, but then it reverts back to taking a long time to load.

      Also, for example, it stopped pfSense from finding the new pfSense update, my VPN fails to restart properly, and it stops pfBlockerNG from updating until I disable the rule.

      I have isolated the issue to this firewall rule that is blocking port 53:

      [screenshot: the firewall rule blocking port 53]

      If I disable this firewall rule, all websites load fine. But then, DNS starts going over port 53 and not 853.

      Here are other rules I have for port 53, but I don't think they are affecting my issue:

      [screenshots: the other firewall rules for port 53]

      Here is a sample of my state table for 1.0.0.1:
      https://hastebin.com/oqusazuxep.nginx

      Is anyone else experiencing this? Any tips / recommendation would be greatly appreciated!

      Thank you very much!

      • kiokoman LAYER 8
        last edited by

        I would check this under DNS Resolver:

        DNS Query Forwarding
        Enable Forwarding Mode If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup or those obtained via DHCP/PPP on WAN (if DNS Server Override is enabled there).

        Use SSL/TLS for outgoing DNS Queries to Forwarding Servers When set in conjunction with DNS Query Forwarding, queries to all upstream forwarding DNS servers will be sent using SSL/TLS on the default port of 853. Note that ALL configured forwarding servers MUST support SSL/TLS queries on port 853. <- and check this

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • A Former User
          last edited by

          Hi kiokoman,

          Thank you, I just double-checked and all those settings are checked off already, and I am using Cloudflare, which supports DNS over TLS.

          • kiokoman LAYER 8
            last edited by

            And that is 1.1.1.1 and 1.0.0.1?

            • A Former User @kiokoman
              last edited by A Former User

              @kiokoman Yes sir! And for hostname, I have 1dot1dot1dot1.cloudflare-dns.com for both of them.

              I broke my internet somehow, fixing that right now 😂

              Update: oh it's back now!

                • A Former User
                  last edited by A Former User

                  Hello,

                  Just an update:

                  It looks like some websites failing or taking a long time to load was related to Snort (although I disabled all packages before as a test and it was still having issues, but it looks like that's not the case now).

                  In terms of external host names not resolving, such as:

                  1. pfSense not finding an update for itself,
                  2. pfBlockerNG failing updates, for example with: "Could not resolve host: ransomwaretracker.abuse.ch Retry in 5 seconds..."
                  3. VPN not working unless I put an IP in the config (instead of a hostname)
                  4. No packages appearing under the "available packages"

                  I found that doing the following fixed this (but please let me know if this is wrong!):

                  1. Go to System -> General Setup
                  2. Uncheck "Disable DNS Forwarder"
                    Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall
                    By default localhost (127.0.0.1) will be used as the first DNS server where the DNS Forwarder or DNS Resolver is enabled and set to listen on localhost, so system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers in resolv.conf.
                  3. Go to: Services -> DNS Resolver
                  4. Select "All" for the Network Interfaces and Outgoing Network Interfaces.

                  So in summary,

                  1. I have all domain devices' DNS pointing to my internal AD DNS servers via the DHCP scope
                  2. I added the pfSense IP to the forwarder list of my AD DNS servers
                  3. Added my AD DNS servers to the DNS Resolver domain override setting
                  4. I enabled all interfaces for "Network Interfaces" and "Outgoing Network Interfaces" in the DNS Resolver settings
                  5. I unchecked "Disable DNS Forwarder" under System -> General Setup
                  6. Blocking port 53 outbound
                  7. Using Cloudflare for DNS over TLS in System -> General Setup

                  If this is borked please let me know! (But everything seems to be working now... even while blocking port 53 outbound.)

                  • A Former User @A Former User
                    last edited by A Former User

                    @techgeek055 Just another update:

                    All issues seem to be resolved, except that when visiting websites I will randomly get 2 different white pages with 2 different errors, DNS_PROBE_STARTED then DNS_PROBE_FINISHED_NXDOMAIN, and then it will load the webpage normally after half a second.

                    Edit: Actually I think it's working without this issue.

                    • Law_at_Nexus @A Former User
                      last edited by

                      @techgeek055 The hostname is one.one.one.one, not 1dot1dot1dot1.cloudflare-dns.com.

                      • Gertjan
                        last edited by

                        Yep, confirmed:

                        [2.4.5-RELEASE][root@priv.brit-hotel-fumel.net]/root: host 1.1.1.1
                        1.1.1.1.in-addr.arpa domain name pointer one.one.one.one.
                        

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??
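What the working summary earlier in the thread and the hostname correction above map to in Unbound's own configuration (pfSense's DNS Resolver is Unbound), as an added example that is not from the thread or from pfSense; the AD domain, the internal server and LAN addresses and the certificate bundle path are placeholders.

```conf
server:
    # CA bundle used to verify the forwarders' TLS certificates.
    # Path is an assumption; point it at the system trust store.
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # GUI "Network Interfaces: All": listen on every address, including
    # 127.0.0.1, which the firewall itself uses for its own lookups once
    # "Disable DNS Forwarder" is unchecked in System -> General Setup.
    interface: 0.0.0.0
    interface: ::0
    access-control: 127.0.0.0/8 allow
    # Placeholder LAN range.
    access-control: 192.0.2.0/24 allow

    # The AD zone legitimately answers with private addresses; without this,
    # Unbound's rebinding protection would strip those answers.
    # Placeholder AD domain.
    private-domain: "ad.example.internal"

# GUI "Domain Override": the AD zone goes to the internal AD DNS servers
# as plain DNS on port 53 inside the LAN, so the outbound block on 53
# (a WAN rule) is never hit for it.
forward-zone:
    name: "ad.example.internal"
    # Placeholder AD DNS server addresses.
    forward-addr: 192.0.2.10
    forward-addr: 192.0.2.11

# GUI "Enable Forwarding Mode" + "Use SSL/TLS for outgoing DNS Queries":
# every other query leaves on 853 only, which is why blocking 53 outbound
# no longer breaks updates, pfBlockerNG or the VPN. The name after '#' is
# the TLS authentication name checked against the server certificate:
# one.one.one.one, the name the PTR lookup for 1.1.1.1 returns.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 1.0.0.1@853#one.one.one.one
```

If the authentication name does not match the certificate, Unbound drops the TLS session and the query fails rather than falling back to plaintext on 53.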

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.