Issues with resolving and no internet access..

AR15USR

I have recently switched from Squid/Squidgrard to pfblockerNG. Since that switch I have been having issues with long "resolving host..." times, inability to find sites, and complete internet access blockage (even on subnets not monitored by pfblockerNG). Before, this resolving was instantaneous (at least to the human eye). I am running pfBlockerNG-devel 2.2.1.

I have had the TLD feature enabled up until disabling it today, I'll see if this changes anything. With this enabled, my memory utilization was only 47% fyi.

Pics of my settings are below, I can post up log files but I am not sure which one would be apropos, just let me know.

Any ideas where / what to start with?

AR15USR

As an update I have not seen the issue since I disabled TLD setting.

BBcan177

If you are on a Multi-Segmented LAN (ie: VLANS), you will need to enable the "DNSBL Permit rule" option which will allow your VLANs to access the DNSBL VIP.

You should be able to ping and browse to the DNSBL VIP from all VLAN subnets.

AR15USR

I do have it enabled, see screen pic above “Permit firewall rules”, unless you are referring to something else?

The problem though was happening on the LAN. After unchecking the “TLD” feature it got better, but still happens. Never happened before installing pfblockerNG devel.

BBcan177

Timeouts typically only occur when the LAN/VLANs cannot access the DNSBL VIP. When a request is HTTP, the Lighttpd DNSBL webserver sends a 1x1 pixel back to the browser to terminate the connection. For HTTPS blocked domains, the browser will terminate as soon as it sees that the DNSBL Cert is invalid and should drop the connection without delay.

Can you ping and browse to the DNSBL VIP?

AR15USR

@bbcan177

Yes I can browse and ping the VIP (10.10.10.1, the default) (when I browse I see the block page).

Here is an example of how it happens from the user point of view if it helps:

You enter a URL in the browser (Chrome). You see "resolving host..." in the status bar at the bottom, this happens for a minute or so, sometimes faster. Then you get the "This site cant be reached" error. If you type the URL in the browser again it will then resolve and find the site right away. Sometimes you need to enter it a couple times to resolve correctly.

BBcan177

@ar15usr said in Issues with resolving and no internet access..:

You enter a URL in the browser (Chrome). You see “resolving host…” in the status bar at the bottom, this happens for a minute or so, sometimes faster. Then you get the “This site cant be reached” error. If you type the URL in the browser again it will then resolve and find the site right away. Sometimes you need to enter it a couple times to resolve correctly.

Are you using the Resolver in "Forwarder" or "Resolver" mode?

If in "Forwarder" mode, it will use the External DNS Server settings that are defined in the pfSense General Tab DNS settings.

If in "Resolver" mode, it will use the 13 Root DNS Servers for DNS resolution.

If you have DNSSEC enabled, it will work for "Resolver" mode, and also for DNS Servers that support it.

You can increase the log verbosity in the Resolver settings to "2" and then review the pfSense Resolver.log for any error messages.

Also ensure that your LAN devices only have the pfSense IP defined as the DNS Server, so that all DNS requests are filtered before any outbound DNS requests.

Are you using any IP/GeoIP Blocking? or Snort/Suricata? If so, check the Alerts Tab for clues to see if DNS servers are getting blocked which can cause DNS resolution issues.

AR15USR

@BBcan177 I know this topic is kind of old but I thought you might like to know.

The same issue infact re-appeared and has been happening all along, I have just been ignoring it. Recently my wife and son have started complaining so I've been forced to look back in to this.

First thing I did was disable pfBlockerNG and voila, problem instantly stopped. It has not re-appeared since I disabled it a day ago.

I also confirmed I was able to ping and browse the VIP before disabling it. pfSense DNS is in Resolver mode.

Current info:
pfSense 2.4.4-RELEASE-p3
pfBlockerNG-devel 2.2.5_23

I'm not sure if it is the package itself, or a certain feed that causes it. Maybe too many feeds turned on? Here is what I had on:

Feeds:
EasyListAds
ADs
Malicious
hpHosts
BBcan177
BBC - DGA
Cryptojackers

Category"
Shallalist_Porn

If you have any ideas where to start I'd appreciate it.

BBcan177

@AR15USR

Review the Reports/Alerts page to see what domains are being blocked and then click on the "+" icon to whitelist it.

AR15USR

@BBcan177 Its not necessarily a matter of not being able to access the site or it being blocked. What happens is there is a long pause, the browser says "Resolving host..." then 1 of 2 things happens:

1. The site eventually resolves and you land at the requested url. But the wait time is several seconds to ~30 seconds.
2. The site resolving eventually times out and you get the "This site can't be reached..." notice above.

When #2 happens you can reload the url 1 or more times and you eventually get to the site. You never get to the VIP/Block page because the site is not blocked, it does not show in the reports.
With pfBlockerNG disabled browsing is lightning fast and I never get the "Resolving host..." delay above.

I have just enabled pfBlockerNG again, but with all dnsbl feeds and categories disabled as a test to see what happens

BBcan177

@AR15USR said in Issues with resolving and no internet access..:

@BBcan177 Its not necessarily a matter of not being able to access the site or it being blocked. What happens is there is a long pause, the browser says "Resolving host..." then 1 of 2 things happens:

The site eventually resolves and you land at the requested url. But the wait time is several seconds to ~30 seconds.
The site resolving eventually times out and you get the "This site can't be reached..." notice above.

When #2 happens you can reload the url 1 or more times and you eventually get to the site. You never get to the VIP/Block page because the site is not blocked, it does not show in the reports.
With pfBlockerNG disabled browsing is lightning fast and I never get the "Resolving host..." delay above.
I have just enabled pfBlockerNG again, but with all dnsbl feeds and categories disabled as a test to see what happens

Did you try my other recommendations above... Are you on VLANS? Can you ping/browse to the DNSBL VIP and get a response... If that fails, then you will get a timeout... Also make sure that you are only using pfSense as the DNS server for the LAN devices.

AR15USR

@BBcan177 said in Issues with resolving and no internet access..:

@AR15USR said in Issues with resolving and no internet access..:

@BBcan177 Its not necessarily a matter of not being able to access the site or it being blocked. What happens is there is a long pause, the browser says "Resolving host..." then 1 of 2 things happens:

The site eventually resolves and you land at the requested url. But the wait time is several seconds to ~30 seconds.
The site resolving eventually times out and you get the "This site can't be reached..." notice above.

When #2 happens you can reload the url 1 or more times and you eventually get to the site. You never get to the VIP/Block page because the site is not blocked, it does not show in the reports.
With pfBlockerNG disabled browsing is lightning fast and I never get the "Resolving host..." delay above.
I have just enabled pfBlockerNG again, but with all dnsbl feeds and categories disabled as a test to see what happens

Did you try my other recommendations above... Are you on VLANS? Can you ping/browse to the DNSBL VIP and get a response... If that fails, then you will get a timeout... Also make sure that you are only using pfSense as the DNS server for the LAN devices.

Yes I have several VLANS, and I just reverified I can ping w/ response and browse to the VIP successfully from them. I am using the DNS Resolver, the DNS Server settings under General are blank and unchecked, and I have rules setup according to this to forward all DNS to 127.0.0.1.

To answer your other questions:

Are you using the Resolver in "Forwarder" or "Resolver" mode? Resolver

If you have DNSSEC enabled, it will work for "Resolver" mode, and also for DNS Servers that support it. Yes DNSSEC is enabled

You can increase the log verbosity in the Resolver settings to "2" and then review the pfSense Resolver.log for any error messages. Will do this

Also ensure that your LAN devices only have the pfSense IP defined as the DNS Server, so that all DNS requests are filtered before any outbound DNS requests. Checked and verifyied

Are you using any IP/GeoIP Blocking? or Snort/Suricata? If so, check the Alerts Tab for clues to see if DNS servers are getting blocked which can cause DNS resolution issues. Yes using Snort, haven't seen any DNS servers being blocked.

Will continue to further investigate..

BBcan177

@BBcan177 said in Issues with resolving and no internet access..:

When #2 happens you can reload the url 1 or more times and you eventually get to the site. You never get to the VIP/Block page because the site is not blocked, it does not show in the reports.

Do you have any proxy enabled?

Are you sure this site is in DNSBL? Try to ping that site and see if it replies back with the DNSBL VIP.

If it doesn't reply with the DNSBL VIP, then there might be some Firewall Rule or NAT rule that is interfering... Try to isolate one rule at a time to see which is causing your issue.

AR15USR

@BBcan177 Thanks for getting back.

I am positive the site(s) are NOT in DNSBL, as I can eventually resolve them if I reload the browser page enough times. I will look through my rules.
FYI I looked through the Resolver logs and did not see any errors.

I am not using a proxy FYI.