Issues with resolving and no internet access..



  • I have recently switched from Squid/SquidGuard to pfBlockerNG. Since that switch I have been having issues with long "resolving host..." times, inability to find sites, and complete internet access blockage (even on subnets not monitored by pfBlockerNG). Before, this resolving was instantaneous (at least to the human eye). I am running pfBlockerNG-devel 2.2.1.

    I have had the TLD feature enabled up until disabling it today; I'll see if this changes anything. With this enabled, my memory utilization was only 47%, FYI.

    Pics of my settings are below. I can post log files, but I am not sure which one would be apropos; just let me know.

    Any ideas where / what to start with?

    [Six screenshots of the pfBlockerNG settings pages, taken 2018-06-12 and 2018-06-13, were attached here in the original post.]



  • As an update I have not seen the issue since I disabled TLD setting.


  • Moderator

    If you are on a multi-segmented LAN (i.e. VLANs), you will need to enable the "DNSBL Permit rule" option, which will allow your VLANs to access the DNSBL VIP.

    You should be able to ping and browse to the DNSBL VIP from all VLAN subnets.



  • I do have it enabled, see screen pic above “Permit firewall rules”, unless you are referring to something else?

    The problem though was happening on the LAN. After unchecking the “TLD” feature it got better, but still happens. Never happened before installing pfblockerNG devel.


  • Moderator

    Timeouts typically only occur when the LAN/VLANs cannot access the DNSBL VIP. When a request is HTTP, the Lighttpd DNSBL webserver sends a 1x1 pixel back to the browser to terminate the connection. For HTTPS blocked domains, the browser will terminate as soon as it sees that the DNSBL Cert is invalid and should drop the connection without delay.

    Can you ping and browse to the DNSBL VIP?
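An added example (not code from the thread or from pfBlockerNG) that exercises the two behaviours the moderator describes, from a client on a given LAN or VLAN: a plain HTTP request to the DNSBL VIP, which should come back promptly with the 1x1 pixel (or the block page as HTML), and a TLS handshake against the VIP, which should fail fast with a certificate error rather than hang. The VIP 10.10.10.1 is the default named later in the thread; the Host header value `blocked.example`, the one-second "slow" threshold and the three-second socket timeout are assumptions. ICMP reachability is left to `ping` itself.

```python
import socket
import ssl
import time

DNSBL_VIP = "10.10.10.1"   # default VIP from the thread; change if yours differs
TIMEOUT = 3.0              # assumed socket timeout; a browser would give up later


def parse_http_head(raw):
    """Return (status_code, headers dict, body) from a raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def judge_http(status, headers, elapsed, slow_after=1.0):
    """The DNSBL webserver should answer at once with a tiny image or a page."""
    if elapsed > slow_after:
        return "SLOW_HTTP"       # reachable, but slow enough to look like a hang
    if status == 200 and headers.get("content-type", "").startswith("image/"):
        return "PIXEL_OK"        # the 1x1 pixel used to terminate HTTP requests
    if status == 200:
        return "PAGE_OK"         # the HTML block page
    return "HTTP_%d" % status


def fetch_block_page(vip=DNSBL_VIP, host="blocked.example", timeout=TIMEOUT):
    """GET / from the VIP with a Host header, as a browser hitting a blocked name would."""
    start = time.monotonic()
    with socket.create_connection((vip, 80), timeout=timeout) as sock:
        sock.sendall(("GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode("ascii"))
        raw = b""
        while True:              # HTTP/1.0: the server closes after the response
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    elapsed = time.monotonic() - start
    status, headers, _body = parse_http_head(raw)
    return judge_http(status, headers, elapsed), elapsed


def judge_tls(outcome, elapsed, slow_after=1.0):
    """A browser drops a blocked HTTPS site as soon as the DNSBL cert fails to verify."""
    if outcome == "timeout":
        return "TLS_TIMEOUT"             # this is the case that produces browser timeouts
    if elapsed > slow_after:
        return "TLS_SLOW"
    if outcome == "cert_rejected":
        return "CERT_REJECTED_FAST"      # expected behaviour
    if outcome == "handshake_ok":
        return "UNEXPECTED_VALID_CERT"   # you are probably not talking to the DNSBL VIP
    return "TLS_" + outcome.upper()


def probe_https(vip=DNSBL_VIP, host="blocked.example", timeout=TIMEOUT):
    """Attempt a verified TLS handshake with the VIP and time how it fails."""
    ctx = ssl.create_default_context()   # verifies the chain and hostname like a browser
    start = time.monotonic()
    try:
        with socket.create_connection((vip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                outcome = "handshake_ok"
    except ssl.SSLCertVerificationError:
        outcome = "cert_rejected"
    except ssl.SSLError:
        outcome = "handshake_failed"
    except socket.timeout:
        outcome = "timeout"
    except ConnectionRefusedError:
        outcome = "refused"
    elapsed = time.monotonic() - start
    return judge_tls(outcome, elapsed), elapsed


if __name__ == "__main__":
    for label, probe in (("http ", fetch_block_page), ("https", probe_https)):
        verdict, elapsed = probe()
        print("%s %s -> %-22s %.3fs" % (label, DNSBL_VIP, verdict, elapsed))
```

Run it from each VLAN in turn; anything other than PIXEL_OK/PAGE_OK and CERT_REJECTED_FAST means the client cannot reach the VIP the way the DNSBL design assumes, which is where the firewall or "DNSBL Permit rule" configuration should be checked first.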



  • @bbcan177

    Yes I can browse and ping the VIP (10.10.10.1, the default) (when I browse I see the block page).

    Here is an example of how it happens from the user point of view if it helps:

    You enter a URL in the browser (Chrome). You see "resolving host..." in the status bar at the bottom; this happens for a minute or so, sometimes faster. Then you get the "This site can't be reached" error. If you type the URL in the browser again, it will then resolve and find the site right away. Sometimes you need to enter it a couple of times to resolve correctly.


  • Moderator

    @ar15usr said in Issues with resolving and no internet access..:

    You enter a URL in the browser (Chrome). You see "resolving host..." in the status bar at the bottom; this happens for a minute or so, sometimes faster. Then you get the "This site can't be reached" error. If you type the URL in the browser again, it will then resolve and find the site right away. Sometimes you need to enter it a couple of times to resolve correctly.

    Are you using the Resolver in "Forwarder" or "Resolver" mode?

    If in "Forwarder" mode, it will use the External DNS Server settings that are defined in the pfSense General Tab DNS settings.

    If in "Resolver" mode, it will use the 13 Root DNS Servers for DNS resolution.

    If you have DNSSEC enabled, it will work for "Resolver" mode, and also for DNS Servers that support it.

    You can increase the log verbosity in the Resolver settings to "2" and then review the pfSense Resolver.log for any error messages.

    Also ensure that your LAN devices only have the pfSense IP defined as the DNS Server, so that all DNS requests are filtered before any outbound DNS requests.

    Are you using any IP/GeoIP Blocking? or Snort/Suricata? If so, check the Alerts Tab for clues to see if DNS servers are getting blocked which can cause DNS resolution issues.
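The checks above (Resolver vs. Forwarder, DNSSEC, Resolver log, clients pointing only at pfSense) are easier to act on with numbers. The following is an added example, not code from the thread or from pfBlockerNG: it sends raw A queries from a client to the pfSense resolver, times each one, and classifies the result the way a user would experience it, including the "reply with the DNSBL VIP" test a later post suggests. The resolver address 192.168.1.1, the query timeout, the one-second "slow" threshold and the sample names are assumptions; 10.10.10.1 is the default VIP given in the thread. Only UDP is used, so a truncated reply is not retried over TCP.

```python
import random
import socket
import struct
import time

# Assumed values (not from the thread): RESOLVER is the pfSense LAN address
# the clients use; DNSBL_VIP is the default VIP mentioned in the thread.
RESOLVER = "192.168.1.1"
DNSBL_VIP = "10.10.10.1"
DEFAULT_TIMEOUT = 2.0
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid):
    """Encode a plain A/IN query (RD set, no EDNS) in DNS wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_reply(query_bytes, rcode, addrs, ttl=60):
    """Construct a reply to query_bytes; only used for offline checking."""
    qid = struct.unpack("!H", query_bytes[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | (rcode & 0xF), 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                   for a in addrs)            # 0xc00c = pointer to the question name
    return header + query_bytes[12:] + rrs


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:             # compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Return (qid, rcode, [A addresses]) from a wire-format reply."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return qid, flags & 0x000F, addrs


def classify(rcode, addrs, elapsed, timed_out=False, slow_after=1.0):
    """Map one reply to the symptom a browser user would report."""
    if timed_out:
        return "TIMEOUT"             # no answer at all: "This site can't be reached"
    if rcode == 2:
        return "SERVFAIL"            # e.g. DNSSEC validation or upstream failure
    if rcode != 0:
        return RCODES.get(rcode, "RCODE_%d" % rcode)
    if DNSBL_VIP in addrs:
        return "BLOCKED_BY_DNSBL"    # the answer points at the DNSBL VIP
    if elapsed > slow_after:
        return "SLOW"                # resolved, but with a visible "Resolving host..." pause
    return "OK"


def query(name, resolver=RESOLVER, timeout=DEFAULT_TIMEOUT):
    """Send one query over UDP and return (verdict, seconds, addresses)."""
    qid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qid), (resolver, 53))
        while True:                  # ignore stray datagrams carrying another id
            data, _ = sock.recvfrom(4096)
            rid, rcode, addrs = parse_response(data)
            if rid == qid:
                break
        elapsed = time.monotonic() - start
        return classify(rcode, addrs, elapsed), elapsed, addrs
    except socket.timeout:
        return classify(0, [], timeout, timed_out=True), timeout, []
    finally:
        sock.close()


if __name__ == "__main__":
    # Placeholder names; substitute the sites that stall for your users.
    for name in ["example.com", "www.example.net"]:
        verdict, elapsed, addrs = query(name)
        print("%-24s %-17s %6.3fs  %s" % (name, verdict, elapsed, ",".join(addrs)))
```

Run it from an affected client with pfBlockerNG enabled and again with it disabled, and compare the verdicts per name. A run of SERVFAILs lines up with the Resolver log at verbosity 2; TIMEOUT or SLOW with no SERVFAIL points at the path between the client and the resolver (or at something delaying unbound itself) rather than at a blocked domain, which would show as BLOCKED_BY_DNSBL.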



  • @BBcan177 I know this topic is kind of old but I thought you might like to know.

    The same issue in fact re-appeared and has been happening all along; I have just been ignoring it. Recently my wife and son have started complaining, so I've been forced to look back into this.

    First thing I did was disable pfBlockerNG and voila, problem instantly stopped. It has not re-appeared since I disabled it a day ago.

    I also confirmed I was able to ping and browse the VIP before disabling it. pfSense DNS is in Resolver mode.

    Current info:
    pfSense 2.4.4-RELEASE-p3
    pfBlockerNG-devel 2.2.5_23

    I'm not sure if it is the package itself, or a certain feed that causes it. Maybe too many feeds turned on? Here is what I had on:

    Feeds:
    EasyListAds
    ADs
    Malicious
    hpHosts
    BBcan177
    BBC - DGA
    Cryptojackers

    Category:
    Shallalist_Porn

    If you have any ideas where to start I'd appreciate it.


  • Moderator

    @AR15USR

    Review the Reports/Alerts page to see what domains are being blocked and then click on the "+" icon to whitelist it.



  • @BBcan177 It's not necessarily a matter of not being able to access the site or it being blocked. What happens is there is a long pause, the browser says "Resolving host..." then 1 of 2 things happens:

    1. The site eventually resolves and you land at the requested url. But the wait time is several seconds to ~30 seconds.
    2. The site resolving eventually times out and you get the "This site can't be reached..." notice above.

    When #2 happens you can reload the url 1 or more times and you eventually get to the site. You never get to the VIP/Block page because the site is not blocked, it does not show in the reports.
    With pfBlockerNG disabled browsing is lightning fast and I never get the "Resolving host..." delay above.

    I have just enabled pfBlockerNG again, but with all DNSBL feeds and categories disabled as a test to see what happens.


  • Moderator

    @AR15USR said in Issues with resolving and no internet access..:

    @BBcan177 It's not necessarily a matter of not being able to access the site or it being blocked. What happens is there is a long pause, the browser says "Resolving host..." then 1 of 2 things happens:

    1. The site eventually resolves and you land at the requested url. But the wait time is several seconds to ~30 seconds.
    2. The site resolving eventually times out and you get the "This site can't be reached..." notice above.

    When #2 happens you can reload the url 1 or more times and you eventually get to the site. You never get to the VIP/Block page because the site is not blocked, it does not show in the reports.
    With pfBlockerNG disabled browsing is lightning fast and I never get the "Resolving host..." delay above.
    I have just enabled pfBlockerNG again, but with all DNSBL feeds and categories disabled as a test to see what happens.

    Did you try my other recommendations above... Are you on VLANs? Can you ping/browse to the DNSBL VIP and get a response... If that fails, then you will get a timeout... Also make sure that you are only using pfSense as the DNS server for the LAN devices.



  • @BBcan177 said in Issues with resolving and no internet access..:

    @AR15USR said in Issues with resolving and no internet access..:

    @BBcan177 It's not necessarily a matter of not being able to access the site or it being blocked. What happens is there is a long pause, the browser says "Resolving host..." then 1 of 2 things happens:

    1. The site eventually resolves and you land at the requested url. But the wait time is several seconds to ~30 seconds.
    2. The site resolving eventually times out and you get the "This site can't be reached..." notice above.

    When #2 happens you can reload the url 1 or more times and you eventually get to the site. You never get to the VIP/Block page because the site is not blocked, it does not show in the reports.
    With pfBlockerNG disabled browsing is lightning fast and I never get the "Resolving host..." delay above.
    I have just enabled pfBlockerNG again, but with all DNSBL feeds and categories disabled as a test to see what happens.

    Did you try my other recommendations above... Are you on VLANs? Can you ping/browse to the DNSBL VIP and get a response... If that fails, then you will get a timeout... Also make sure that you are only using pfSense as the DNS server for the LAN devices.

    Yes, I have several VLANs, and I just reverified that I can ping with a response and browse to the VIP successfully from them. I am using the DNS Resolver, the DNS Server settings under General are blank and unchecked, and I have rules set up according to this to forward all DNS to 127.0.0.1.

    To answer your other questions:

    Are you using the Resolver in "Forwarder" or "Resolver" mode? Resolver

    If you have DNSSEC enabled, it will work for "Resolver" mode, and also for DNS Servers that support it. Yes DNSSEC is enabled

    You can increase the log verbosity in the Resolver settings to "2" and then review the pfSense Resolver.log for any error messages. Will do this

    Also ensure that your LAN devices only have the pfSense IP defined as the DNS Server, so that all DNS requests are filtered before any outbound DNS requests. Checked and verified

    Are you using any IP/GeoIP Blocking? or Snort/Suricata? If so, check the Alerts Tab for clues to see if DNS servers are getting blocked which can cause DNS resolution issues. Yes using Snort, haven't seen any DNS servers being blocked.

    Will continue to further investigate..


  • Moderator

    @BBcan177 said in Issues with resolving and no internet access..:

    When #2 happens you can reload the url 1 or more times and you eventually get to the site. You never get to the VIP/Block page because the site is not blocked, it does not show in the reports.

    Do you have any proxy enabled?

    Are you sure this site is in DNSBL? Try to ping that site and see if it replies back with the DNSBL VIP.

    If it doesn't reply with the DNSBL VIP, then there might be some Firewall Rule or NAT rule that is interfering... Try to isolate one rule at a time to see which is causing your issue.



  • @BBcan177 Thanks for getting back.

    I am positive the site(s) are NOT in DNSBL, as I can eventually resolve them if I reload the browser page enough times. I will look through my rules.
    FYI I looked through the Resolver logs and did not see any errors.

    I am not using a proxy FYI.

