Strange issue - not sure how to fix
-
Did you set that public IP to resolve as local?
Where are the queries to and from .com server Servers?.. I only see queries for the root servers?
You prob want to set number of packets to capture to 0 vs just the 100..
-
@johnpoz said in Strange issue - not sure how to fix:
Did you set that public IP to resolve as local?
Yes - to obscure my IP address. Wherever it says "local", it originally listed my IP address.
Where are the queries to and from .com server Servers?.. I only see queries for the root servers?
Not sure. But the packet capture was taken while I ran the command dig feedly.com +trace. I ran it again while trying to browse to feedly.com - results below.
You prob want to set number of packets to capture to 0 vs just the 100..
Done below
-
That image is too small for me to make out anything.
Looks like you have some queries for fox.com - but I don't see anything to the cloudflare NS that are for feedly.com
-
Unfortunately, I can't seem to upload any images > 1 mb, so that one was the best resolution I could use (if you click on it to open in a separate tab, it should be more readable)
But it does show DNS queries going out to various name servers. This was occurring while I was trying to load feedly.com (unsuccessfully) and in other tabs browsing to other sites (successfully).
Does this help narrow down the issue at all? -
Dude just shrink it... And it sure isn't showing anything over 100 queries... And I tried clicking into - its too small..
If you click into that you can read it can you not..
-
The pciture is a screenshot from wireshark - it was the max number of lines I could fit on my screen at one time. When I tried to cut and paste the text itself, the forum software rejects it as being spam, so it won't let me post it. However, I searched the capture file on my end - even though I was trying to resolve feedly.com, there were no entries for feedly.com in the capture (and other DNS requests are going out as expected at the exact same time). It's as if the request to resolve feedly.com is not even getting to the DNS resolver. I am not sure where along the way it is getting blocked.
-
And strangest of all - the problem just seemed to fix itself without any intervention on my part. When I tried to browse to feedly.com, it resolved (unfortunately was not performing packet capture at the time). However, I notice that this is at exactly the same time that pfBlocker NG is updating itself/cron job. Is that just a coincidence, or is that pointing to an issue with pfBlocker NG?
-
Spoke too soon - feedly.com resolved in firefox (still using the firefox internal cloudfare DNS lookup) but not safari at the same time - i.e. it could resolve when 1.1.1.1 was used but not unbound. As soon as pfBlocker NG finished its update, firefox could not resolve feedly.com any longer.
-
Tried another packet capture while browsing to feedly.com, pinging feedly.com, and performing an nslookup via the command prompt. During all of that, feedly.com never appeared in the UDP port 53 packet capture, even though other domains did appear as expected (and resolved without issue) - including websites that I have never accessed in the past. The problem does seem to be limited to feedly. I remain mystified.
-
@pfguy2018 said in Strange issue - not sure how to fix:
notice that this is at exactly the same time that pfBlocker NG is updating itself/cron job.
Dude that restarts unbound! And yes that will cause you problems with resolving. As to not seeing anything for feedly in your sniff - because once its cached you don't have to go lookup it up again..
How freaking often do you have pfblocker updating?
Why don't you turn off that firefox nonsense?
Here lets do this - how long has unbound been up?
[2.4.4-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf status version: 1.9.1 verbosity: 1 threads: 4 modules: 2 [ validator iterator ] uptime: 555956 seconds options: control(ssl) unbound (pid 83160) is running... [2.4.4-RELEASE][admin@sg4860.local.lan]/root: -
Here is another data point. The issue I noted above where I was able to resolve feedly.com while pfBlockerNG was reloading its lists, but was then unable to resolve it once the cron job finished made me look harder at pfBlockerNG. I found an alias in the firewall rules called pfBlockerNGSuppress, which contained feedly.com as one of the addresses. As soon as I removed feedly from that alias and reloaded, feedly.com resolved immediately. Still not sure how this all fits together, but it seems to be working now, and I will monitor to see if it fails again or whether this has solved the problem.
PfBlocker is set to update hourly, which is the default setting that it came with. Would you suggest a lesser frequency?
I have disabled Firefox's use of cloudfare's DNS servers, as you suggested. Out of interest, is your distaste for the use of these servers based on security concerns, or privacy issues, or some other factor?
EDIT:
Here is the output of that command. Note that I had just reloaded the firewall rules when I deleted the entry in the Suppress list as noted above.
version: 1.9.1 verbosity: 3 threads: 4 modules: 2 [ validator iterator ] uptime: 7515 seconds options: control(ssl) unbound (pid 71227) is running... -
Its all three - I don't want firefox using anything different for dns than what I tell it too! Period.. That that think its ok to do this is just utter madness.. And they are not fooling anyone with there - our users are too freaking stupid, and we are doing it for their own good nonsense..
I have had TRR disabled well before they turned it on.. There is a long running thread about it here..
From that your unbound has only been up for bit over 2 hours... Every time unbound restarts you loose all caching.. So no you shouldn't be restarting it.. Sure and the F not every hour..
I only uses pfblocker for aliases... I don't let it block anything on its own..
edit: Here is the TRR thread.. Been running since 2018
https://forum.netgate.com/topic/133679/heads-up-be-aware-of-trusted-recursive-resolver-trr-in-firefoxYou understand if firefox is bypassing your dns - none of your filtering is of any use at all..
-
Here is what I don't get though:
-
Feedly.com WAS able to be resolved (in non-firefox browsers and portable devices) ONLY when pfBlockerNG was running its cron job (i.e. pfBlockerNG was "down" at the time). Since the only DNS resolver on my network (other than for firefox at that time) is Unbound, does this not suggest that pfBlockerNG was blocking the DNS resolution requests?
-
Why is it that removing the feedly entry from the pfBlockerNGSuppress alias fixed this problem?
Yes, I understand that firefox was bypassing the DNS (not anymore since I disabled that setting though, following your suggestion). I will check out the thread you linked to.
-
-
If you have questions about pfblocker doing dns blocking.. Your best is to ask in that section. I don't use it for that, I only use it for geoip alias lists that I use in my own rules..
-
Fair enough. I appreciate your diligent help over the last couple of days with this vexing issue. Along the way, I have learned a lot thanks to you. Much appreciated. I will continue to monitor this to see if the problem recurs, and will post again if it does. Thanks again.
-
No problem - glad finally figured out the issue.
-
@johnpoz said in Strange issue - not sure how to fix:
No problem - glad finally figured out the issue.
... hopefully! I am keeping my fingers crossed.
-
Looks like I spoke too soon. Problem recurred. And the output of the dig feedly.com + trace command is showing that the root servers are not being reached.
; <<>> DiG 9.12.2-P1 <<>> feedly.com +trace ;; global options: +cmd . 86400 IN NS b.root-servers.net. . 86400 IN NS a.root-servers.net. . 86400 IN NS e.root-servers.net. . 86400 IN NS m.root-servers.net. . 86400 IN NS l.root-servers.net. . 86400 IN NS j.root-servers.net. . 86400 IN NS g.root-servers.net. . 86400 IN NS c.root-servers.net. . 86400 IN NS h.root-servers.net. . 86400 IN NS d.root-servers.net. . 86400 IN NS k.root-servers.net. . 86400 IN NS f.root-servers.net. . 86400 IN NS i.root-servers.net. . 86400 IN RRSIG NS 8 0 518400 20200307170000 20200223160000 33853 . GN9hZh6mOFruU2IWiP4EIvALgU6uQLlXo748wScmwsJYCcmPiPFT6y2q NnsJfg06OrI2qhZueL0NNtcZ5W9hGLFff3nzUcOETUnEWcbW4MwIRWDx VQ4MVMmsnIhWM3BCQdA5hG0eIALwJ+9q3aUe+lHhORN98lpYxfs+tx73 A+GgmNZUm4Coz44hmhJ6G+mM0mYsMLZ1oAvDH/exgo/VExwEA9P3xyRQ b5H09yJdc0cdmygbD8R1L/yjyQUlnyKLOC8ZQ3bpei9NKRXWqv5p29cn pwt4AiaAuZNkCVQA9SIWIKdFVrBh40NsO+RDpEcmh84r30wTVm+qYGT4 PItLag== ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 4256 ms ;; connection timed out; no servers could be reachedBut I am able to connect to Feedly because there is a cached entry in Unbound - at least until the cache expires. Back to being mystified.
-
Any chance this NAT rule could be causing the problem?
Source any/any
Destination (non-local DNS resolver)/port 53
Redirect to 127.0.0.1:53Would this be blocking access to the root servers?
-
No your just redirecting say dns to 8.8.8.8 from a client to pfsense..
What unbound restarting when you tested that? Did you sniff while you did that, did you see anything go out? Did you see answers? Look to see how long unbound was running after that..
You sure your not just restarting unbound all the time.. Do you have it registering dhcp?
