DNS resolution issue

claferriere

I have recently been having some DNS resolution issues on pfsense SG-4860. We try and connect to a website and the browser cannot connect and indicates that the server cannot be found. When doing a DNS trace in pfsense it finds the ip address. When we try and connect directly to the IP address, same issue. Fire up a vpn app and bingo, the connection works. Now this is recent but nothing has been changed other than DNS servers once in a while after a "namebench" session to establish the best DNS servers. I have enabled DNSSEC for a while now with no issues. I have tried turning pfblocker and DNSBL off, but it doesn't seem to change anything. It seems as though it is an SSL or secure DNS issue. Has anyone had this happen ?
thanks

Chris

johnpoz

@claferriere said in DNS resolution issue:

have enabled DNSSEC for a while now with no issues.

If you are forwarding - that setting makes no sense.. Where you forward either does dnssec or not, you asking for that info means nothing.. Just wasted extra queries. That setting only means something if your actually resolving, and not forwarding..

If you can resolve it, it has nothing to do with dns.. Do a simple nslookup or dig, or host - whatever you fav tool is on to do dns queries on your client. Browser is not one of these.. Do you get response, is the IP correct.

example

C:\>dig www.google.com

; <<>> DiG 9.16.8 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         1489    IN      A       172.217.4.196

;; Query time: 0 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Sat Nov 21 16:21:56 Central Standard Time 2020
;; MSG SIZE  rcvd: 59

If so then the problem is not dns.. If your saying you can not connect even to the IP.. That also points to not a dns problem.

claferriere

OK thanks for the info, I did that and found the issue. Its a browser issue, more specifically a firefox setting: security.tls.version.max which was set too high I gather. Changed it to 3 and it works fine.

Case closed, thanks for your help in seeing this a little more clearly.

regards,

Chris

johnpoz

@claferriere said in DNS resolution issue:

security.tls.version.max

So your site is not even using tls 1.2 - yeah maybe its a good idea your browser was complaining.. Anything below 1.2 is no longer considered secure..

What is the site showing?

I have that setting at 4, which enables 1.3 - I have not run into any sites I could not access.

claferriere

@johnpoz It was actually a Shopify site that wasn't loading. But to be honest this has happened a number of times as of late so I guess many site operators and even cloud based suppliers like shopify are not updating their security.

johnpoz

you mind sharing the actual site - like to check in my browser. If you don't want to make it public, just PM me the url.. Just my curiosity cat meowing at me ;)

I have not run into any sites with such an issue..

I mostly use the latest and greatest firefox, currently on 83 for example.

The main shopify site is using tls 1.3 for example. I would assume sites under that would also be using 1.3??

claferriere

@johnpoz No problem, it appears to be a shopify pet products catalogue: https://boutiqueducompagnon.com

c.

johnpoz

That site comes up with tls 1.3..

So I don't think your setting had anything to do with fixing whatever issue you were having with the site.

Maybe the cert was expired before.. With a 90 day cert age, and it being good til feb 13, would mean it was just recently renewed..

11/15/2020, 4:03:38 PM (Central Standard Time)

To be exact ;)