Netgate Discussion Forum
    DNS resolution issue

    General pfSense Questions
    8 Posts 2 Posters 847 Views
      claferriere

      I have recently been having some DNS resolution issues on a pfSense SG-4860. We try and connect to a website and the browser cannot connect and indicates that the server cannot be found. When doing a DNS trace in pfSense it finds the IP address. When we try and connect directly to the IP address, same issue. Fire up a VPN app and bingo, the connection works. Now this is recent, but nothing has been changed other than DNS servers once in a while after a "namebench" session to establish the best DNS servers. I have enabled DNSSEC for a while now with no issues. I have tried turning pfBlocker and DNSBL off, but it doesn't seem to change anything. It seems as though it is an SSL or secure DNS issue. Has anyone had this happen?
      thanks

      Chris

        johnpoz LAYER 8 Global Moderator

        @claferriere said in DNS resolution issue:

        have enabled DNSSEC for a while now with no issues.

        If you are forwarding, that setting makes no sense. Where you forward either does DNSSEC or not; you asking for that info means nothing. Just wasted extra queries. That setting only means something if you're actually resolving, and not forwarding.

        If you can resolve it, it has nothing to do with DNS. Do a simple nslookup or dig, or host, whatever your fav tool is to do DNS queries on your client. The browser is not one of these. Do you get a response? Is the IP correct?

        example

        C:\>dig www.google.com
        
        ; <<>> DiG 9.16.8 <<>> www.google.com
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
        
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;www.google.com.                        IN      A
        
        ;; ANSWER SECTION:
        www.google.com.         1489    IN      A       172.217.4.196
        
        ;; Query time: 0 msec
        ;; SERVER: 192.168.3.10#53(192.168.3.10)
        ;; WHEN: Sat Nov 21 16:21:56 Central Standard Time 2020
        ;; MSG SIZE  rcvd: 59
        

        If so then the problem is not DNS. If you're saying you cannot connect even to the IP, that also points to not a DNS problem.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

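The ladder johnpoz describes (does the resolver return the right address; can you reach that address at all; does TLS to that address succeed), as an added Python example. This is not code from the thread or from pfSense; the default target host, the `SKIPPED` marker and the verdict labels are my own choices. Each stage runs in isolation against the address the previous stage produced, so the verdict names the layer to look at instead of the browser's generic "server not found".

```python
"""Layered connectivity check: resolver -> TCP -> TLS.

Added example, not code from the thread or from pfSense. Each stage is run
in isolation so the verdict names the layer to look at: if dig returns the
right IP and you still cannot connect to that IP, it is not a DNS problem.
"""
import json
import socket
import ssl
import sys

SKIPPED = {"ok": False, "error": "skipped: earlier stage failed"}


def resolve(host):
    """Stage 1: what the client's resolver returns (what dig/nslookup show)."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"ok": False, "error": str(exc), "addrs": []}
    # Deduplicate but keep resolver order; a name may return several A/AAAA records.
    return {"ok": True, "addrs": list(dict.fromkeys(info[4][0] for info in infos))}


def tcp_connect(addr, port=443, timeout=5.0):
    """Stage 2: plain TCP connect to the resolved address; no names involved."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return {"ok": True}
    except OSError as exc:
        return {"ok": False, "error": str(exc)}


def tls_handshake(host, addr, port=443, timeout=5.0):
    """Stage 3: TLS to the address, with the hostname as SNI and for cert checks."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": f"certificate: {exc.verify_message}"}
    except ssl.SSLError as exc:
        return {"ok": False, "error": f"handshake: {exc.reason or exc}"}
    except OSError as exc:
        return {"ok": False, "error": f"connect: {exc}"}


def classify(stages):
    """Pure decision step over the three stage results."""
    if not stages["dns"]["ok"]:
        return "dns"        # resolver gave nothing: look at Unbound/forwarders
    if not stages["tcp"]["ok"]:
        return "network"    # name resolved but the IP is unreachable: routing/firewall/host
    if not stages["tls"]["ok"]:
        return "tls"        # host reached; protocol version or certificate failed
    return "client"         # everything below the browser works; look at the browser


def diagnose(host, port=443):
    """Run the stages in order; only the first resolved address is probed."""
    stages = {"dns": resolve(host), "tcp": dict(SKIPPED), "tls": dict(SKIPPED)}
    if stages["dns"]["ok"]:
        addr = stages["dns"]["addrs"][0]
        stages["tcp"] = tcp_connect(addr, port)
        if stages["tcp"]["ok"]:
            stages["tls"] = tls_handshake(host, addr, port)
    return classify(stages), stages


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    verdict, result = diagnose(target)
    print(json.dumps(result, indent=2))
    print("verdict:", verdict)
```

Run it as `python3 check.py example.com` from the same client the browser runs on; a verdict of `client` is the thread's situation, where every layer below the browser is fine and the browser itself is what needs inspecting.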
          claferriere

          OK thanks for the info, I did that and found the issue. It's a browser issue, more specifically a Firefox setting: security.tls.version.max, which was set too high I gather. Changed it to 3 and it works fine.

          Case closed, thanks for your help in seeing this a little more clearly.

          regards,

          Chris

            johnpoz LAYER 8 Global Moderator

            @claferriere said in DNS resolution issue:

            security.tls.version.max

            So your site is not even using TLS 1.2 - yeah maybe it's a good idea your browser was complaining. Anything below 1.2 is no longer considered secure.

            What is the site showing?

            [image: site.png]

            I have that setting at 4, which enables 1.3 - I have not run into any sites I could not access.

              claferriere @johnpoz

              @johnpoz It was actually a Shopify site that wasn't loading. But to be honest this has happened a number of times as of late, so I guess many site operators and even cloud-based suppliers like Shopify are not updating their security.

                johnpoz LAYER 8 Global Moderator

                You mind sharing the actual site? I'd like to check in my browser. If you don't want to make it public, just PM me the URL. Just my curiosity cat meowing at me ;)

                I have not run into any sites with such an issue.

                I mostly use the latest and greatest Firefox, currently on 83 for example.

                The main Shopify site is using TLS 1.3 for example. I would assume sites under that would also be using 1.3?

                  claferriere @johnpoz

                  @johnpoz No problem, it appears to be a shopify pet products catalogue: https://boutiqueducompagnon.com

                  c.

                    johnpoz LAYER 8 Global Moderator

                    That site comes up with TLS 1.3.

                    [image: site.png]

                    So I don't think your setting had anything to do with fixing whatever issue you were having with the site.

                    Maybe the cert was expired before. With a 90-day cert age, and it being good till Feb 13, that would mean it was just recently renewed.

                    11/15/2020, 4:03:38 PM (Central Standard Time)

                    To be exact ;)

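Two points johnpoz raises in this thread, the Firefox security.tls.version.min/max values (earlier, where he notes that 4 enables TLS 1.3 and anything below 1.2 is no longer considered secure) and reading a certificate's validity window to see when it was renewed, as one added Python example. This is my code, not the thread's or Mozilla's. It pins the client to one TLS version per handshake so the server's answer is unambiguous, maps Firefox's pref integers (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3; Firefox 78 and later ship min=3, max=4) onto those versions, and computes lifetime and days left from the notBefore/notAfter fields of `getpeercert()`. `SAMPLE_CERT` is a constructed certificate matching the dates johnpoz quotes, not the site's actual certificate, and `firefox_can_connect` models only the pref table, not how Firefox itself treats out-of-range values.

```python
"""TLS version matrix and certificate validity window.

Added example, not code from the thread. Pins the client to one protocol
version per handshake so a server's answer is unambiguous, maps Firefox's
security.tls.version.{min,max} integers onto those versions, and reads the
validity window from the certificate returned by getpeercert().
"""
import datetime as dt
import socket
import ssl
import sys

UTC = dt.timezone.utc

# Firefox about:config security.tls.version.{min,max}: 1 = TLS 1.0, 2 = TLS 1.1,
# 3 = TLS 1.2, 4 = TLS 1.3. Firefox 78 and later ship min=3, max=4.
FIREFOX_TLS_PREF = {
    1: ssl.TLSVersion.TLSv1,
    2: ssl.TLSVersion.TLSv1_1,
    3: ssl.TLSVersion.TLSv1_2,
    4: ssl.TLSVersion.TLSv1_3,
}

# Constructed sample matching the timeline johnpoz describes (issued
# 2020-11-15 16:03:38 CST, 90-day lifetime). Not the site's real certificate.
SAMPLE_CERT = {
    "notBefore": "Nov 15 22:03:38 2020 GMT",
    "notAfter": "Feb 13 22:03:38 2021 GMT",
}


def probe_tls_version(host, port, version, timeout=5.0):
    """Handshake with the client pinned to exactly `version`.

    Returns (ok, detail). The detail separates three outcomes: the local
    OpenSSL build will not offer the version at all, the server rejected it,
    or the TCP connect itself failed."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError) as exc:
        return False, f"client cannot offer {version.name}: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        return False, f"server rejected {version.name}: {exc.reason or exc}"
    except OSError as exc:
        return False, f"connect failed: {exc}"


def version_matrix(host, port=443):
    """Try every version the Firefox pref table knows; name -> (ok, detail)."""
    return {v.name: probe_tls_version(host, port, v) for v in FIREFOX_TLS_PREF.values()}


def firefox_can_connect(server_versions, pref_min=3, pref_max=4):
    """Versions a Firefox with these prefs shares with the server (may be empty).

    Pref values outside 1..4 map to no protocol in the table, so a range set
    past 4 contributes nothing here; this models the table, not Firefox's
    own handling of out-of-range values (an assumption of this example)."""
    offered = {FIREFOX_TLS_PREF[p].name
               for p in range(pref_min, pref_max + 1) if p in FIREFOX_TLS_PREF}
    return sorted(offered & set(server_versions))


def cert_window(cert, when=None):
    """Validity window from a getpeercert() dict.

    `when` is an aware datetime or an ISO date/time string taken as UTC;
    default is now."""
    not_before = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), UTC)
    not_after = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), UTC)
    if when is None:
        when = dt.datetime.now(UTC)
    elif isinstance(when, str):
        when = dt.datetime.fromisoformat(when).replace(tzinfo=UTC)
    return {
        "not_before": not_before,
        "not_after": not_after,
        "lifetime_days": (not_after - not_before).days,
        "valid": not_before <= when <= not_after,
        "days_left": (not_after - when).days,   # negative once expired
    }


def fetch_cert(host, port=443, timeout=5.0):
    """Leaf certificate as the dict getpeercert() returns after a verified handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "boutiqueducompagnon.com"
    matrix = version_matrix(host)
    for name, (ok, detail) in matrix.items():
        print(f"{name:<8} {'ok' if ok else 'no'}  {detail}")
    accepted = [name for name, (ok, _) in matrix.items() if ok]
    print("usable with Firefox defaults (min=3, max=4):", firefox_can_connect(accepted))
    win = cert_window(fetch_cert(host))
    print(f"cert valid {win['not_before']:%Y-%m-%d} to {win['not_after']:%Y-%m-%d} "
          f"({win['lifetime_days']} days), {win['days_left']} days left, valid now: {win['valid']}")
```

On a current OpenSSL build the TLS 1.0 and 1.1 rows will usually fail on the client side before any packet is sent, which is the same outcome as a Firefox with min=3: the version is simply not offered. The certificate row is the check behind johnpoz's "90-day cert, good till Feb 13, so just renewed" reasoning, done from the actual dates rather than by eye.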
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.