Netgate Discussion Forum

Problem with a specific website

11 Posts 4 Posters 962 Views
  • B
    brickone
    last edited by Aug 27, 2021, 7:07 AM

    Hi,

    I have some issues reaching a specific website with pfSense 2.5.2-RELEASE (amd64) and earlier versions.

    My setup is the following:

    Internet (DSlite) <-> ISP Router <-WAN- pfSense -LAN-> LAN-Devices

    When I try to open the page https://www.deutsche-glasfaser.de I receive a 'server not found' error from all LAN devices behind the pfSense. When I connect directly to the ISP router, I can open the website, also from LTE with my phone.

    All other sites work with no problem.

    There is only one LAN firewall rule, the default "allow LAN to any" rule. Because there are 'private' IP addresses between WAN and the ISP router, I have disabled 'Block private networks and loopback addresses' and 'Block bogon networks'.

    An ICMP traceroute from pfSense reaches the destination IP address, and the DNS lookup is successful:

    Result: 185.x.x.x, Record type: A

    I can't see any log entries in WAN or LAN firewall logs.

    Any idea what's wrong here, or hints for a deeper analysis of this issue?

    Thanks in advance,

    brickone

    • J
      johnpoz LAYER 8 Global Moderator @brickone
      last edited by Aug 27, 2021, 7:33 AM

      @brickone said in Problem with a specific website:

      Result Record type
      185.x.x.x A

      Why would you hide the IP of a public website, since you give the FQDN anyway?

      Site works fine here - if you're resolving it fine. But your browser says 'server not found' - you sure your browser is using your DNS, or maybe it's using DoH - and that is failing to resolve? Or are you using a proxy?

      Out of the box pfSense doesn't log allowed traffic - so that would explain why you're not seeing anything in the firewall log. Do a simple test, sniff on the pfSense WAN - do you see traffic going to that address? 185.22.44.179, btw it has a really long TTL..

      ;; ANSWER SECTION:
      www.deutsche-glasfaser.de. 86400 IN A 185.22.44.179

      That is 24 hours.. Possible they changed IPs and you have the old IP cached.. That could explain why, when changing your connection to your ISP modem and then using a different DNS, it resolved whatever the current IP is, etc.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • B
        brickone @johnpoz
        last edited by Aug 27, 2021, 8:24 AM

        @johnpoz

        Thank you for your response. I was not sure about posting IP addresses, so I hid it. :)

        There was a misconfiguration with my DNS; changing the DNS servers to 8.8.8.8 on my phone and PC has worked.

        I've configured the ISP DNS servers in the pfSense DNS settings; after enabling DNS Query Forwarding in the DNS Resolver settings it works as expected.

        Still strange that this only affected one website. shrug

        Regards,

        brickone

        • G
          Gertjan @brickone
          last edited by Aug 27, 2021, 11:01 AM

          @brickone

          If something doesn't work after you made your own changes, I advise you to fall back on the initial 'built-in' configuration. That will work.

          There might be one reason why pfSense doesn't want to resolve "deutsche-glasfaser.de" while other DNS resolvers/forwarders do: because pfSense enforces DNSSEC, if the domain supports it.
          But "deutsche-glasfaser.de" doesn't support DNSSEC: https://dnsviz.net/d/deutsche-glasfaser.de/dnssec/

          There is no need or benefit in using ISP DNS servers, nor in handing them over to some big company.
          (you might gain some milliseconds here and there, true)

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • J
            johnpoz LAYER 8 Global Moderator @Gertjan
            last edited by johnpoz Aug 27, 2021, 12:13 PM Aug 27, 2021, 12:08 PM

            @gertjan said in Problem with a specific website:

            There might be one reason why pfSense doesn't want to resolve

            No that is not it.. It not supporting it means nothing if you're doing DNSSEC. You would fail resolving a HUGE chunk of the internet if that was the case. Where you have problems is if the DNSSEC is wrong.. or misconfigured. I do DNSSEC and have no problems resolving it.

            edit: Moving to forwarding is not a solution to your problem.. Uggh forwarding..

            Did you do a trace? You didn't do any troubleshooting at all, you just went to forwarding? Your client showed you that it resolved the address.. So DNS wasn't the issue.. Other than maybe a cache problem with the long TTL? We will never know because you didn't actually troubleshoot anything. But switching to forwarding would have flushed the cache.

            • B
              brickone
              last edited by brickone Aug 29, 2021, 10:04 AM Aug 29, 2021, 10:03 AM

              Hi,

              I did a trace and dns lookup before, both worked.

              To clarify this, I've set the provider DNS in the pfSense WAN settings, not in the PC/phone settings.

              Regards,

              brickone

              • B
                bingo600 @johnpoz
                last edited by bingo600 Aug 29, 2021, 3:46 PM Aug 29, 2021, 3:27 PM

                @johnpoz said in Problem with a specific website:
                do you see traffic going to that address? 185.22.44.179, btw it has a really long TTL..

                ;; ANSWER SECTION:
                www.deutsche-glasfaser.de. 86400 IN A 185.22.44.179

                That is 24 hours.. Possible they changed IPs and you have the old IP cached.. That could explain why, when changing your connection to your ISP modem and then using a different DNS, it resolved whatever the current IP is, etc.

                Wonder if they read @johnpoz's message about a 24 hr TTL 😊
                Read next post 😧

                I now get:

                ;; QUESTION SECTION:
                ;www.deutsche-glasfaser.de. IN A

                ;; ANSWER SECTION:
                www.deutsche-glasfaser.de. 7003 IN A 185.22.44.179

                Btw: I have no issue connecting to the site

                /Bingo

                If you find my answer useful - Please give the post a 👍 - "thumbs up"

                pfSense+ 23.05.1 (ZFS)

                QOTOM-Q355G4 Quad Lan.
                CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                • B
                  brickone
                  last edited by Aug 29, 2021, 3:39 PM

                  Hi,

                  Unfortunately, I had a hard disk failure today, so I have to reinstall pfSense. This reminds me to activate the auto backup when the configuration is done… 😊

                  Thanks @all for answering.

                  Regards,

                  brickone

                  • B
                    bingo600 @bingo600
                    last edited by Aug 29, 2021, 3:44 PM

                    @bingo600

                    Hmm
                    Seems like my Linux laptop has somehow gotten a cached answer from pfSense Unbound (which forwards to my two BIND9 machines).

                    dig from my Linux Mint workstation (the TTL counts down):

                    ;www.deutsche-glasfaser.de.	IN	A
                    
                    ;; ANSWER SECTION:
                    www.deutsche-glasfaser.de. 6175	IN	A	185.22.44.179
                    

                    dig from my main DNS BIND9 machine (pfSense forwards to this one):

                    ;www.deutsche-glasfaser.de.	IN	A
                    
                    ;; ANSWER SECTION:
                    www.deutsche-glasfaser.de. 86400 IN	A	185.22.44.179
                    

                    dig from my backup DNS BIND9 machine (pfSense forwards to this one):

                    ;www.deutsche-glasfaser.de.	IN	A
                    
                    ;; ANSWER SECTION:
                    www.deutsche-glasfaser.de. 85192 IN	A	185.22.44.179
                    

                    From this I guess the backup machine resolved the pfSense Unbound query, as my main DNS showed the full 24 hrs.

                    Never thought about that 🤕
                    Always fun to get smarter on "your own setup" .....

                    /Bingo

                    • G
                      Gertjan @bingo600
                      last edited by Aug 30, 2021, 6:22 AM

                      @bingo600 said in Problem with a specific website:

                      From this I guess the backup machine resolved the pfSense Unbound query, as my main DNS showed the full 24 hrs.

                      Yep.
                      If the DNS server you forwarded to didn't have "the solution" for you, it will resolve it, and thus receive the DNS info with the initial full 'TTL', which is:

                      dig @dnsauth001.dg-w.de deutsche-glasfaser.de
                      ....
                      www.deutsche-glasfaser.de.  86400   IN      A       185.22.44.179
                      ....
                      

                      If it had the solution for you in cache, it will give that info right back without any further actions. The TTL will be lower of course, and when it reaches zero, the info will be removed from the cache.
                      That is, if you didn't use (check) this:

                      [image: 71816939-8937-4928-a1ab-020f6d91e857-image.png]

                      I guess bind has the same sort of option.

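To make the TTL arithmetic in this exchange concrete, here is a small Python script (an added example, not code from the thread, pfSense or Unbound) that parses dig ANSWER lines like the ones posted above and reports, for each resolver, whether it fetched the record itself (full authoritative TTL) or served it from cache, and how long ago. It assumes the authoritative TTL of 86400 s quoted above; the three sample lines are the ones from the thread, embedded as constructed input.

```python
import re

# Authoritative TTL for the record, as quoted in the thread from dnsauth001.dg-w.de.
AUTHORITATIVE_TTL = 86400

# Constructed sample: the three dig ANSWER lines posted above, keyed by where dig was run.
SAMPLE_ANSWERS = {
    "mint-workstation": "www.deutsche-glasfaser.de. 6175\tIN\tA\t185.22.44.179",
    "bind9-main":       "www.deutsche-glasfaser.de. 86400 IN\tA\t185.22.44.179",
    "bind9-backup":     "www.deutsche-glasfaser.de. 85192 IN\tA\t185.22.44.179",
}

# dig prints "<owner> <ttl> <class> <type> <rdata>", separated by spaces and/or tabs.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S+)$")


def parse_answer(line: str) -> dict:
    """Parse one dig ANSWER SECTION line into name, ttl (int), rtype and rdata."""
    m = RR_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a dig answer line: {line!r}")
    rec = m.groupdict()
    rec["ttl"] = int(rec["ttl"])
    return rec


def cache_age(rec: dict, authoritative_ttl: int = AUTHORITATIVE_TTL) -> int:
    """Seconds the record has sat in a cache: caches hand out the remaining TTL,
    so the observed value counts down from the authoritative one."""
    if rec["ttl"] > authoritative_ttl:
        # Larger than the zone's TTL means the upstream rewrote the record
        # (e.g. a minimum-TTL setting); the age cannot be trusted then.
        raise ValueError(f"observed TTL {rec['ttl']} exceeds authoritative {authoritative_ttl}")
    return authoritative_ttl - rec["ttl"]


def classify(line: str, authoritative_ttl: int = AUTHORITATIVE_TTL) -> str:
    """'fresh' if the resolver fetched the record itself just now, else 'cached <age>s'."""
    age = cache_age(parse_answer(line), authoritative_ttl)
    return "fresh" if age == 0 else f"cached {age}s"


def report(samples: dict) -> dict:
    """Classify each dig answer; the 'fresh' one is the upstream that did the real lookup."""
    return {host: classify(line) for host, line in samples.items()}


if __name__ == "__main__":
    for host, verdict in report(SAMPLE_ANSWERS).items():
        print(f"{host:18} {verdict}")
```

Run against the three posted answers it marks the main BIND9 box as fresh and the backup as cached about 20 minutes earlier, which is the inference made in the post above.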
                      • B
                        brickone
                        last edited by Aug 30, 2021, 10:12 AM

                        Hi,

                        I have now reinstalled pfSense on a new hard disk, and now DNS works without forwarding.

                        Thank you all,

                        brickone
