Unbound Not Resolving One Website
-
@cnliberal said in Unbound Not Resolving One Website:
the first IP hit is 10.1.110.1. I'm not sure what that is, as my network is a 10.0.0.0/20:
Well, either you're mistaken about what your network is.. Or you're going out a VPN? You're doing that from pfSense.. So that first hop would be your ISP device IP.. Which could be anything.. What is the IP of the pfSense WAN?
Is the /20 your LAN network? When you traceroute from pfSense, the first hop would be its gateway..
Edit: keep in mind that a device along the trace doesn't always have to answer with the IP you would expect.. See here
That first 50.x.x.x hop is not my gateway, and see that 2nd hop, a freaking 10 address.. That clearly is not "correct" ;) But it's inside the ISP network - so it could be..
My gateway is in the 64.x address
-
@johnpoz BOOM. That was the answer. VPN! I have a VPN running and the IP I'm receiving is a 10.1.110.0 IP. I'm assuming that Unbound was using that VPN connection for some reason?? That sounds like something I'd do. I'll go down that path and let you know.
-
@cnliberal if you're using a VPN - it's quite possible said site blocks known VPN IPs.. Ransomware loves to target medical sites, etc. So yeah, I could see them blocking all known VPN or bad-rep IPs, etc. etc.
-
@johnpoz That's exactly what I think. However, I'm not sure why DNS is going over that particular VPN. I'm not seeing explicit rules that reference that VPN Tunnel.
-
@cnliberal said in Unbound Not Resolving One Website:
I'm not seeing explicit rules that reference that VPN Tunnel.
You pull routes from the VPN, it becomes default.. If you pull routes from multiple VPNs, the last one that connected would be set as default..
Not just DNS - from your traceroute you could see which default route you took.
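The diagnosis johnpoz describes (look at the default route and at the first traceroute hop to see where un-policy-routed traffic, Unbound's queries included, is leaving) can be scripted. The following is an added example, not code from the thread or from pfSense; the `netstat -rn` and `traceroute -n` outputs are constructed samples, and the WAN gateway 203.0.113.1, the LAN 10.0.0.0/20 and the OpenVPN client interface name `ovpnc1` are assumptions for the sake of the example.

```python
"""Find the default route on a FreeBSD/pfSense box and compare it with the first
traceroute hop, to tell whether a VPN client that pulled routes has become the
default gateway. Added example; all sample output below is constructed."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed `netstat -rn` output after an OpenVPN client pulled routes:
# the tunnel interface ovpnc1 now carries the default route.
NETSTAT_VPN_DEFAULT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.1.110.1         UGS      ovpnc1
10.0.0.0/20        link#1             U          igb1
10.1.110.0/24      link#5             U        ovpnc1
203.0.113.0/24     link#0             U          igb0
203.0.113.1        00:00:00:00:00:01  UHS        igb0
"""

# Constructed `netstat -rn` output after ticking "Don't pull routes": the WAN
# gateway is the default again and the tunnel only carries policy-routed traffic.
NETSTAT_WAN_DEFAULT = NETSTAT_VPN_DEFAULT.replace(
    "default            10.1.110.1         UGS      ovpnc1",
    "default            203.0.113.1        UGS        igb0")

# Constructed `traceroute -n` runs from the pfSense shell in both states.
TRACE_VIA_VPN = """\
traceroute to 198.51.100.80 (198.51.100.80), 64 hops max, 40 byte packets
 1  10.1.110.1  12.345 ms  11.876 ms  12.010 ms
 2  198.51.100.9  13.002 ms  12.990 ms  13.111 ms
"""
TRACE_VIA_WAN = TRACE_VIA_VPN.replace(" 1  10.1.110.1 ", " 1  203.0.113.1 ")

WAN_GATEWAY = "203.0.113.1"          # assumption: the ISP gateway on igb0
VPN_IFACE_PREFIXES = ("ovpnc",)      # pfSense names OpenVPN client interfaces ovpncN


def default_route(netstat_output: str) -> Optional[Tuple[str, str]]:
    """Return (gateway, interface) from the 'default' line of `netstat -rn`."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "default":
            return fields[1], fields[3]
    return None


def first_hop(traceroute_output: str) -> Optional[str]:
    """Return the address of hop 1 from `traceroute -n`, or None if it did not reply."""
    hop_re = re.compile(r"^\s*1\s+(\S+)")
    for line in traceroute_output.splitlines():
        m = hop_re.match(line)
        if m:
            try:
                return str(ipaddress.ip_address(m.group(1)))
            except ValueError:   # '*' means the hop timed out
                return None
    return None


def diagnose(netstat_output: str, traceroute_output: str,
             wan_gateway: str = WAN_GATEWAY) -> List[str]:
    """Explain which path outbound traffic (and so Unbound's own queries) takes."""
    findings = []
    route = default_route(netstat_output)
    if route is None:
        return ["no default route found"]
    gw, iface = route
    if iface.startswith(VPN_IFACE_PREFIXES):
        findings.append(f"default route is via VPN interface {iface} ({gw}): "
                        "anything not policy-routed, Unbound included, exits the tunnel")
    elif gw != wan_gateway:
        findings.append(f"default gateway {gw} on {iface} is not the WAN gateway {wan_gateway}")
    hop = first_hop(traceroute_output)
    if hop is not None and hop != wan_gateway and ipaddress.ip_address(hop).is_private:
        findings.append(f"first traceroute hop {hop} is a private address, "
                        "consistent with a tunnel rather than the ISP gateway")
    return findings


if __name__ == "__main__":
    for label, rn, tr in (("routes pulled", NETSTAT_VPN_DEFAULT, TRACE_VIA_VPN),
                          ("don't pull routes", NETSTAT_WAN_DEFAULT, TRACE_VIA_WAN)):
        print(label, "->", diagnose(rn, tr) or ["default route is the WAN gateway"])
```

On a real box, feed the script the output of `netstat -rn` and `traceroute -n <host>` from the pfSense shell; a first hop inside RFC 1918 space that is not your own gateway is the tell-tale the thread was chasing.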
-
@johnpoz OK, I've checked the "Don't Pull Routes" from that VPN connection and things seem to be working correctly. I don't think this will affect any other connections I have. We shall see! Thank you VERY much for the assist!
-
@cnliberal if you're actually policy routing the stuff you want to use the VPN, like a specific VLAN or specific device IPs, you should be fine.
But be aware - depending on how tight your tinfoil hat is, your DNS is going to be leaking now ;) <rolleyes>
-
@johnpoz This is true about DNS leakage. I'm not sure of a better way to have certain internal IPs use the VPN for all traffic, including DNS resolution. I do have policy routing, in that I have certain IPs running over the VPN tunnel.
-
@cnliberal if you're worried about specific clients - best to point them to a specific DNS that policy routes through your VPN.
If my tinfoil hat was that tight - I would run a different DNS on my network where I point such clients, with a domain override to ask pfSense for local resources. That way queries from this DNS could be policy routed out a VPN. Or even run multiple name servers on your network, depending.. That either forward or resolve - either way it makes it very easy to policy route their traffic when they are actually on the network vs actually being pfSense.
If you run multiple ones you are also sure there is no cache sharing between different clients or different forwarders. With VMs and Docker it's really simple to spin up as many different copies of something that you might want to run, etc.
Spinning up, say, a Pi-hole via Docker is pretty simple - run 20 of those if you so desired on some box/NAS/Pi on your network with their own IPs, and be able to policy route whatever you want from anything, etc.
Just because pfSense runs Unbound or BIND doesn't mean it always makes sense to use that for everything - depending on your needs/wants.
-
Check the domain name with https://www.zonemaster.net/domain_check.
The next time you 'rent' a domain name, check the quality of the registrar's services.
Issues like: "ns1.carle.com" and "ns2.carle.com" are using the same AS, and are even in the same network. That's not OK.
You can correct this by adding a third one (or remove the second and replace it with another, elsewhere). Slave DNS name services can be found for free on the Internet.
Issues like :
is also something that had to be dealt with, many years ago.
Who is this registrar, the local hobby club? ;)
You're aware now that there are 13 'main root servers'. These know where to find all the top-level name servers, the ones that know all about 'com', 'org', 'net', etc.
These top-level name servers have many 'clones'.
The bottleneck is the (minimum) two domain name servers, your "ns1.carle.com" and "ns2.carle.com". These two have, of course, firewall rules to filter out 'abuse'.
And guess what, what is the third reason why people use VPNs? Right: to abuse a max.
( the third reason : just to lose some money, and the second : hiding their public WAN IP )
Which means: when you connect to your VPN and you get an IP that was 'used' for some abusive activity, the IP will get blacklisted for a while.
At that moment, you, with that VPN WAN IP, will have issues when resolving domain names that are registered with (known to) "ns1.carle.com" and "ns2.carle.com".
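The redundancy problem the post points at (both delegated name servers in one network, so one outage or one firewall block takes the whole zone offline for a client) can be checked offline once you have the NS names and their addresses. The following is an added example, not code from the thread or from Zonemaster; the name servers and addresses are constructed (documentation ranges), and it approximates "same network" by shared /24 (IPv4) or /48 (IPv6) prefix, since the same-AS check Zonemaster does needs live routing data.

```python
"""Flag a zone whose delegated name servers lack network diversity.
Added example; the NS name -> address data below is constructed and stands in for
the result of `dig NS example.com` followed by A/AAAA lookups of each server."""
import ipaddress
from typing import Dict, List

# Constructed: two name servers side by side in one /24, the situation the post describes.
SAME_NETWORK = {
    "ns1.example.com": ["192.0.2.10"],
    "ns2.example.com": ["192.0.2.11"],
}

# Constructed: the same zone after adding a third, secondary server hosted elsewhere.
DIVERSE = {
    "ns1.example.com": ["192.0.2.10"],
    "ns2.example.com": ["192.0.2.11"],
    "ns3.example.net": ["198.51.100.53", "2001:db8:abcd::53"],
}


def prefix_of(addr: str) -> str:
    """Collapse an address to the /24 (IPv4) or /48 (IPv6) it lives in."""
    ip = ipaddress.ip_address(addr)
    length = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))


def check_nameservers(ns_addrs: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems with the delegation; empty means nothing to complain about."""
    problems = []
    if len(ns_addrs) < 2:
        problems.append("fewer than two name servers delegated")
    prefixes: Dict[str, set] = {}
    for ns, addrs in ns_addrs.items():
        if not addrs:
            problems.append(f"{ns} has no address record, so it can never answer")
        for a in addrs:
            prefixes.setdefault(prefix_of(a), set()).add(ns)
    v4_prefixes = [p for p in prefixes if ipaddress.ip_network(p).version == 4]
    if len(ns_addrs) >= 2 and len(v4_prefixes) == 1:
        problems.append(f"all name servers share the IPv4 prefix {v4_prefixes[0]}: "
                        "one outage or one firewall block takes the zone offline")
    return problems


if __name__ == "__main__":
    for label, data in (("same network", SAME_NETWORK), ("diverse", DIVERSE)):
        print(label, "->", check_nameservers(data) or ["ok"])
```

A zone that passes this check can still have both servers in one AS or behind one firewall policy, which is why the post sends you to Zonemaster for the full picture; the script only catches the coarsest case.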