Netgate Discussion Forum

Problem with DNS

Off-Topic & Non-Support Discussion
11 Posts 5 Posters 2.1k Views
  • B
    blaz23
    last edited by Oct 4, 2021, 9:04 PM

    Hi to all,

    I have a really weird issue. I cannot open one website (harveynorman.si). I'm using pfSense as DNS resolver, and pfBlocker also. When I'm trying to access a website that is blocked by pfBlocker I get a message that the site is blocked, and this is fine. But when I'm trying to access just that one specific site I get the error ERR_CONNECTION_TIMED_OUT. I tried a DNS lookup on pfSense and got the right IP, it is 91.233.163.118; nslookup from cmd on a Windows host also resolves the website to the right IP.
    If I try to reach that site over cellular on my Android phone everything works fine. But on LAN I cannot access it no matter what.
    Any help would be great.
    Attachments: traceroute.PNG, ping.PNG, pfsense dns lookup.PNG, cmd.PNG

    B G 2 Replies Last reply Oct 5, 2021, 5:37 AM Reply Quote 0
    • B
      bingo600 @blaz23
      last edited by Oct 5, 2021, 5:37 AM

      @blaz23

      1: You can resolve the DNS name.
      2: You seem to be able to traceroute to the IP.

      The basic prerequisites for accessing that website are in order.

      I don't use pfBlocker ... But have you tried to stop that one, and redo the test?

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

      1 Reply Last reply Reply Quote 0
      • G
        Gertjan @blaz23
        last edited by Oct 5, 2021, 8:10 AM

        @blaz23 said in Problem with DNS:

        I have really weird issue.

        It's called 'round robin' or 'roulette russe'.

        For some reason you gave pfSense a choice.
        Use 127.0.0.1 to resolve DNS - and that will be Unbound - and while using unbound, pfBlockerNG also parses the output, and handles upon it.
        Use 193.189.160.13 - who ever that might be.
        Use 95.176.233.13 - - who ever that might be.

        I don't know how pfSense decides what DNS to use; probably 'the next one' after every request (round robin) or 'random': the 'roulette russe' game.

        I guess you understand that the last two don't use pfBlockerNG. So, when a DNS request is sent to one of these, nothing gets blocked.

        Why did you enter / use 193.189.160.13 and/or 95.176.233.13? Consider these as remote resolvers.
        Supplying (ISP) external DNS servers is something of the past. pfSense has its own built-in resolver.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        J B 2 Replies Last reply Oct 5, 2021, 10:32 AM Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator @Gertjan
          last edited by johnpoz Oct 5, 2021, 10:33 AM Oct 5, 2021, 10:32 AM

          There is also something else going on: his 10.10.33.1, which I assume is pfSense, should resolve to the pfSense name vs unknown.

          Example: my pfSense running Unbound on 192.168.9.253 for DNS resolves its own name.

          > harveynorman.si
          Server:  sg4860.local.lan
          Address:  192.168.9.253
          
          Non-authoritative answer:
          Name:    harveynorman.si
          Address:  91.233.163.118
          

          is 10.10.33.1 not pfsense?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          B 1 Reply Last reply Oct 6, 2021, 5:06 AM Reply Quote 1
          • B
            blaz23 @Gertjan
            last edited by Oct 6, 2021, 5:03 AM

            @gertjan thank you for your reply. I enabled override DNS over PPP, that's why there are 3 different DNS servers. But also with that config I'm unable to open harveynorman.si website. Now I disabled the other 2 servers but still, this site is unreachable.

            Do you have any suggestions maybe?

            G 1 Reply Last reply Oct 6, 2021, 7:17 AM Reply Quote 0
            • B
              blaz23 @johnpoz
              last edited by Oct 6, 2021, 5:06 AM

              @johnpoz you're correct, 10.10.33.1 is the VIP of pfBlockerNG. I can ping that IP and it is reachable from my LAN. Today I will turn off pfBlocker to see if that is the cause. But it's a really weird thing, because only that one website is unreachable.

              J 1 Reply Last reply Oct 6, 2021, 5:14 AM Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator @blaz23
                last edited by Oct 6, 2021, 5:14 AM

                @blaz23 said in Problem with DNS:

                10.10.33.1 is VIP of pfblockerN

                That is not the address you should be using for DNS - that is the IP used to point you to a block page..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                1 Reply Last reply Reply Quote 1
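The two misconfigurations the thread turns up (a client whose DNS server is the pfBlockerNG block-page VIP rather than the resolver, and several upstream resolvers that answer differently so filtering only applies some of the time) can be checked from a LAN host with a small stdlib-only script. This is an added example, not code from the thread or from pfSense/pfBlockerNG; it assumes the VIP 10.10.33.1 from the thread, that the resolvers answer plain UDP/53, and that `assess()` is fed the A answers each configured resolver returned.

```python
import socket
import struct

BLOCK_VIP = "10.10.33.1"  # pfBlockerNG block-page VIP named in the thread

def build_a_query(name, txid=0x1234):
    """Minimal DNS A/IN query for `name` with RD set (no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(resp, pos):
    """Advance past a domain name, which may end in a compression pointer."""
    while resp[pos] != 0 and resp[pos] & 0xC0 != 0xC0:
        pos += resp[pos] + 1
    return pos + (2 if resp[pos] & 0xC0 == 0xC0 else 1)

def parse_a_answers(resp):
    """Return the A-record addresses in the answer section of a reply."""
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen  # skips CNAME/other RDATA as well as the A just read
    return ips

def query_a(name, server, timeout=2.0):
    """Ask `server` over UDP/53; run this once per configured resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        return parse_a_answers(s.recv(512))

def assess(client_dns, answers_by_server):
    """Flag the two misconfigurations the thread uncovered."""
    findings = []
    if client_dns == BLOCK_VIP:
        findings.append("client DNS server is the block-page VIP, not the resolver")
    if len({tuple(sorted(a)) for a in answers_by_server.values()}) > 1:
        findings.append("resolvers disagree, so filtering applies only sometimes")
    findings += [f"{s} answers with the block-page VIP"
                 for s, a in answers_by_server.items() if BLOCK_VIP in a]
    return findings
```

A live run would be `assess(client_dns, {r: query_a("harveynorman.si", r) for r in resolvers})` with `client_dns` and `resolvers` taken from the host's network settings; an empty list means the client points at the real resolver and all resolvers agree.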
                • G
                  Gertjan @blaz23
                  last edited by Oct 6, 2021, 7:17 AM

                  @blaz23 said in Problem with DNS:

                  I enabled override DNS over PPP

                  And is there a reason for this?
                  It shortcuts the local DNS Resolver, and stops pfBlockerNG from doing its work.
                  You don't need the DNSs of your ISP, nor 8.8.8.8 or 1.1.1.1 or whoever.

                  True, an ISP can offer DNS for its clients - "stupid" ISP boxes use them so they can implement a very simple forwarder like dnsmasq.
                  pfSense contains a real resolver.

                  Still, my resolver, using default settings, can resolve harveynorman.si just fine.

                  Btw : harveynorman.si is using TLS 1.0 and 1.1 : These should be removed.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  J 1 Reply Last reply Oct 6, 2021, 12:23 PM Reply Quote 1
                  • J
                    johnpoz LAYER 8 Global Moderator @Gertjan
                    last edited by johnpoz Oct 6, 2021, 12:24 PM Oct 6, 2021, 12:23 PM

                    @gertjan said in Problem with DNS:

                    harveynorman.si is using TLS 1.0 and 1.1

                    Yeah, I checked as well when you mentioned it.. But also 1.2, so the browser should connect via 1.2.. But what could maybe be causing you an issue? Depending on what browser you're using??

                    "This site works only in browsers with SNI support" is listed from the ssl test site.. Not all browsers do that.

                    The site loads here, it resolves without issue.. So either you have something blocking it, or a browser issue? You show it resolving to the IP that it is using.. If pfBlocker was blocking it - you wouldn't get back the IP, etc.

                    Unless you were using some other firewall rules with pfBlocker that use IPs to block from some list?

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    1 Reply Last reply Reply Quote 1
                    • B
                      blaz23
                      last edited by Oct 13, 2021, 4:18 AM

                      Hi guys,

                      sorry for my late reply. You found the issue: as you guys mentioned, the IP (10.10.33.1) of the DNS was wrong. I don't know how this happened, but now everything is working perfectly. Thank you all. You're the best.

                      1 Reply Last reply Reply Quote 0
                      • Y
                        yangkuki
                        last edited by Nov 25, 2021, 4:34 AM

                        Very detailed instructions! Thank you!

                        1 Reply Last reply Reply Quote 0
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.