pfsense blocking certain/some sites
-
So it's still intermittently failing to resolve?
Does it resolve reliably in Diag > DNS Lookup?
What error do you see when it does resolve?
Steve
-
@stephenw10
I have no issues w. those sites ...
See
https://forum.netgate.com/post/1064413
-
Yup, works fine for me too.
So this looks like either something in your config or in your route.
It's probably not a firewall rule issue though so it would be better to continue here IMO.
You need to try to determine exactly what is failing.
Steve
-
@stephenw10 I'm kind of a noob here. Also, it's a fresh install, just upgraded to Plus from CE (the sites aren't working in both), but in OPNsense (fresh install) it works. I don't know what the problem is, please help guys. Though clinging to OPNsense isn't any issue, OPNsense doesn't have alias bandwidth limiting.
-
@stephenw10 said in pfsense blocking certain/some sites:
So it's still intermittently failing to resolve?
Does it resolve reliably in Diag > DNS Lookup?
What error do you see when it does resolve but still fails to open?
Same questions. ^
-
-
@gurveer
What happens if you go directly to the website via the IP address? https://117.239.179.10/
You might have to accept (make an exception for) the certificate, as the cert will only match the below marked domains.
After allowing an exception for the website I see this
What do you see???
Edit:
And just to recap.
Do you still have DNS issues? Or does a
nslookup portal.bsnl.in
return the IP address: 117.255.216.68
Edit2:
Did we ever see OP's Unbound config screenshots and the System --> General Setup "DNS section" setup screenshots??
/Bingo
-
-
-
Mmm, this still feels like a DNS problem until we can prove conclusively it's not!
-
@bingo600 Like you said, it opened after using the IP https://117.239.179.10/ instead of portal2.bsnl.in. Now what to do?
-
@stephenw10 It resolves in Diag > DNS Lookup but isn't opening in the browser when using portal2.bsnl.in, and this is the error I get in the browser: "This site can't be reached. portal.bsnl.in's DNS address could not be found. Diagnosing the problem.
DNS_PROBE_POSSIBLE"
-
@bingo600 Where do I find the Unbound configuration? The screenshot of the DNS setup is here!
-
@gurveer
This is the DNS server used by pfSense itself. The DNS Resolver queries the root DNS servers by default. But you can set it to forwarding mode, so that it forwards queries to the DNS servers stated in General Setup.
To enable forwarding mode go to Services > DNS Resolver and check "DNS Query Forwarding". Ensure that your browser uses pfSense for DNS resolution, not some DoH servers.
-
@gurveer said in pfsense blocking certain/some sites:
its resolves in diag>dns lookup
What is the actual result of that test? All configured DNS servers respond? In a timely manner?
If pfSense can resolve that (on all its configured servers) and your client cannot, then the only conclusion is that your client is not using pfSense for DNS.
Steve
-
@viragomann Thanks, it worked (though I disabled the DNS Resolver). BTW, what does this DNS forwarding mean?
-
@stephenw10 @bingo600 @rcoleman-netgate @viragomann Thanks a lot, you guys, for helping and bearing with me so long.
-
@gurveer
I tried to explain it above in a few words.
By default the DNS Resolver uses the root DNS servers (https://www.iana.org/domains/root/servers) to resolve DNS requests. However, in forwarding mode it sends requests to the servers you've stated in General Setup, to 1.1.1.1 in your case.
There should be a reason for the root servers not working. Maybe restrictions in your country, I don't know.
-
In the screenshot above, this is clearly in error:
linux:~$ host 1.1.1.1
1.1.1.1.in-addr.arpa domain name pointer one.one.one.one.
linux:~$ host cloudflare-dns.com
Host cloudflare-dns.com not found: 3(NXDOMAIN)
And as suggested:
Disable forwarding and remote DNS servers, and let pfSense resolve directly.
-
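The forwarding-mode explanation a few posts up and the NXDOMAIN in the host output above both come down to one question: what does a given resolver actually answer when asked for the name? The script below is an added example for this thread, not code from pfSense, Unbound or any poster. It builds a raw DNS query with only the Python standard library, sends it straight to a chosen server on UDP/53, and decodes the response code (NOERROR, NXDOMAIN, SERVFAIL, ...) and any A records, so the same name can be checked against the pfSense resolver and against the 1.1.1.1 forwarder from the thread and the answers compared side by side. The LAN address 192.168.1.1 is an assumed placeholder for the pfSense box; portal.bsnl.in and 1.1.1.1 are the values from the thread.

```python
"""Minimal DNS wire-format client for checking which resolver answers what.

Added example for the pfSense thread; standard library only. Hypothetical
values: 192.168.1.1 stands in for the pfSense LAN address.
"""
import random
import socket
import struct
import sys

# RCODE values from RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Build a recursive query (RD=1) for `name`; qtype 1 = A. Returns (txid, packet)."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags=RD, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def read_name(data, offset):
    """Decode a possibly compressed name at `offset`; returns (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(data, expected_txid=None):
    """Return {'rcode': name, 'answers': [A-record IPs]} for a DNS response packet."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:  # A record
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": RCODES.get(rcode, str(rcode)), "answers": answers}


def resolve(name, server, timeout=3.0):
    """Query `server` directly over UDP/53 for the A records of `name`."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    hostname = sys.argv[1] if len(sys.argv) > 1 else "portal.bsnl.in"
    # Assumed pfSense LAN address, plus the forwarder named in the thread.
    for label, server in (("pfSense (assumed LAN address)", "192.168.1.1"), ("upstream", "1.1.1.1")):
        try:
            print(f"{label} {server}: {resolve(hostname, server)}")
        except (OSError, ValueError) as exc:
            print(f"{label} {server}: failed: {exc}")
```

Run it from a LAN client as `python3 dnscheck.py portal2.bsnl.in`. If the pfSense entry returns NOERROR with an address while the browser still reports DNS_PROBE_POSSIBLE, the client is not sending its queries to pfSense (DoH in the browser, a different DNS server from DHCP). If pfSense returns SERVFAIL while 1.1.1.1 answers, the resolver itself cannot reach the roots or its DoT upstream, which is the symptom the cloudflare-dns.com NXDOMAIN above would produce.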
@gurveer said in pfsense blocking certain/some sites:
it worked (tho disabled dns resolver )
You mean you disabled the resolver (Unbound) and enabled the forwarder (DNSMasq)?
If so that shouldn't be required and probably indicates some underlying issue.
Steve
-
@bingo600 said in pfsense blocking certain/some sites:
On the screenshot above this is clearly in error
Ah, well spotted. Yes, if DoT is enabled that would be an issue. Though I would expect it to break everything, not just that site.
-
@bingo600 Removed the cloudflare-dns.com but nothing happened, site still not working (enabled DNS Resolver, disabled forwarder).
-
@gurveer
Remove the 1.1.1.1 too.
@stephenw10
1: I'd expect the "bad domain" to affect all DoT lookups.
2:
As I read it, with the current selection, the local (127.0.0.1) should take precedence, and just use the 1.1.1.1 stuff if the local fails to resolve, correct?
Since pfSense should be able to resolve, the 1.1.1.1 stuff should not be used at all.
@Gurveer
The DNS Resolver is also called "Unbound" ... the program name.
The settings are here: Services --> DNS Resolver
What does your config look like there??
All of it?