Netgate Discussion Forum

    pfsense blocking certain/some sites

General pfSense Questions - 74 Posts, 7 Posters, 16.7k Views
• stephenw10 (Netgate Administrator)

  @stephenw10 said in pfsense blocking certain/some sites:

  So it's still intermittently failing to resolve?
  Does it resolve reliably in Diag > DNS Lookup?
  What error do you see when it does resolve but still fails to open?

  Same questions. ^ 😉
• bingo600 @Gurveer

  @gurveer
  What happens if you go directly to the website via the IP address?

  https://117.239.179.10/

  You might have to accept (make an exception) on the certificate, as the cert will only match the below marked domains.

  [screenshot]

  After allowing an exception for the website I see this

  [screenshot]

  What do you see???

  Edit:
  And just to recap.
  Do you still have DNS issues?

  Or does a

  nslookup portal.bsnl.in

  Return the IP address: 117.255.216.68

  Edit2:
  Did we ever see OP's Unbound config screenshots and the System --> General Setup "DNS section" setup screenshots??

  /Bingo

  If you find my answer useful - Please give the post a 👍 - "thumbs up"

  pfSense+ 23.05.1 (ZFS)

  QOTOM-Q355G4 Quad Lan.
  CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
  LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD
• stephenw10 (Netgate Administrator)

  Mmm, this still feels like a DNS problem until we can prove conclusively it's not!
• Gurveer @bingo600

  @bingo600 like you said it opened after using the IP https://117.239.179.10/ instead of portal2.bsnl.in. Now what to do?
• Gurveer @stephenw10

  @stephenw10 it resolves in Diag > DNS Lookup but ain't opening in the browser when using portal2.bsnl.in, and this is the error I get in the browser: "This site can’t be reached portal.bsnl.in’s DNS address could not be found. Diagnosing the problem.
  DNS_PROBE_POSSIBLE"
• Gurveer @bingo600

  @bingo600 where to find Unbound configurations? And the screenshot of the DNS setup is here! [screenshot]
• viragomann @Gurveer

  @gurveer
  This is the DNS server used by pfSense itself.

  The DNS Resolver requests the root DNS servers by default. But you can set it into forwarding mode, so that it forwards queries to the DNS server stated in General Setup.
  To enable forwarding mode go to Services > DNS Resolver and check "DNS Query Forwarding".

  Ensure that your browser uses pfSense for DNS resolution, not some DoH servers.
• stephenw10 (Netgate Administrator) @Gurveer

  @gurveer said in pfsense blocking certain/some sites:

  its resolves in diag>dns lookup

  What is the actual result of that test? Do all configured DNS servers respond? In a timely manner?

  If pfSense can resolve that (on all its configured servers) and your client cannot, then the only conclusion is that your client is not using pfSense for DNS.

  Steve
• Gurveer @viragomann

  @viragomann thanks, it worked (tho disabled dns resolver). btw what does this dns forwarding mean?
• Gurveer @stephenw10

  @stephenw10 @bingo600 @rcoleman-netgate @viragomann thanks a lot you guys for helping and bearing with me so long 😁
• viragomann @Gurveer

  @gurveer
  I tried to explain it above in a few words.
  By default the DNS Resolver uses the root DNS servers (https://www.iana.org/domains/root/servers) to resolve DNS requests.

  However, in forwarding mode it sends requests to the servers you've stated in General Setup, to 1.1.1.1 in your case.

  There should be a reason for the root servers not working. Maybe restrictions in your country, I don't know.
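The two points the thread keeps returning to (stephenw10's "is the client even using pfSense?" and viragomann's resolver-vs-forwarding explanation above) can be checked from a client PC with the following, which is an added example and not code from the thread or from pfSense. It is a stdlib-only DNS client that sends the same A query straight to pfSense and straight to the upstream, then reports the rcode and addresses each one returns; 192.168.1.1 is an assumed placeholder for the pfSense LAN address, and 117.255.216.68 is the address bingo600 quoted earlier.

```python
import random
import socket
import struct

def build_query(name, qtype=1):
    """Encode a recursive (RD=1) IN query for name; returns (txid, wire bytes)."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)

def _skip_name(msg, off):
    """Step over a (possibly compressed) domain name; return the next offset."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:   # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)   # pointer is 2 bytes, root label 1

def parse_response(msg, txid):
    """Return the rcode and every A record in the answer section."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (unexpected or spoofed reply)")
    off = 12
    for _ in range(qd):                      # skip question: name + type + class
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "addresses": addrs}

def resolve_via(name, server, timeout=3.0):
    """Query server over plain UDP/53 and parse what comes back."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)

if __name__ == "__main__":   # 192.168.1.1 = placeholder pfSense LAN address, 1.1.1.1 = thread's upstream
    for server in ("192.168.1.1", "1.1.1.1"):
        print(server, resolve_via("portal.bsnl.in", server))
```

If pfSense returns the address (rcode 0) while the browser still reports DNS_PROBE_POSSIBLE, the browser is not asking pfSense; an rcode of 3 (NXDOMAIN) from one server and an answer from the other shows which path is failing.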
• bingo600 @Gurveer

  @gurveer

  On the screenshot above this is clearly in error

  [screenshot]

  linux:~$ host 1.1.1.1
  1.1.1.1.in-addr.arpa domain name pointer one.one.one.one.

  linux:~$ host cloudflare-dns.com
  Host cloudflare-dns.com not found: 3(NXDOMAIN)

  And as suggested
  Disable forwarding, Remote DNS servers and let pfSense resolve directly.
• stephenw10 (Netgate Administrator) @Gurveer

  @gurveer said in pfsense blocking certain/some sites:

  it worked (tho disabled dns resolver )

  You mean you disabled the resolver (Unbound) and enabled the forwarder (DNSMasq)?

  If so that shouldn't be required and probably indicates some underlying issue.

  Steve
• stephenw10 (Netgate Administrator) @bingo600

  @bingo600 said in pfsense blocking certain/some sites:

  On the screenshot above this is clearly in error

  Ah, well spotted. Yes, if DoT is enabled that would be an issue. Though I would expect it to break everything, not just that site.
• Gurveer @bingo600

  @bingo600 removed the cloudflare-dns.com but nothing happened, site still not working (enabled DNS Resolver, disabled Forwarder)
• bingo600 @Gurveer

  @gurveer
  Remove the 1.1.1.1 too

  @stephenw10
  1: I'd expect the "bad domain" to affect all DoT lookups.

  2:
  As I read it, with the current selection, the local (127.0.0.1) should take precedence, and just use the 1.1.1.1 stuff if the local fails to resolve, correct?
  Since pfSense should be able to resolve, the 1.1.1.1 stuff should not be used at all.

  @Gurveer
  The DNS Resolver is also called "Unbound" ... the program name.
  The settings are here: Services --> DNS Resolver

  [screenshot]

  What does your config look like there??

  All of it?
• Gurveer @bingo600

  @bingo600 still same, stopped resolving portal.bsnl.in and portal.bsnl.in but opens using https://117.239.179.10/
• bingo600 @Gurveer

  @gurveer
  Read my "above post" again, I asked something else.

  What is the IP address of the PC that is not resolving?
  Is it located within your LAN IP range?
• Gurveer @bingo600

  @bingo600 it's ditto, same as yours
• bingo600 @Gurveer

  @gurveer
  But there is MUCH more below

  Show it all

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.