pfsense blocking certain/some sites
- 
 @gurveer said in pfsense blocking certain/some sites:
 "it worked (tho disabled dns resolver )"
 You mean you disabled the resolver (Unbound) and enabled the forwarder (DNSMasq)? If so that shouldn't be required and probably indicates some underlying issue.
 Steve
- 
 @bingo600 said in pfsense blocking certain/some sites:
 "On the screenshot above this is clearly in error"
 Ah, well spotted. Yes, if DoT is enabled that would be an issue. Though I would expect it to break everything, not just that site.
- 
 @bingo600 removed the cloudflare-dns.com but nothing happened, the site is still not working (enabled DNS Resolver, disabled Forwarder)
- 
 @gurveer
 Remove the 1.1.1.1 too.
- 
 @stephenw10
 1: I'd expect the "bad domain" to affect all DoT lookups.
 2: As I read it, with the current selection the local (127.0.0.1) should take precedence, and the 1.1.1.1 stuff should only be used if the local fails to resolve, correct?
 Since pfSense should be able to resolve, the 1.1.1.1 stuff should not be used at all.
- 
 @Gurveer
 The DNS Resolver is also called "Unbound" ... the program name.
 The settings are here: Services --> DNS Resolver. What does your config look like there?? All of it?
- 
 @bingo600 still the same, it stopped resolving portal.bsnl.in and portal.bsnl.in but it opens using https://117.239.179.10/
- 
 @gurveer 
 Read my "above post" again, I asked something else. What is the IP address of the PC that is not resolving?
 Is it located within your LAN IP range?
- 
 @bingo600 it's ditto, the same as yours
- 
 @gurveer 
 But there is MUCH more below. Show it all.
- 
 @bingo600 yes, it's in the LAN IP range and none of the devices open this site
- 
 @gurveer 
 If you don't show the full Resolver config, we have no way of helping you further. See: https://forum.netgate.com/post/1064462
 And in Status --> Services, is unbound running (the green dot)?
- 
 That. Also please show the full output of Diag > DNS Lookup against one of the failing sites. That test checks all configured DNS servers: Unbound resolving locally, plus any you added in Sys > Gen. Setup, plus anything passed by DHCP. But clients only use Unbound (by default).
 So if Diag > Lookup succeeds but clients cannot resolve, it's probably because Unbound is failing but some other server is allowing pfSense to resolve that. The full output would show it.
 Steve
- 
 @bingo600 yes, it's in the LAN IP range and none of the devices open this site. Also, if it's fine by you, I have no problem giving remote access!
- 
 @stephenw10 here it is  
- 
 Is unbound running?
 See here: https://forum.netgate.com/post/1064464
 Btw: Your Unbound config looks fine to me.
- 
 
- 
 @gurveer 
 Now things get "hairy" ..... I see no reason why unbound shouldn't resolve that: portal.bsnl.in
 In Diag --> DNS Lookup, can you resolve e.g. google.com or cnn.com or bbc.co.uk?
- 
 @bingo600 all three got resolved 
- 
 Hmm, curious. I have one VM here that fails to resolve those. If I turn the logging level up to 3 I see:
 Oct 3 20:59:53 unbound 40999 [40999:1] info: validator operate: query portal2.bsnl.in. A IN
 Oct 3 20:59:53 unbound 40999 [40999:1] debug: cache memory msg=36309 rrset=50168 infra=10801 val=35656
 Oct 3 20:59:53 unbound 40999 [40999:0] error: read (in tcp s): Connection refused for 218.248.240.178 port 53
 Oct 3 20:59:53 unbound 40999 [40999:0] debug: outnettcp got tcp error -1
 But other VMs configured identically and using the same public IP work fine..
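The log excerpt above is the kind of thing worth triaging automatically when a resolver misbehaves on one host only: pull out the "Connection refused" errors, attribute each one to the query Unbound was working on, and count failures per upstream server. The script below is an added example for this thread, not code from Netgate or from any of the posters. The log lines are the ones quoted above plus two constructed lines of the same shape (a second refusal from 218.248.240.209, the other bsnl.in nameserver seen in the dig output later in the thread, and one unrelated query) so the grouping has something to show. The field layout it assumes is only what the quoted lines show: timestamp, "unbound", pid, "[pid:thread]", level, message.

```python
import re
from collections import Counter

# Sample log: first four lines as posted above; the last three are constructed
# to give the summary a second server and an unrelated, successful-looking query.
SAMPLE_LOG = """\
Oct 3 20:59:53 unbound 40999 [40999:1] info: validator operate: query portal2.bsnl.in. A IN
Oct 3 20:59:53 unbound 40999 [40999:1] debug: cache memory msg=36309 rrset=50168 infra=10801 val=35656
Oct 3 20:59:53 unbound 40999 [40999:0] error: read (in tcp s): Connection refused for 218.248.240.178 port 53
Oct 3 20:59:53 unbound 40999 [40999:0] debug: outnettcp got tcp error -1
Oct 3 21:00:01 unbound 40999 [40999:1] info: validator operate: query portal2.bsnl.in. A IN
Oct 3 21:00:01 unbound 40999 [40999:0] error: read (in tcp s): Connection refused for 218.248.240.209 port 53
Oct 3 21:00:05 unbound 40999 [40999:1] info: validator operate: query bbc.co.uk. A IN
"""

# One log line: "<Mon> <day> <hh:mm:ss> unbound <pid> [<pid>:<thread>] <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) unbound \d+ \[\d+:\d+\] "
    r"(?P<level>\w+): (?P<msg>.*)$"
)
# The query the validator is currently working on.
QUERY_RE = re.compile(r"validator operate: query (?P<name>\S+) (?P<type>\S+) IN")
# An upstream TCP connection that was refused outright.
REFUSED_RE = re.compile(
    r"read \(in tcp s\): Connection refused for (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def triage_unbound_log(text):
    """Summarise refused upstream connections by server and by the name being resolved.

    Errors are attributed to the most recent 'validator operate: query' line, which
    is how the quoted excerpt reads (query, then the TCP error for that query).
    """
    refused = Counter()       # (server ip, port) -> number of refused connections
    failed_names = Counter()  # query name -> number of refusals seen while resolving it
    last_query = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an unbound line in the expected shape
        msg = m.group("msg")
        q = QUERY_RE.search(msg)
        if q:
            last_query = q.group("name")
            continue
        r = REFUSED_RE.search(msg)
        if r:
            refused[(r.group("ip"), int(r.group("port")))] += 1
            if last_query:
                failed_names[last_query] += 1
    return {"refused_by_server": dict(refused), "failed_names": dict(failed_names)}


def suspect_servers(summary):
    """Upstream servers that refused at least one connection, sorted for stable output."""
    return sorted(ip for (ip, _port) in summary["refused_by_server"])


if __name__ == "__main__":
    summary = triage_unbound_log(SAMPLE_LOG)
    for (ip, port), n in summary["refused_by_server"].items():
        print(f"{ip}:{port} refused {n} TCP connection(s)")
    for name, n in summary["failed_names"].items():
        print(f"{name} hit {n} upstream refusal(s)")
    print("suspect servers:", ", ".join(suspect_servers(summary)))
```

Running it against a day of Unbound logs from the failing VM and from a working one would show quickly whether the refusals are confined to the bsnl.in servers (pointing at the path between that one VM and those servers, since TCP fallback happened after a UDP attempt) or spread across many authorities (pointing at the VM's own networking). Nothing here changes resolver configuration; it only reads the log.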
- 
 Weird .... I can resolve via that DNS server from my DNS Linux
 $ host 218.248.240.178
 178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.
 178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.gvmc.gov.in.
 178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.gstkarnataka.gov.in.
 178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.eofficeharyana.gov.in.
 $ dig portal2.bsnl.in @218.248.240.178
 ; <<>> DiG 9.10.3-P4-Debian <<>> portal2.bsnl.in @218.248.240.178
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57455
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 ;; WARNING: recursion requested but not available
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;portal2.bsnl.in. IN A
 ;; ANSWER SECTION:
 portal2.bsnl.in. 10800 IN A 117.239.179.10
 ;; AUTHORITY SECTION:
 bsnl.in. 10800 IN NS ns11.bsnl.in.
 bsnl.in. 10800 IN NS ns12.bsnl.in.
 ;; ADDITIONAL SECTION:
 ns11.bsnl.in. 10800 IN A 218.248.240.178
 ns12.bsnl.in. 10800 IN A 218.248.240.209
 ;; Query time: 301 msec
 ;; SERVER: 218.248.240.178#53(218.248.240.178)
 ;; WHEN: Mon Oct 03 22:23:52 CEST 2022
 ;; MSG SIZE rcvd: 130
 Stephen, what happens if you switch to the Forwarder, can you then resolve? And if switching back, you can't again?? Then you have something like OP.
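The dig output above carries two details worth being able to read off the wire rather than trusting the tool's summary: the header flags "qr aa rd" (answer, authoritative, recursion desired echoed back from the query) and the warning that follows from them, since the RA bit is clear because ns11.bsnl.in is an authoritative-only server and will not recurse for anyone. The code below is an added example for this thread, not code from the poster or from Netgate; it builds a DNS response in memory that mirrors the answer quoted above (id 57455, the A record 117.239.179.10 with TTL 10800, flags qr aa rd, no authority or additional records) and parses it back with a minimal RFC 1035 header and record parser, reproducing dig's warning. The packet is constructed, not captured, so the authority and additional sections dig showed are left out to keep it short.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1).
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. 'a.b.' -> b'\\x01a\\x01b\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qid, qname, answers, flags):
    """Build a response with one A question and the given (ttl, ipv4) A answers.

    Answer owner names use a compression pointer (0xC00C) back to the question
    name at offset 12, exactly as real servers do.
    """
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    body = b""
    for ttl, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + body


def read_name(pkt, off):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it once, remember where we were
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(pkt):
    """Parse header flags, questions and A answers; emit dig's RA warning when it applies."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    fl = {"qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA), "tc": bool(flags & FLAG_TC),
          "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA)}
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    warnings = []
    if fl["rd"] and not fl["ra"]:  # we asked for recursion, the server does not offer it
        warnings.append("recursion requested but not available")
    return {"id": qid, "flags": fl, "rcode": flags & 0x000F,
            "questions": questions, "answers": answers, "warnings": warnings}


def flag_string(fl):
    """Render flags the way dig prints them, e.g. 'qr aa rd'."""
    return " ".join(k for k in ("qr", "aa", "tc", "rd", "ra") if fl[k])


# Constructed packet mirroring the quoted answer from ns11.bsnl.in.
SAMPLE_RESPONSE = build_response(57455, "portal2.bsnl.in.", [(10800, "117.239.179.10")],
                                 FLAG_QR | FLAG_AA | FLAG_RD)

if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print(f"id: {r['id']}  flags: {flag_string(r['flags'])}  rcode: {r['rcode']}")
    for name, ttl, ip in r["answers"]:
        print(f"{name} {ttl} IN A {ip}")
    for w in r["warnings"]:
        print("WARNING:", w)
```

The warning is expected when querying an authoritative server directly, as bingo600 did; it would be a problem only if a client saw it from a server it relies on for recursion. The same parser run on a recursive resolver's answer (flags qr rd ra) produces no warning, which the test below also checks with a second constructed packet.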
- 
 Mmm, it's just this one VM. Still does it with DNSSEC disabled...