pfsense blocking certain/some sites
-
@gurveer said in pfsense blocking certain/some sites:
it worked (though disabled DNS resolver)
You mean you disabled the resolver (Unbound) and enabled the forwarder (DNSMasq)?
If so that shouldn't be required and probably indicates some underlying issue.
Steve
-
@bingo600 said in pfsense blocking certain/some sites:
On the screenshot above this is clearly in error
Ah, well spotted. Yes, if DoT is enabled that would be an issue. Though I would expect it to break everything, not just that site.
-
@bingo600 Removed the cloudflare-dns.com but nothing happened; site still not working (enabled DNS resolver, disabled forwarder).
-
@gurveer
Remove the 1.1.1.1 too.
@stephenw10
1: I'd expect the "bad domain" to affect all DoT lookups.
2: As I read it, with the current selection, the local (127.0.0.1) should take precedence, and just use the 1.1.1.1 stuff if the local fails to resolve, correct?
Since pfSense should be able to resolve, the 1.1.1.1 stuff should not be used at all.
@Gurveer
The DNS Resolver is also called "Unbound" ... the program name.
The settings are here: Services --> DNS Resolver
What does your config look like there??
All of it?
-
@bingo600 Still the same, stopped resolving portal.bsnl.in and portal.bsnl.in, but it opens using https://117.239.179.10/
-
@gurveer
Read my "above post" again, I asked something else. What is the IP address of the PC that is not resolving?
Is it located within your LAN IP range?
-
@bingo600 It's ditto, same as yours.
-
@gurveer
But there is MUCH more below. Show it all.
-
@bingo600 Ya, it's in the LAN IP range and none of the devices opens this site.
-
@gurveer
If you don't show the full Resolver config, we have no way of helping you further. See: https://forum.netgate.com/post/1064462
And in Status --> Services is unbound running (the Green Dot)
-
That. Also, please show the full output of Diag > DNS Lookup against one of the failing sites.
That test checks all configured DNS servers, so Unbound resolving locally plus any you added in Sys > Gen. Setup plus anything passed by DHCP. But clients only use Unbound (by default).
So if Diag > Lookup succeeds but clients cannot resolve, it's probably because Unbound is failing but some other server is allowing pfSense to resolve that. The full output would show it.
Steve
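Steve's point is that Diag > DNS Lookup asks every configured server, while clients only ask Unbound on 127.0.0.1, so the two can disagree. The script below is an added example, not code from the thread or from pfSense: it makes the same comparison from a shell, sending one query per server over UDP and then over TCP and printing each answer or error side by side, so a failing local Unbound stands out next to a working upstream. It uses only the Python standard library; the server list and the hostname in main() are constructed placeholders.

```python
"""
Query each DNS server separately over UDP and TCP and compare the answers.
Added example, not code from the thread or from pfSense. It uses only the
Python standard library; the server list and the hostname in main() are
constructed placeholders.
"""
import random
import socket
import struct


def build_query(name, qtype=1):
    """Build a recursive (RD=1) query for `name`; returns (transaction id, packet)."""
    qid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return qid, header + qname + struct.pack(">HH", qtype, 1)  # class IN


def read_name(msg, off):
    """Decode a (possibly compressed) name at `off`; returns (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg, expected_id):
    """Return rcode, TC flag and the A-record addresses from a DNS response."""
    qid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200), "addresses": addrs}


def query(server, name, tcp=False, timeout=3.0):
    """Ask one server for `name` over UDP or TCP; returns the parsed answer or {"error": ...}."""
    qid, pkt = build_query(name)
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(pkt)) + pkt)  # TCP frames are length-prefixed
                (n,) = struct.unpack(">H", s.recv(2))
                data = b""
                while len(data) < n:
                    chunk = s.recv(n - len(data))
                    if not chunk:
                        break
                    data += chunk
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(pkt, (server, 53))
                data, _ = s.recvfrom(4096)
        return parse_response(data, qid)
    except (OSError, ValueError, struct.error) as e:
        return {"error": str(e)}


def main():
    # Constructed placeholders: the local Unbound plus one upstream the firewall lists.
    servers = ["127.0.0.1", "1.1.1.1"]
    name = "portal2.bsnl.in"
    for server in servers:
        for tcp in (False, True):
            transport = "tcp" if tcp else "udp"
            print(f"{server:>16} {transport}: {query(server, name, tcp=tcp)}")


if __name__ == "__main__":
    main()
```

Run it on the firewall itself (or on a LAN client with the server list adjusted): a row for 127.0.0.1 that reports an error or SERVFAIL while the upstream row returns an address is exactly the "Unbound failing but some other server resolving" case described above.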
-
@bingo600 Ya, it's in the LAN IP range and none of the devices opens this site. Also, if it's fine by you, I have no problem giving remote access!
-
@stephenw10 here it is
-
Is unbound running?
See here
https://forum.netgate.com/post/1064464
Btw: Your Unbound config looks fine to me
-
-
@gurveer
Now things get "hairy" ..... I see no reason why unbound shouldn't resolve that: portal.bsnl.in
In Diag --> DNS Lookup, can you resolve e.g. google.com or cnn.com or bbc.co.uk?
-
@bingo600 all three got resolved
-
Hmm, curious. I have one VM here that fails to resolve those. If I turn up the logging level to 3 I see:
Oct 3 20:59:53 unbound 40999 [40999:1] info: validator operate: query portal2.bsnl.in. A IN
Oct 3 20:59:53 unbound 40999 [40999:1] debug: cache memory msg=36309 rrset=50168 infra=10801 val=35656
Oct 3 20:59:53 unbound 40999 [40999:0] error: read (in tcp s): Connection refused for 218.248.240.178 port 53
Oct 3 20:59:53 unbound 40999 [40999:0] debug: outnettcp got tcp error -1
But other VMs configured identically and using the same public IP work fine.
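The verbosity-3 lines above carry the useful detail in a fixed shape: a timestamp, the unbound PID, a [pid:thread] context, a level and a message, with the error line naming the upstream server and port that refused the TCP connection. The script below is an added example, not code from the thread or from Unbound: it parses that line format, groups error-level lines per upstream (ip, port), and lists the names Unbound was resolving at the time, so a refused TCP connection to one authoritative server can be spotted in a longer log without reading every line. The SAMPLE_LOG is constructed from the four lines quoted above.

```python
"""
Summarise upstream errors from Unbound log lines.
Added example, not code from the thread or from Unbound. SAMPLE_LOG is
constructed from the verbosity-3 lines quoted in the thread.
"""
import re
from collections import defaultdict

# Unbound log line: "<Mon D HH:MM:SS> unbound <pid> [<pid>:<thread>] <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) unbound (?P<pid>\d+) "
    r"\[(?P<ctx>\d+:\d+)\] (?P<level>\w+): (?P<msg>.*)$"
)
# Error messages that name an upstream, e.g. "... Connection refused for 218.248.240.178 port 53"
ERR_RE = re.compile(r"^(?P<what>.*?) for (?P<ip>[0-9.]+|[0-9a-fA-F:]+) port (?P<port>\d+)$")

SAMPLE_LOG = """\
Oct 3 20:59:53 unbound 40999 [40999:1] info: validator operate: query portal2.bsnl.in. A IN
Oct 3 20:59:53 unbound 40999 [40999:1] debug: cache memory msg=36309 rrset=50168 infra=10801 val=35656
Oct 3 20:59:53 unbound 40999 [40999:0] error: read (in tcp s): Connection refused for 218.248.240.178 port 53
Oct 3 20:59:53 unbound 40999 [40999:0] debug: outnettcp got tcp error -1
"""


def parse_line(line):
    """Split one Unbound log line into its fields; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise_errors(log_text):
    """Return {(ip, port): [error texts]} for error-level lines that name an upstream server."""
    errors = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["level"] != "error":
            continue
        em = ERR_RE.match(rec["msg"])
        if em:
            errors[(em["ip"], int(em["port"]))].append(em["what"])
    return dict(errors)


def queries_in_flight(log_text):
    """Names Unbound was resolving, taken from 'validator operate: query <name>' lines."""
    names = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["msg"].startswith("validator operate: query "):
            names.append(rec["msg"].split()[3].rstrip("."))
    return names


def main():
    print("queries:", ", ".join(queries_in_flight(SAMPLE_LOG)))
    for (ip, port), texts in summarise_errors(SAMPLE_LOG).items():
        print(f"upstream {ip} port {port}: {len(texts)} error(s)")
        for text in texts:
            print("   ", text)


if __name__ == "__main__":
    main()
```

Feed it the resolver log from Status > System Logs instead of SAMPLE_LOG to see which upstreams the failing VM is tripping over; a single authoritative server appearing only with TCP errors, while UDP answers elsewhere arrive, is the pattern to compare against the working VMs.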
-
Weird ....
I can resolve via that DNS server from my DNS linux
$ host 218.248.240.178
178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.
178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.gvmc.gov.in.
178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.gstkarnataka.gov.in.
178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.eofficeharyana.gov.in.

$ dig portal2.bsnl.in @218.248.240.178

; <<>> DiG 9.10.3-P4-Debian <<>> portal2.bsnl.in @218.248.240.178
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57455
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;portal2.bsnl.in.		IN	A

;; ANSWER SECTION:
portal2.bsnl.in.	10800	IN	A	117.239.179.10

;; AUTHORITY SECTION:
bsnl.in.		10800	IN	NS	ns11.bsnl.in.
bsnl.in.		10800	IN	NS	ns12.bsnl.in.

;; ADDITIONAL SECTION:
ns11.bsnl.in.		10800	IN	A	218.248.240.178
ns12.bsnl.in.		10800	IN	A	218.248.240.209

;; Query time: 301 msec
;; SERVER: 218.248.240.178#53(218.248.240.178)
;; WHEN: Mon Oct 03 22:23:52 CEST 2022
;; MSG SIZE  rcvd: 130

Stephen, what happens if you switch to the Forwarder? Can you then resolve? And if switching back, you can't again??
Then you have something like the OP.
-
Mmm, it's just this one VM.
Still does it with DNSSec disabled...