Netgate Discussion Forum

    pfsense blocking certain/some sites

    General pfSense Questions
    74 Posts 7 Posters 16.7k Views
    • bingo600 @Gurveer
      last edited by

      @gurveer
      Read my "above post" again, I asked something else.

      What is the IP address of the PC that is not resolving?
      Is it located within your LAN IP range?

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

      • Gurveer @bingo600
        last edited by

        @bingo600 it's ditto, same as yours

        • bingo600 @Gurveer
          last edited by

          @gurveer
          But there is MUCH more below

          Show it all


          • Gurveer @bingo600
            last edited by

            @bingo600 ya, it's in the LAN IP range and none of the devices open this site

            • bingo600 @Gurveer
              last edited by bingo600

              @gurveer
              If you don't show the Full Resolver config, we have no way of helping you further.

              See : https://forum.netgate.com/post/1064462

              And in Status --> Services, is unbound running (the green dot)?


              • stephenw10 Netgate Administrator
                last edited by

                That. Also please show the full output of Diag > DNS Lookup against one of the failing sites.

                That test checks all configured DNS servers, so Unbound resolving locally plus any you added in Sys > Gen. Setup plus anything passed by DHCP. But clients only use Unbound (by default).
                So if Diag > Lookup succeeds but clients cannot resolve it's probably because Unbound is failing but some other server is allowing pfSense to resolve that. The full output would show it.

                Steve

                • Gurveer @bingo600
                  last edited by

                  @bingo600 ya, it's in the LAN IP range and none of the devices open this site. Also, if it's fine by you, I have no problem giving remote access!
                  Screenshot 2022-10-04 at 12.09.25 AM.png Screenshot 2022-10-04 at 12.10.05 AM.png Screenshot 2022-10-04 at 12.10.38 AM.png Screenshot 2022-10-04 at 12.15.41 AM.png Screenshot 2022-10-04 at 12.16.19 AM.png Screenshot 2022-10-04 at 12.17.41 AM.png

                  • Gurveer @stephenw10
                    last edited by

                    @stephenw10 here it is: Screenshot 2022-10-04 at 12.32.32 AM.png

                    • bingo600 @Gurveer
                      last edited by

                      @gurveer

                      Is unbound running ?
                      See here
                      https://forum.netgate.com/post/1064464

                      Btw: Your Unbound config looks fine to me


                      • Gurveer @bingo600
                        last edited by

                        @bingo600 said in pfsense blocking certain/some sites:

                        https://forum.netgate.com/post/1064464

                        yup Screenshot 2022-10-04 at 12.36.50 AM.png

                        • bingo600 @Gurveer
                          last edited by

                          @gurveer
                          Now things get "hairy" .....

                          I see no reason why unbound shouldn't resolve that : portal.bsnl.in

                          In Diag --> DNS Lookup, can you resolve e.g. google.com or cnn.com or bbc.co.uk?


                          • Gurveer @bingo600
                            last edited by

                            @bingo600 all three got resolved

                            • stephenw10 Netgate Administrator
                              last edited by

                              Hmm, curious. I have one VM here that fails to resolve those. If I turn up the logging level to 3 I see:

                              Oct 3 20:59:53 	unbound 	40999 	[40999:1] info: validator operate: query portal2.bsnl.in. A IN
                              Oct 3 20:59:53 	unbound 	40999 	[40999:1] debug: cache memory msg=36309 rrset=50168 infra=10801 val=35656
                              Oct 3 20:59:53 	unbound 	40999 	[40999:0] error: read (in tcp s): Connection refused for 218.248.240.178 port 53
                              Oct 3 20:59:53 	unbound 	40999 	[40999:0] debug: outnettcp got tcp error -1 
                              

                              But other VMs configured identically and using the same public IP work fine.. 🤔

                              • bingo600 @stephenw10
                                last edited by bingo600

                                @stephenw10

                                Weird ....

                                I can resolve via that DNS server from my DNS linux

                                $ host 218.248.240.178
                                178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.
                                178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.gvmc.gov.in.
                                178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.gstkarnataka.gov.in.
                                178.240.248.218.in-addr.arpa domain name pointer ns11.bsnl.in.eofficeharyana.gov.in.
                                
                                $ dig portal2.bsnl.in @218.248.240.178
                                
                                ; <<>> DiG 9.10.3-P4-Debian <<>> portal2.bsnl.in @218.248.240.178
                                ;; global options: +cmd
                                ;; Got answer:
                                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57455
                                ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
                                ;; WARNING: recursion requested but not available
                                
                                ;; OPT PSEUDOSECTION:
                                ; EDNS: version: 0, flags:; udp: 4096
                                ;; QUESTION SECTION:
                                ;portal2.bsnl.in.		IN	A
                                
                                ;; ANSWER SECTION:
                                portal2.bsnl.in.	10800	IN	A	117.239.179.10
                                
                                ;; AUTHORITY SECTION:
                                bsnl.in.		10800	IN	NS	ns11.bsnl.in.
                                bsnl.in.		10800	IN	NS	ns12.bsnl.in.
                                
                                ;; ADDITIONAL SECTION:
                                ns11.bsnl.in.		10800	IN	A	218.248.240.178
                                ns12.bsnl.in.		10800	IN	A	218.248.240.209
                                
                                ;; Query time: 301 msec
                                ;; SERVER: 218.248.240.178#53(218.248.240.178)
                                ;; WHEN: Mon Oct 03 22:23:52 CEST 2022
                                ;; MSG SIZE  rcvd: 130
                                
                                

                                Stephen, what happens if you switch to the Forwarder, can you then resolve? And if switching back, you can't again??

                                Then you have something like OP


                                • stephenw10 Netgate Administrator
                                  last edited by

                                  Mmm, it's just this one VM.

                                  Still does it with DNSSec disabled...

                                  • johnpoz LAYER 8 Global Moderator @stephenw10
                                    last edited by johnpoz

                                    @stephenw10 what I can tell is wrong with their NS is that they do not answer via TCP.

                                    So normal via UDP works fine.

                                    So I'd like to see a +trace from pfSense

                                    ; <<>> DiG 9.16.26 <<>> portal.bsnl.in +trace
                                    ;; global options: +cmd
                                    .                       45761   IN      NS      j.root-servers.net.
                                    .                       45761   IN      NS      k.root-servers.net.
                                    .                       45761   IN      NS      l.root-servers.net.
                                    .                       45761   IN      NS      m.root-servers.net.
                                    .                       45761   IN      NS      a.root-servers.net.
                                    .                       45761   IN      NS      b.root-servers.net.
                                    .                       45761   IN      NS      c.root-servers.net.
                                    .                       45761   IN      NS      d.root-servers.net.
                                    .                       45761   IN      NS      e.root-servers.net.
                                    .                       45761   IN      NS      f.root-servers.net.
                                    .                       45761   IN      NS      g.root-servers.net.
                                    .                       45761   IN      NS      h.root-servers.net.
                                    .                       45761   IN      NS      i.root-servers.net.
                                    .                       45761   IN      RRSIG   NS 8 0 518400 20221016050000 20221003040000 18733 . YIXaa/EBSQVICUNPRhTRK21PwpQy6pk6zgrYeokFCUG6pPKmfn+7gOiq k12OWXOTYRguXIWv0YauJlYZlRJFOucvxIWI2hE8oeppc5bCDBXUwZ2V 6GDOEYnCkk/8Bh7QgaAGpBYeNbuPj2TD1bDX1dHKOZ/PIOoXeSxAOuAi xkZzEi4/zXqDWmeDA7CVq74qNvVgfkVg0NXDxqFtmJH/cXwvdGsWbeaZ gu95le0xD12RbYGoxfzM06DT4YLJMPJ4evH26D2xnUolBqZ9tbqjAxcv AdnAllbVw5AcuaYQMCqn3qy/x+M4rJKmExFughKCvnZWXxTlGcZDRDt1 0VFw0g==
                                    ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
                                    
                                    in.                     172800  IN      NS      ns1.registry.in.
                                    in.                     172800  IN      NS      ns2.registry.in.
                                    in.                     172800  IN      NS      ns3.registry.in.
                                    in.                     172800  IN      NS      ns4.registry.in.
                                    in.                     172800  IN      NS      ns5.registry.in.
                                    in.                     172800  IN      NS      ns6.registry.in.
                                    in.                     86400   IN      DS      54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9
                                    in.                     86400   IN      DS      54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C
                                    in.                     86400   IN      RRSIG   DS 8 1 86400 20221016170000 20221003160000 18733 . MH2IwInVoatMPeKOq084SdgHwlSAZxwSKLePZKNixFq/k5B9sjPwTPg2 sD9QebL9yV/nXQQkwouIpWrIk825ZZYSu+jqfPqX+orjMzlD1Md1EVZc TqWf+JqTTmMzGGnocx7ZswBFhTAXn5/g3enPXZqUyyvaxTVJ3QpWe7TQ ZAvK0hVSWRqcYaCJTyblVRB7X64DgiTuU5JBRVSVqcsqGtN2YIPZETlQ Y2deLx2TsaiDhF1YMKUfGVrji9/N3wGn90FGKNXPEOuLxmf4n/tshoaK 0CzachAt5++rERjalNoZjKCBmFF1o2eRi8DCD5Uqi4+qyeHvRTtJrr6d 48Txwg==
                                    ;; Received 795 bytes from 198.97.190.53#53(h.root-servers.net) in 58 ms
                                    
                                    bsnl.in.                86400   IN      NS      ns11.bsnl.in.
                                    bsnl.in.                86400   IN      NS      ns12.bsnl.in.
                                    u7smslveus494o8dr4h483un5spuc1tu.in. 1800 IN NSEC3 1 1 0 - U7T80A19T7AQCC0P8AMD1AC4SCNB2DG5 NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
                                    u7smslveus494o8dr4h483un5spuc1tu.in. 1800 IN RRSIG NSEC3 8 2 1800 20221029024156 20220929023509 65169 in. OhLJIY+hNU2Iba31vmFAZmg83NwqnSy5kTbfU8cZYFG663HzbGHhdv/K GuGaRoYkqyEPpWfBF/VbAKHWi6F9fIGPR2+P2rKgD2eCzcuttKmq9bhX 4uHehoh+Qr06klPyF+TGp/iQvxyKJIMX0c/AFM2bbG4y/D7qO/5j0cK8 qheSA/XC8aOj/yRrY23Q84506B9plijHJfG3M+/T5qBjCA==
                                    cpcirneso3q726baurorn492qjc704f7.in. 1800 IN NSEC3 1 1 0 - CPDC4IU515A25D00VQOT9RS8DOGC39NO NS DS RRSIG
                                    cpcirneso3q726baurorn492qjc704f7.in. 1800 IN RRSIG NSEC3 8 2 1800 20221029024559 20220929023325 65169 in. d+tE+NTWj1j/jbF2vO1vjtwPcxNDdJFFk2VWc3ijj6q/utOfqL/wtZUv tZd6ofRu+M0SHvxGzjJcZpiqMf9HaMOkGKLXfXO1sohlJLqNuQgs4RTr 9VjO1qnfnXZNkSP2aDP9KdnKcwcHHQv4cR6J5hPi7XOaURTIM3kI5YkC yq4rdXQIxtkWC0D+aOUP+mpHrm4+27qbSbYoqOCDDRE9+Q==
                                    ;; Received 724 bytes from 156.154.100.20#53(ns5.registry.in) in 58 ms
                                    
                                    portal.bsnl.in.         10800   IN      A       117.255.216.68
                                    portal.bsnl.in.         10800   IN      RRSIG   A 7 3 10800 20221010221608 20221003211608 51428 bsnl.in. Vlc2csKOp69KSqiKUQl6iIAzgycNTMj1Oj+84dyYtjatWlBHMvtjkUMK XjhfLoI4RVZkaZgd20KNKddNKwId8Qs+kOH0fYSS4jAkEB+llzt5pOdN 8jYweG5dLFjgZmH67oUDLEjemO7PQiWduPOB7tXU5NukoKqjpD1HtL7m 8qI=
                                    bsnl.in.                10800   IN      NS      ns12.bsnl.in.
                                    bsnl.in.                10800   IN      NS      ns11.bsnl.in.
                                    bsnl.in.                10800   IN      RRSIG   NS 7 2 10800 20221010221602 20221003211602 51428 bsnl.in. XGHAXve5mEGouSP3gISD3XJp3lQnQsk+qSdzm2UHsOlEcvNj0kyNwRl/ 1etqIKNnzByXhh3spngJdOlyMvsrlZfodsviJ/6v3VzlmJoawlUZuLov UddqQmq15Xnj7S3Hi5xPq8rTXIAXvqGSpjUifZDCFlUcmY89iTwpI9Sb FAo=
                                    ;; Received 797 bytes from 218.248.240.209#53(ns12.bsnl.in) in 334 ms
                                    

                                    But notice when you try it via tcp

                                    
                                    [22.05-RELEASE][admin@sg4860.local.lan]/root: dig portal.bsnl.in +trace +tcp
                                    
                                    ; <<>> DiG 9.16.26 <<>> portal.bsnl.in +trace +tcp
                                    ;; global options: +cmd
                                    .                       45742   IN      NS      l.root-servers.net.
                                    .                       45742   IN      NS      m.root-servers.net.
                                    .                       45742   IN      NS      a.root-servers.net.
                                    .                       45742   IN      NS      b.root-servers.net.
                                    .                       45742   IN      NS      c.root-servers.net.
                                    .                       45742   IN      NS      d.root-servers.net.
                                    .                       45742   IN      NS      e.root-servers.net.
                                    .                       45742   IN      NS      f.root-servers.net.
                                    .                       45742   IN      NS      g.root-servers.net.
                                    .                       45742   IN      NS      h.root-servers.net.
                                    .                       45742   IN      NS      i.root-servers.net.
                                    .                       45742   IN      NS      j.root-servers.net.
                                    .                       45742   IN      NS      k.root-servers.net.
                                    .                       45742   IN      RRSIG   NS 8 0 518400 20221016050000 20221003040000 18733 . YIXaa/EBSQVICUNPRhTRK21PwpQy6pk6zgrYeokFCUG6pPKmfn+7gOiq k12OWXOTYRguXIWv0YauJlYZlRJFOucvxIWI2hE8oeppc5bCDBXUwZ2V 6GDOEYnCkk/8Bh7QgaAGpBYeNbuPj2TD1bDX1dHKOZ/PIOoXeSxAOuAi xkZzEi4/zXqDWmeDA7CVq74qNvVgfkVg0NXDxqFtmJH/cXwvdGsWbeaZ gu95le0xD12RbYGoxfzM06DT4YLJMPJ4evH26D2xnUolBqZ9tbqjAxcv AdnAllbVw5AcuaYQMCqn3qy/x+M4rJKmExFughKCvnZWXxTlGcZDRDt1 0VFw0g==
                                    ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
                                    
                                    in.                     172800  IN      NS      ns1.registry.in.
                                    in.                     172800  IN      NS      ns2.registry.in.
                                    in.                     172800  IN      NS      ns3.registry.in.
                                    in.                     172800  IN      NS      ns4.registry.in.
                                    in.                     172800  IN      NS      ns5.registry.in.
                                    in.                     172800  IN      NS      ns6.registry.in.
                                    in.                     86400   IN      DS      54739 8 1 2B5CA455A0E65769FF9DF9E75EC40EE1EC1CDCA9
                                    in.                     86400   IN      DS      54739 8 2 9F122CFD6604AE6DEDA0FE09F27BE340A318F06AFAC11714A73409D4 3136472C
                                    in.                     86400   IN      RRSIG   DS 8 1 86400 20221016170000 20221003160000 18733 . MH2IwInVoatMPeKOq084SdgHwlSAZxwSKLePZKNixFq/k5B9sjPwTPg2 sD9QebL9yV/nXQQkwouIpWrIk825ZZYSu+jqfPqX+orjMzlD1Md1EVZc TqWf+JqTTmMzGGnocx7ZswBFhTAXn5/g3enPXZqUyyvaxTVJ3QpWe7TQ ZAvK0hVSWRqcYaCJTyblVRB7X64DgiTuU5JBRVSVqcsqGtN2YIPZETlQ Y2deLx2TsaiDhF1YMKUfGVrji9/N3wGn90FGKNXPEOuLxmf4n/tshoaK 0CzachAt5++rERjalNoZjKCBmFF1o2eRi8DCD5Uqi4+qyeHvRTtJrr6d 48Txwg==
                                    ;; Received 795 bytes from 193.0.14.129#53(k.root-servers.net) in 42 ms
                                    
                                    bsnl.in.                86400   IN      NS      ns12.bsnl.in.
                                    bsnl.in.                86400   IN      NS      ns11.bsnl.in.
                                    u7smslveus494o8dr4h483un5spuc1tu.in. 1800 IN NSEC3 1 1 0 - U7T80A19T7AQCC0P8AMD1AC4SCNB2DG5 NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
                                    u7smslveus494o8dr4h483un5spuc1tu.in. 1800 IN RRSIG NSEC3 8 2 1800 20221029024156 20220929023509 65169 in. OhLJIY+hNU2Iba31vmFAZmg83NwqnSy5kTbfU8cZYFG663HzbGHhdv/K GuGaRoYkqyEPpWfBF/VbAKHWi6F9fIGPR2+P2rKgD2eCzcuttKmq9bhX 4uHehoh+Qr06klPyF+TGp/iQvxyKJIMX0c/AFM2bbG4y/D7qO/5j0cK8 qheSA/XC8aOj/yRrY23Q84506B9plijHJfG3M+/T5qBjCA==
                                    cpcirneso3q726baurorn492qjc704f7.in. 1800 IN NSEC3 1 1 0 - CPDC4IU515A25D00VQOT9RS8DOGC39NO NS DS RRSIG
                                    cpcirneso3q726baurorn492qjc704f7.in. 1800 IN RRSIG NSEC3 8 2 1800 20221029024559 20220929023325 65169 in. d+tE+NTWj1j/jbF2vO1vjtwPcxNDdJFFk2VWc3ijj6q/utOfqL/wtZUv tZd6ofRu+M0SHvxGzjJcZpiqMf9HaMOkGKLXfXO1sohlJLqNuQgs4RTr 9VjO1qnfnXZNkSP2aDP9KdnKcwcHHQv4cR6J5hPi7XOaURTIM3kI5YkC yq4rdXQIxtkWC0D+aOUP+mpHrm4+27qbSbYoqOCDDRE9+Q==
                                    ;; Received 724 bytes from 2001:502:2eda::20#53(ns5.registry.in) in 54 ms
                                    
                                    ;; Connection to 218.248.240.178#53(218.248.240.178) for portal.bsnl.in failed: connection refused.
                                    ;; Connection to 218.248.240.209#53(218.248.240.209) for portal.bsnl.in failed: connection refused.
                                    [22.05-RELEASE][admin@sg4860.local.lan]/root: 
                                    

                                    And you get the same warning here
                                    https://dnsviz.net/d/portal.bsnl.in/dnssec/

                                    tcp.jpg

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                    • bingo600 @johnpoz
                                      last edited by

                                      @johnpoz
                                      Nice detective work 👍 👍

                                      Now i have to read up on the various dig features 😊

                                      /Bingo


                                      • johnpoz LAYER 8 Global Moderator @bingo600
                                        last edited by johnpoz

                                        @bingo600 why he would be trying tcp and not udp, not sure. But not answering tcp can cause issues for sure..

                                        Sometimes it is just crazy to me the lack of any understanding of dns for companies that provide servers like websites.. And control their own dns.

                                        Notice the NS are ns11 and ns12 bsnl.in; it's not like they are having their DNS hosted by someone - they have registered their own name servers..

                                        If you're going to do it - please have some clue how to set up and manage DNS ;) And if you're going to use DNSSEC - read the RFCs for gosh sake ;) Notice the 11 warnings where they are using the wrong algo.

                                        Notice this sort of error when I set the limit to 512, which was the old limit without EDNS etc.; that would force a move to TCP from UDP.. You can for sure exceed 512 when doing DNSSEC

                                        $ dig @ns11.bsnl.in portal2.bsnl.in +dnssec +bufsize=512
                                        ;; Truncated, retrying in TCP mode.
                                        ;; Connection to 218.248.240.178#53(218.248.240.178) for portal2.bsnl.in failed: connection refused.
                                        

                                        see msg size when I ask for dnssec info

                                        ;; Query time: 309 msec
                                        ;; SERVER: 218.248.240.178#53(218.248.240.178)
                                        ;; WHEN: Mon Oct 03 23:08:30 Central Daylight Time 2022
                                        ;; MSG SIZE  rcvd: 798
                                        

                                        If I set bufsize to 798 it works, if set to 797 it fails because it's trying to fall back to TCP, which isn't working.. So yeah I could see lots of problems with this domain for sure, if for whatever reason the connection to the NSes is being limited to a UDP msg size below the size of what that server is sending back.

                                        As a hack/workaround to getting this to work, you could forward to say one of the big boys, google, quad9, 1111 etc.. You could set up a domain override for this specific domain, so that when you ask unbound for this specific domain, it forwards to say 8.8.8.8

                                        The correct thing to do would be to figure out why this site isn't answering on TCP and have them fix that, or figure out exactly why there is a limit in the UDP size going on..

                                        Maybe his ISP is limiting it? And it works on other sites because they answer on the TCP fallback, but this site fails because it's not answering on TCP..

                                        edit: see here when I set udp 512 limit, in my query.. It sends back hey this is Truncated the answer will not fit in that size. So the client asks via tcp, but the server not answering on tcp.

                                        TC.jpg

                                        I don't know why pfsense would be limiting its size in its query, not exactly sure why client would be doing that either, so the limit has to be happening somewhere between I would think.

                                        Would be interesting to see the query that is leaving pfsense.. Sniff on the wan while your client asks for the portal.bsnl.in would be good info. See in my sniff, I can tell if a payload size is limited by pfsense. Notice when I just ask, does it ask if a directed query from the client asks ns11 or ns12 directly?

                                        For pfsense to ask, you might have to flush cache of pfsense between queries for it, etc.

                                        Normally should look like this.

                                        udppayload.jpg

                                        edit2:

                                        Has the advanced edns options in unbound been messed with?

                                        unbound.jpg

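To make the mechanism johnpoz walks through above (and in his earlier +trace versus +trace +tcp comparison) concrete, here is an added example that is not part of the thread and not pfSense or Unbound code: a small Python model of the EDNS UDP payload size, the TC bit, and the TCP fallback. It builds real wire-format queries carrying an OPT record, and simulates in-process (no packets are sent) an authoritative server whose complete DNSSEC answer is 798 bytes and which refuses TCP, as the two bsnl.in name servers do in the dig output. The domain, the 798-byte answer size and the A record value come from the thread; the helper names (build_query, toy_udp_server, resolve, sweep) are my own.

```python
"""Added example (not from the thread): model of EDNS bufsize, the TC bit and TCP fallback.

No packets are sent. A toy authoritative server is simulated in-process so the
outcomes johnpoz observed (answer fits in UDP; truncated and TCP refused) can be
reproduced for any advertised buffer size.
"""
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
CLASSIC_UDP_LIMIT = 512  # maximum UDP payload without EDNS (RFC 1035)


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, txid=0x1234, edns_bufsize=None, dnssec_ok=False):
    """Build an A query; with edns_bufsize set, append an OPT pseudo-RR advertising that size."""
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack(">HH", DNS_TYPE_A, 1)
    msg = header + question
    if edns_bufsize is not None:
        # OPT RR (RFC 6891): root name, TYPE 41, the CLASS field carries the UDP payload
        # size, the TTL field carries ext-rcode/version/flags (DO bit = 0x8000), no RDATA.
        ttl_field = 0x8000 if dnssec_ok else 0
        msg += b"\x00" + struct.pack(">HHIH", DNS_TYPE_OPT, edns_bufsize, ttl_field, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict with the flags split out by name."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "tc": bool(flags & FLAG_TC), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def _skip_name(msg, pos):
    """Advance past an uncompressed wire-format name starting at pos."""
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1


def _question_end(msg):
    """Offset just past the question section (queries carry no name compression)."""
    pos = 12
    for _ in range(parse_header(msg)["qdcount"]):
        pos = _skip_name(msg, pos) + 4  # QTYPE + QCLASS
    return pos


def advertised_bufsize(query):
    """UDP payload size a query advertises in its OPT RR, or 512 when it carries none."""
    pos = _question_end(query)
    for _ in range(parse_header(query)["arcount"]):
        pos = _skip_name(query, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", query[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            return rclass
    return CLASSIC_UDP_LIMIT


def toy_udp_server(query, full_answer_size, answer_ip=bytes([117, 239, 179, 10])):
    """Simulated authoritative server whose complete answer is full_answer_size bytes.

    If that exceeds what the client advertised, it replies with header + question
    only and TC set: the 'Truncated, retrying in TCP mode' case from the thread.
    Otherwise it returns an A record (117.239.179.10, from the dig output) padded
    with zero bytes up to full_answer_size; the padding stands in for the
    RRSIG/NS/glue records of a real DNSSEC answer, since only the size matters here.
    """
    txid = parse_header(query)["id"]
    question = query[12:_question_end(query)]
    flags = FLAG_QR | FLAG_AA  # authoritative answer, RA clear (no recursion offered)
    if full_answer_size > advertised_bufsize(query):
        return struct.pack(">HHHHHH", txid, flags | FLAG_TC, 1, 0, 0, 0) + question
    answer = b"\xc0\x0c" + struct.pack(">HHIH", DNS_TYPE_A, 1, 10800, 4) + answer_ip
    msg = struct.pack(">HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer
    return msg + b"\x00" * max(0, full_answer_size - len(msg))


def resolve(qname, edns_bufsize, full_answer_size, tcp_available):
    """Model a resolver: UDP first; on TC, retry over TCP (RFC 7766) if the server accepts it."""
    query = build_query(qname, edns_bufsize=edns_bufsize, dnssec_ok=True)
    udp_reply = toy_udp_server(query, full_answer_size)
    if not parse_header(udp_reply)["tc"]:
        return "answered over UDP"
    if not tcp_available:
        return "failed: truncated and TCP refused"
    return "answered over TCP"


def sweep(sizes=(512, 797, 798, 4096), full_answer_size=798, tcp_available=False):
    """Reproduce johnpoz's bufsize experiment against a server that refuses TCP."""
    return {size: resolve("portal2.bsnl.in", size, full_answer_size, tcp_available)
            for size in sizes}


if __name__ == "__main__":
    for size, outcome in sweep().items():
        print(f"bufsize={size:<5} -> {outcome}")
```

Running it reports 512 and 797 as "failed: truncated and TCP refused" and 798 and 4096 as "answered over UDP", which is the 797/798 boundary johnpoz describes; with tcp_available=True every size resolves, because the truncated reply is simply retried over TCP. advertised_bufsize can also be applied to the payload of a query captured in the WAN sniff johnpoz suggests, to see whether the size Unbound put in the OPT record is what actually leaves pfSense.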

                                        • bingo600 @johnpoz
                                          last edited by

                                          @johnpoz said in pfsense blocking certain/some sites:

                                          Has the advanced edns options in unbound been messed with?

                                          I doubt it had been messed with by OP

                                          Nice debugging

                                          I'm forwarding pfSense (unbound) DNS queries to my local bind9 server(s).
                                          Primarily because i already had that in place, with working DDNS registration for my home domain.

                                          And i made dual secondary DNS servers in the summerhouse (blush), that my summerhouse pfS is using as forwarders. Summerhouse DNS'es are also registering DDNS on the primary DNS, making all DDNS to replicate via primary to secondaries , and available on both sites.

                                          So any queries from me would be done by bind9.

                                          Btw:
                                          That https://dnsviz.net/ is quite revealing.
                                          Now I have to look into the possibility of RR sigs on my "public domain" (hosted) 😧 - Thanx or ..... Now I can't get that out of my head 🤕

                                          /Bingo


                                          • Gurveer @johnpoz
                                            last edited by

                                            @johnpoz how to forward this portal2.bsnl.in or portal.bsnl.in to 8.8.8.8 or 1.1.1.1? Please help

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.