DNS resolution problem when accessing certain URLs
-
I have activated the DNS Resolver on my pfSense. All clients that use pfSense as their DNS server get a DNS error when accessing certain sites like netflix[.]com or adult/porn sites.
I did some troubleshooting and can confirm that the problem is my pfSense and not another system or the client itself. When my clients do not use pfSense as their DNS server, they can successfully access all sites.
What I have tried so far:
- Checked FW rules and logs (no blocked packets related to this problem) --> I even added a temporary allow-all rule, which did not help.
- Activated unbound query logging to see all queries from the clients. The queries are visible.
- Restarted pfSense (and the unbound service).
- Used the pfSense "DNS Lookup" tool: Netflix can be resolved successfully, however all adult sites cannot be resolved.
- Used Wireshark to capture the DNS reply from pfSense: "Standard query response 0x29df No such name A www.netflix.com ..."
Is this a known behavior of pfSense? I have the feeling that this has to do with pfSense being an "Enterprise/business" router and that it is therefore legitimate to not access those kinds of websites. However, I'm a bit confused that there is no option which allows me to unlock those sites and access them...
I would appreciate it if someone could help me with this.
-
@muffinman99991 said in DNS resolution problem when accessing certain URLs:
Router and that it is therefore legitimate to not access those kind of websites
No, there are no controls on resolving any public site out of the box.
Out of the box pfSense resolves - and would talk directly to the authoritative name servers for a specific domain. Have you adjusted this? Are you forwarding, or forwarding with TLS?
I have no issues resolving Netflix.
An NX is a specific response: not that it couldn't talk to a server, but that for some reason it believes there is no record for that.
-
@muffinman99991 Did you change any DNS Resolver settings? (notably, it is on by default) E.g. is it set to forward queries or is it looking up names itself (the default)? Did you set up pfBlocker that would block sites you've selected to block?
-
First of all thx for the quick response :)
@johnpoz As I mentioned, I was also able to resolve netflix[.]com via the pfSense resolver tool (but not from the clients). You should try to resolve p*rnhub.com or any other nudity site with pfSense (will not work over the pfSense tool). If this works on your pfSense, then it seems like I have to factory reset mine and start from scratch...
No, I don't use TLS and I didn't enable the Forwarding Mode. @SteveITS No, I did not change any settings (as far as I know...). I use the Resolver with the forwarding mode disabled. I also have not installed any additional packages like pfBlocker.
Here are my DNS related configs, maybe there is a setting which was accidentally changed:
General Settings
Forwarder Disabled:
DNS Resolver Options:
-
@muffinman99991 no issues resolving pornhub ;)
Either via the DNS tool on pfSense or from a client.
Again, out of the box pfSense would do zero filtering of any DNS. The only way you could be filtering on DNS is if you were running pfBlocker, or an IPS stopping traffic to some authoritative NS, etc. Or you had created your own records in unbound to block specific FQDNs, etc.
-
@muffinman99991
Can you post the same images as @johnpoz? unbound should be listening on 127.0.0.1, which is local on pfSense, so reachable no matter what.
This might show:
- unbound is told to listen on 127.0.0.1, as your unbound settings look fine to me; if it doesn't, the test will fail.
- if unbound is unable to go 'outside' to do its resolver thing, that would show up.
Also: testing starts on the device you use to see the content of netflix.com.
- Is the app, like a browser, using the IP assigned by DHCP as its DNS? This is typically the LAN IP of pfSense, and the same as the gateway: 192.168.1.1. Be aware: apps can use their system's DNS (the IP obtained by their DHCP lease) or use an IP you've set up yourself, or even a hard-coded one, completely bypassing pfSense.
- Test on the command line with "nslookup netflix.com". This will show you what DNS is used, normally 192.168.1.1, thus pfSense, and the answer.
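As an added example (not from the thread and not pfSense code), a small Python script that does what the nslookup step above does, but more directly: it sends one raw A query to the pfSense LAN address and one to a public resolver and reports each RCODE, so an NXDOMAIN ("No such name", as in the Wireshark capture earlier in the thread) is told apart from no reply at all. 192.168.1.1 is the pfSense LAN IP the post assumes; 9.9.9.9 as the comparison resolver and the wording in diagnose() are my own assumptions.

```python
import os
import socket
import struct

# DNS RCODE values (RFC 1035); 3 is the "No such name" seen in the Wireshark capture
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid):
    """Build a minimal recursive (RD=1) A/IN query for name with transaction id txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(resp, txid):
    """Return (rcode name, answer count) from a raw reply; reject a foreign id or a non-reply."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # must carry our id and have QR=1
        raise ValueError("not a response to our query")
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)), an

def query(name, resolver, timeout=2.0):
    """Ask resolver directly over UDP/53, bypassing the OS stub resolver. A server
    that never answers yields ("TIMEOUT", 0), unlike one that answers NXDOMAIN."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", 0
    return parse_response(data, txid)

def diagnose(pf_result, public_result):
    """Interpret the pfSense answer next to a public resolver's answer for the same
    name (heuristic written for this example, not a pfSense rule)."""
    pf_rcode, _ = pf_result
    pub_rcode, pub_answers = public_result
    if pf_rcode == "TIMEOUT":
        return "no reply from pfSense: the client is not reaching unbound"
    if pf_rcode == "NXDOMAIN" and pub_rcode == "NOERROR" and pub_answers:
        return "unbound denies the name while a public resolver has it: check host overrides, pfBlocker, forwarding"
    if pf_rcode == "SERVFAIL":
        return "unbound could not resolve: authoritative servers unreachable or DNSSEC failure"
    return "answers agree: check which DNS server the client app actually uses"

if __name__ == "__main__":  # 192.168.1.1 = pfSense LAN IP from the thread; 9.9.9.9 = assumed public resolver
    pf, public = query("www.netflix.com", "192.168.1.1"), query("www.netflix.com", "9.9.9.9")
    print("pfSense:", pf, "public:", public, "->", diagnose(pf, public))
```

Run it from the same client that shows the error, so the packets take the same path as the browser's queries.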
-
@gertjan pfSense uses 127.0.0.1 as its nameserver (it was displayed when using the pfSense DNS lookup tool). I checked all settings on my Win10 client and even captured the packets with Wireshark: the packets were definitely sent to pfSense and were processed there (I saw the specific lookup request I made in the unbound logs). Good idea to check the resolution with the CLI, thx.
However in the meantime, it seems like it's working:
I have noticed that I hadn't upgraded my pfSense for more than 3 months. Therefore I checked for updates and saw that version 2.6.0 was available. I installed it and as of now, the problems are gone.
Don't know if this was a bug in the previous version or what, but it was definitely strange...