Firewall blocking Quad9?

CreationGuy · Oct 19, 2022, 3:04 PM

I was looking through the FW logs and noticed this:

WAN interface is the source, why would this be blocked? I am not sure where this would be configured. I do have pfsense set to use DNS TLS / Quad9 using this guide. I don't see any deny's for 9.9.9.9.

johnpoz · Oct 19, 2022, 3:20 PM

@creationguy that is an out of state block notice the A, and then even the FA. The P stands for PUSH which has no effect.

My guess would be your states/state for that connection reset so without a state then yes a ACK would be denied. It amounts to log spam..

CreationGuy · Oct 19, 2022, 3:24 PM

@johnpoz I did reset the Firewall state, just troubleshooting from my other post.

Any reason why the secondary Quad9 IP would be blocked? Is it because it was out of state? I don't see any more blocks now.

johnpoz · Oct 19, 2022, 3:38 PM

@creationguy are you asking why you didn't see block to the 9.9.9.9 address and only the 149 address. Maybe it recreated a state for that connection. Or maybe it was actively using the 149 when you reset the states.

Its not like its going to be using both of them at the same time, etc. To be honest using the 2 different IPs like that can be problematic in the sense that the if they return different sort of results the .112 one is the same as 9.9.9.9 for features but if you were using say the 112.10 or 112.11 those are different than the 9999 one, one is edns enabled and the other is no blocking, etc..

When you set more than one NS, need to make sure they return the exact same info. ie blocking with same lists, dnssec or not, edns or not, etc.. If you use different providers that you forward too you can run into inconsistencies

But seeing ACK sort of blocks are somewhat common to see, they amount to log spam if your seeing a lot of them you might think about disable that logging. If you were seeing SA (SYN,ACK) then that would/could point to asymmetrical flow..

SteveITS · Oct 19, 2022, 3:44 PM

@creationguy what John said, but https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

CreationGuy · Oct 19, 2022, 3:47 PM

@johnpoz
I can remove it, Quad9 says that
9.9.9.9 / 149.112.112.112 is

"Recommended: Malware Blocking, DNSSEC Validation (this is the most typical configuration)"

I figured that 149 was the secondary in case the primary was too slow or went down.

SteveITS · Oct 19, 2022, 3:48 PM

@creationguy said in Firewall blocking Quad9?:

149 was the secondary in case the primary was too slow or went down.

Correct. They do have others, such as .11 and .10
https://www.quad9.net/service/service-addresses-and-features

johnpoz · Oct 19, 2022, 4:13 PM

@creationguy said in Firewall blocking Quad9?:

I figured that 149 was the secondary in case the primary was too slow or went down.

Primary or Secondary are really meaningless terms when it comes do dns.. When you setup multiple NS for a system to use, you really have no way to know which one it will be using at any given time, etc.

Which is why you want to make sure they return the same info.. If one of the NS your using is blocking with list A, even if NS is also a blocking one, but it might be using list B for example - now sometimes something is blocked, and maybe other times its not, etc.

If you want to have more than one NS your forwarding too - that is fine, but 3 days from now you have no idea which one it might be using at the time, etc. So you want to make sure all the NS you list, return the same data. Does it do dnssec, or not, edns, blocking with the same list of bad sites/malware/etc - you mostly can get in trouble with that is when you use different services, opendns vs quad9 or google, etc.

SteveITS · Oct 19, 2022, 4:15 PM

@johnpoz said in Firewall blocking Quad9?:

make sure they return the same info

The two he's using are the same list/service. It's the other IPs that are other variations.

johnpoz · Oct 19, 2022, 4:30 PM

@steveits exactly ;)