Curious behaviour - DNS problem with support.xbox.com
-
Hi All
Trying to access support.xbox.com and I just get a spinning icon. I've narrowed it down to a DNS issue - if I switch my PC to direct DNS from Google it's fine, but if I use unbound on the pfSense box (which uses the same Google DNS servers), it spins - regardless of browser or device (iPad, PC, Edge, Firefox, Safari, etc.) - it's OK on the iPhone - but that's a mobile page, not a desktop site.
Any ideas as to where I can find the problem/error - assume unbound is checking/blocking something?
I run pfblocker, but my Guest Wifi exhibits the same, but that's not covered by pfblocker (exempted when I run the wizard).
thanks
Paul -
@thondwe Just the one hostname? Not xbox.com or microsoft.com or anything else?
I've seen a few posts over the last 8 months about DNS in 22.05 needing a restart to work, but have not experienced any problems on the ones we upgraded. And that was generally any DNS lookup as I recall.
Do you have any non-default settings like DNSSEC on?
-
@steveits unbound settings are all default - what's additionally odd today is that Edge on the iPad can now display the site, but NOT Safari - which, given they are both WebKit underneath, is odd. But no other combos work (W11 Edge .
General DNS Settings
DNSSEC
Python Module
Enable Forwarding Mode
Advanced setup - these are ticked
Hide Identity
Hide Version
Harden DNSSEC data
Keep Probing
Checking with Chrome, I can see a bunch of errors -
Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css:1
DevTools failed to load source map: Could not parse content for https://support.xbox.com/static/js/FabricMdl2Assets.92328aef.chunk.js.map: Unexpected token '<', "<!doctype "... is not valid JSON
DevTools failed to load source map: Could not parse content for https://support.xbox.com/static/js/19.46119367.chunk.js.map: Unexpected token '<', "<!doctype "... is not valid JSON
DevTools failed to load source map: Could not parse content for https://support.xbox.com/static/js/main.0ba9d07e.chunk.js.map: Unexpected token '<', "<!doctype "... is not valid JSON
DevTools failed to load source map: Could not parse content for https://support.xbox.com/static/js/SegoeXboxMdl2.86f85af1.chunk.js.map: Unexpected token '<', "<!doctype "... is not valid JSON
DevTools failed to load source map: Could not parse content for https://support.xbox.com/static/js/13.58ae4487.chunk.js.map: Unexpected token '<', "<!doctype "... is not valid JSON
DevTools failed to load source map: Could not parse content for https://support.xbox.com/static/css/13.ce81f26f.chunk.css.map: Unexpected token '<', "<!doctype "... is not valid JSON
DevTools failed to load source map: Could not parse content for https://support.xbox.com/static/css/main.b86cbf16.chunk.css.map: Unexpected token '<', "<!doctype "... is not valid JSON
-
@thondwe said in Curious behaviour - DNS problem with support.xbox.com:
Enable Forwarding Mode
If you're going to forward, there is little point to setting dnssec - where you forward does dnssec or it doesn't..
Forwarding mode is not default.. But those errors are not dns related.
-
@thondwe said in Curious behaviour - DNS problem with support.xbox.com:
General DNS Settings
DNSSEC
Python Module
Enable Forwarding Mode
Advanced setup - these are ticked
Hide Identity
Hide Version
Harden DNSSEC data
Keep Probing
Unless I'm just used to seeing really old settings, I don't think any of those are the out of box default...?
https://support.xbox.com/static/js/FabricMdl2Assets.92328aef.chunk.js.map
This yields a 404 page in my browser. I didn't try the others.
-
@steveits getting errors in your browser about
"Unexpected token '<', "<!doctype "... is not valid JSON"
is not a dns issue - you could not have gotten there if support.xbox.com was not resolved to an IP. Unless you're saying the wrong IP was resolved is the reason for the problem?
But yeah using python mode and forwarding are for sure not "default" settings.
-
@johnpoz said in Curious behaviour - DNS problem with support.xbox.com:
is not a dns issue
Yep. I didn't explain it at all, but the "token" message is saying, "I asked for JSON but got HTML back and don't know what to do with it."
@Thondwe
Finding out what the DNS answer is on each device might help with the DNS question. I have a Dig app on my phone but it doesn't seem to work lately...haven't looked for another.
-
@steveits he should turn off dnssec if he is forwarding - that for sure can be problematic with stuff..
If he is forwarding to google - it already does dnssec..
So for example 9.9.9.10 does not do any dnssec..
$ dig www.dnssec-failed.org @9.9.9.10

; <<>> DiG 9.16.34 <<>> www.dnssec-failed.org @9.9.9.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59561
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; ANSWER SECTION:
www.dnssec-failed.org. 7200 IN A 69.252.193.191
www.dnssec-failed.org. 7200 IN A 68.87.109.242

;; Query time: 87 msec
;; SERVER: 9.9.9.10#53(9.9.9.10)
;; WHEN: Sat Jan 07 00:35:32 Central Standard Time 2023
;; MSG SIZE rcvd: 88
If you just query 8.8.8.8, which does, it fails because that fqdn's dnssec is broken on purpose.
$ dig www.dnssec-failed.org @8.8.8.8

; <<>> DiG 9.16.34 <<>> www.dnssec-failed.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12016
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; Query time: 110 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 07 00:31:17 Central Standard Time 2023
;; MSG SIZE rcvd: 50
If you're going to forward to google, there is no point in having dnssec checked in unbound. It's only going to be problematic, cause extra queries and can slow down dns resolution time.
-
@johnpoz Advice re DNSSec noted, though I forward to Cloudflare rather than Google - less tracking - assume it does DNSSEC the same way as Google etc.
Turns out the problem was with pfBlocker - it replaced one of the URLs that Xbox support uses for stats collection - normally this is fine, but it seems to upset the web page and hence sent it into a spin. Don't recall any other issue like that and I've had pfBlocker running for a good few years.
Thanks for advice all
Paul -
@thondwe yeah Cloudflare does dnssec - no need to enable it in unbound
$ dig www.dnssec-failed.org @1.1.1.1

; <<>> DiG 9.16.34 <<>> www.dnssec-failed.org @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25889
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for dnssec-failed.org.)
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; Query time: 99 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Jan 07 06:20:31 Central Standard Time 2023
;; MSG SIZE rcvd: 107
All the major players do dnssec - unless they have a specific IP to use that doesn't - but all of the main IPs of the major players are doing dnssec out of the box - if you're going to forward to them, no need to have it checked in unbound.
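An added script, not posted by anyone in this thread, that mechanises the check johnpoz runs above: parse dig's text output for a query against www.dnssec-failed.org and classify the upstream as validating (SERVFAIL, empty answer section) or not (addresses returned). The names DigResult, parse_dig and upstream_validates are my own; the embedded samples are trimmed from the 9.9.9.10 and 1.1.1.1 responses quoted in the thread, so it runs without network access.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DigResult:
    server: str           # resolver that answered, from the ";; SERVER:" line
    status: str           # RCODE text from the ->>HEADER<<- line
    ede: Optional[int]    # Extended DNS Error code (RFC 8914), if one was sent
    answers: list[str] = field(default_factory=list)   # RDATA of ANSWER records

def parse_dig(output: str) -> DigResult:
    """Pull status, server, EDE code and ANSWER-section RDATA out of dig's text output."""
    status = re.search(r"status: (\w+)", output).group(1)
    server = re.search(r";; SERVER: ([^#\s]+)#", output).group(1)
    ede = re.search(r"EDE: (\d+)", output)
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";")):
            in_answer = False          # blank line or next section ends the answers
        elif in_answer:
            answers.append(line.split()[-1])   # last field is the RDATA (the address)
    return DigResult(server, status, int(ede.group(1)) if ede else None, answers)

def upstream_validates(r: DigResult) -> bool:
    """Only meaningful for a query against a deliberately broken zone such as
    www.dnssec-failed.org: a validator answers SERVFAIL with an empty ANSWER section,
    a non-validator returns the addresses (9.9.9.10 even attaches EDE 9 to its NOERROR
    answer, so the EDE code alone proves nothing)."""
    return r.status == "SERVFAIL" and not r.answers

# Trimmed copies of the dig responses quoted in this thread (tabs as dig prints them).
QUAD9_UNFILTERED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59561
; EDE: 9 (DNSKEY Missing)
;; ANSWER SECTION:
www.dnssec-failed.org.\t7200\tIN\tA\t69.252.193.191
www.dnssec-failed.org.\t7200\tIN\tA\t68.87.109.242

;; SERVER: 9.9.9.10#53(9.9.9.10)
"""
CLOUDFLARE = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25889
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for dnssec-failed.org.)
;; SERVER: 1.1.1.1#53(1.1.1.1)
"""
if __name__ == "__main__":
    for out in (QUAD9_UNFILTERED, CLOUDFLARE):
        r = parse_dig(out)
        print(f"{r.server}: {r.status}, EDE={r.ede}, validating={upstream_validates(r)}")
```

To test a live forwarder, pipe `dig www.dnssec-failed.org @<resolver>` output into parse_dig; a result of validating=True for your upstream is the case where enabling DNSSEC in unbound adds nothing.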