No internet on LAN
-
@johnpoz it could be my building's router that is blocking the DNS queries. Right now I have 3 networks going on. The building's LAN/wifi, my unifi router/switch/WAP, and this pfSense VM. The last two are using the building's LAN as their WAN, and both have 192.168.0|1 subnet masks
I won't have time today to do the above tests, but will definitely get to it tomorrow. I would also like to maintain DNSSEC and as many defaults as possible before doing my own exploration with subnets and plugins.
Thank you all for your help so far!
-
@rakya well not so much "blocking", they are redirecting to something, that is for sure.. For dnssec to function correctly you need to be talking directly to the authoritative name servers for a domain, to validate.. If you're being redirected that doesn't function correctly.. Also why dnssec makes no sense when you forward.. While you might not get dnssec validation failing all the time, it's quite possible it will fail because of the nature of how dnssec works when you forward.. It is pointless to try and do dnssec when you forward.
If your dns is being redirected, dnssec is not going to function correctly.. To get around the redirection, you could do dns over tls; dnssec will be done by where you forward to in this case.. When you forward, where you forward to either does dnssec, or they don't; you asking unbound to directly do dnssec while forwarding is not a valid setup.
You could route your resolving via vpn.. If that is the case then you could do dnssec.
-
Yeah I was assuming the 'building' is the provider in this case.
-
@stephenw10 ah ok.. It might be done by accident, it's possible it's just some default function of the router being used at the location. Or it could be done on purpose? If the isp is doing it, I would get with the isp and ask why.. And if you can not get a valid answer, and have them turn that off for you - I would be searching for a different ISP to be honest.
If the building has it enabled, ask them to disable that feature - at least for your connection. It is possible the building is trying to do a good thing and have the router cache dns for its users.. And doesn't really understand the implications of redirection of dns.. And had turned on dns redirection in the router not understanding exactly what that meant.
-
@johnpoz Just to hop in, it may not be malicious in intent…we thought about it briefly for our building, to forward to a DNS filter, but decided it wasn’t worth any potential confusion/hassle (from anyone who knew what they were doing).
-
@SteveITS completely agree, it could be an attempt at helping without understanding the full implications.. Completely agree.
-
@johnpoz @stephenw10
So the building/landlord has a commercial/business grade subscription with my ISP (Spectrum, the local monopoly). And the building's wifi setup is very bare bones, they don't give a separate SSID per unit, they have 1 wireless network for everyone. (That's where I was able to sniff packets belonging to my neighbors using Wireshark -- just for testing purposes)
That's what prompted the need to get more into network management, and eventually find pfSense and vyos.
I'm going to have a very hard time convincing my landlords to ask Spectrum about these settings, which neither the landlord nor I understand well enough to speak intelligently about without the use of a forum, and there aren't many (really any) alternative isps in the area.
-
@rakya You had written it was wired, in your OP... To use wireless you'd want to use your own access point and put it behind your pfSense.
I doubt Spectrum is blocking DNS...more likely the building.
If you connect to the building Wi-Fi, or plug in to the wall, then find out what DNS servers are used (e.g. run "ipconfig /all" at a Windows command line) and then forward pfSense to that.
Services/DNS Resolver:
uncheck "Enable DNSSEC Support"
check "Enable Forwarding Mode"
System/General Setup:
add the above DNS server IP(s). One should suffice for testing.
-
@SteveITS said in No internet on LAN:
I doubt Spectrum is blocking DNS...more likely the building.
Completely agree - it's most likely a checkbox on the router in the building provided by the carrier.. I find it almost impossible to imagine a business line would be blocking dns.
A quick google finds this:
https://cleanbrowsing.org/help/docs/disable-spectrum-securityedge/
Security Edge will hijack your DNS and force your network to use the Spectrum DNS provider.
-
@johnpoz said in No internet on LAN:
Security Edge will hijack your DNS and force your network to use the Spectrum DNS provider.
-
@SteveITS
So I found my building's dns server address (it's in the same address space as my WAN address; does that confirm that I have created a subnet off my building's LAN?), but pfsense didn't ask for it when I enabled DNS forwarding mode, as you prescribed. Initially I checked the box right under it too for "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" but that made things not work (even though I was still able to ping google while it was on), so I removed it and everything still seems to work.
I had a question about why I should do this:
Am I banking on the upstream DNS having DNSSEC enabled? I was getting a working internet connection without it enabled, what is the point of doing the forward?
-
@rakya maybe you're not understanding what is going on - they are intercepting your dns; it doesn't matter where you point to or forward to.. They intercept and send it to wherever they are sending it to.
Remember when you did the directed query towards 1.2.3.4, that address does not answer dns.. That you got an answer is a smoking gun that they are intercepting your dns. Be it malevolent or benevolent is the only question.. My guess it is benevolent, and either done without knowing, or on purpose trying to help.
See my above post about the setting that can be done on the spectrum routers to do that. I would bet a large sum of money that is what is going on.
Yes, normally when you forward, they either do dnssec or they don't. The fact that you trust them enough to forward to them would assume trust in them doing dnssec; if you don't trust them to be doing dnssec correctly, why are you forwarding to them?
-
But they may not intercept DoT on port 853 since that would always break. So if you are forwarding to something that accepts DoT, like 8.8.8.8, I'd expect that to work.
-
@stephenw10 very true, using dot or doh to prevent interception is a valid use case for those 2 protocols.
I personally don't have any issues with the actual tech, what I have a problem with is doh, and your browser or app using it without your clear acknowledgement of the fact..
If the network you're connected to is intercepting dns, then sure, use of dot would be one way to actually forward to where you want without them intercepting it and redirecting it to their own dns.
But it's going to be impossible for you to actually resolve in such a setup.. And if you're not actually talking to the authoritative NSers then yeah, dnssec is going to fail.. As it is designed to do.
So you can either get with the landlord or whoever has access to this isp router to turn off that intercept feature. Or you can just forward and let it be intercepted.. Or you can forward via dot to circumvent their interception, or you could use doh on your clients directly as another method of circumventing their interception.
Or you could set up a vpn and resolve your dns via the vpn connection, which would also circumvent their interception of your dns.. But with their interception you're not going to be able to directly resolve, nor is dnssec going to work.
Turning off dnssec and leaving it in "resolve" mode could work, but your dns is still being intercepted.. And most likely it's going to fail, because the answers you get are not really going to be what the resolver is looking for when it resolves.
If it was me I would go the vpn route and resolve through that connection. You could get a cheap vps, a couple of bucks a month, and just route your dns traffic through that.. if you can not get the building you're in to turn off that dns feature the isp router is doing.
If that is too complicated for you.. Then just set up dot forwarding to some dns you trust to use, googledns, cloudflare, quad9, etc.. etc.. Not like there are not plenty to choose from.. They all have the best interests of everyone as their only motivation for wanting users to send them their dns queries ;) heheheh
I mean it's not like these companies are out to make money or anything, I mean how much could it cost to set up a global dns infrastructure that can provide dns to the planet ;) Why not just do it for free.. I mean what else could their motivation be - if not to just provide free service to the planet ;) ehehhehe
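The two checks this thread leans on, written out as an added example that is not code from the thread or from pfSense: a plain UDP query sent to 1.2.3.4 (a host that runs no DNS server, so any answer at all is the "smoking gun" johnpoz describes for port 53 interception) and the same query carried over DNS-over-TLS to 8.8.8.8 on port 853, which a middlebox that only hijacks port 53 cannot answer in the resolver's place, as stephenw10 notes. The query builder, parser and classifier run offline against a constructed reply; the two probe functions do real network I/O and are only invoked from main(). The TLS name dns.google used for certificate verification is an assumption not stated in the thread.

```python
"""Probe for DNS interception (added example, not code from the thread)."""
from typing import Optional
import socket
import ssl
import struct

NON_DNS_HOST = "1.2.3.4"   # from the thread: runs no DNS server, so it must never answer
DOT_RESOLVER = "8.8.8.8"   # from the thread: accepts DNS over TLS on port 853
DOT_NAME = "dns.google"    # assumed TLS name for 8.8.8.8's certificate (not in the thread)

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(data: bytes, pos: int) -> int:
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length

def parse_response(data: bytes) -> dict:
    """Minimal parser: header fields plus A-record answers as dotted quads."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    answers = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        answers.append(socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex())
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "answers": answers}

def classify(reply: Optional[bytes], expect_answer: bool) -> str:
    """Read a probe the way the thread does: an answer from a host that runs
    no DNS server can only come from something intercepting port 53."""
    if reply is None:
        return "unreachable" if expect_answer else "clean"
    try:
        parsed = parse_response(reply)
    except (struct.error, IndexError, OSError):
        return "garbage"
    if not parsed["is_response"]:
        return "garbage"
    return "answered" if expect_answer else "intercepted"

def probe_udp(server: str, name: str, timeout: float = 2.0) -> Optional[bytes]:
    """Plain DNS over UDP/53; None when nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf

def probe_dot(server: str, name: str, tls_name: str, timeout: float = 5.0) -> Optional[bytes]:
    """DNS over TLS (RFC 7858): TCP/853, each message prefixed by a 2-byte length."""
    query = build_query(name)
    ctx = ssl.create_default_context()  # verifies the resolver's certificate chain
    try:
        with socket.create_connection((server, 853), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
                tls.sendall(struct.pack("!H", len(query)) + query)
                size = struct.unpack("!H", _recv_exact(tls, 2))[0]
                return _recv_exact(tls, size)
    except OSError:  # ssl.SSLError and socket.timeout are subclasses
        return None

# Constructed sample: what an interceptor's answer to the 1.2.3.4 probe could look
# like (question echoed back, one A record; the address is made up for the sample).
SAMPLE_INTERCEPTED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + build_query("example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print("constructed sample ->", classify(SAMPLE_INTERCEPTED_REPLY, expect_answer=False))
    print("UDP/53 to", NON_DNS_HOST, "->", classify(probe_udp(NON_DNS_HOST, "example.com"), False))
    print("DoT/853 to", DOT_RESOLVER, "->", classify(probe_dot(DOT_RESOLVER, "example.com", DOT_NAME), True))
```

On a clean path the UDP probe to 1.2.3.4 times out ("clean") and the DoT probe returns "answered"; on the network described in the thread the UDP probe comes back "intercepted" while DoT still returns "answered" unless port 853 is also blocked, in which case it reports "unreachable". Note that `classify` only tells you whether something answered in a non-resolver's place; it says nothing about DNSSEC, which, as the thread explains, cannot validate through an interceptor either way.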