No internet on LAN
-
@johnpoz Just to hop in, it may not be malicious in intent…we thought about it briefly for our building, to forward to a DNS filter, but decided it wasn’t worth any potential confusion/hassle (from anyone who knew what they were doing).
-
@SteveITS Completely agree, it could be an attempt at helping without understanding the full implications. Completely agree.
-
@johnpoz @stephenw10
So the building/landlord has a commercial/business-grade subscription with my ISP (Spectrum, the local monopoly). And the building's Wi-Fi setup is very bare bones: they don't give a separate SSID per unit, they have one wireless network for everyone. (That's where I was able to sniff packets belonging to my neighbors using Wireshark, just for testing purposes.)
That's what prompted the need to get more into network management, and eventually find pfSense and VyOS.
I'm going to have a very hard time convincing my landlords to ask Spectrum about these settings, which neither the landlord nor I understand well enough to speak intelligently about without the use of a forum, and there aren't many (really any) alternative ISPs in the area. -
@rakya You had written it was wired, in your OP... To use wireless you'd want to use your own access point and put it behind your pfSense.
I doubt Spectrum is blocking DNS...more likely the building.
If you connect to the building Wi-Fi, or plug into the wall, then find out what DNS servers are used (e.g. run "ipconfig /all" at a Windows command line) and then forward pfSense to that.
Services/DNS Resolver:
uncheck "Enable DNSSEC Support"
check "Enable Forwarding Mode"
System/General Setup:
add the above DNS server IP(s). One should suffice for testing. -
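As an added illustration (not from this thread, and not the file pfSense itself writes), here is a hand-written unbound.conf that expresses the same settings the GUI steps above toggle, with the plain-port-53 forward beside the DoT forward that a later reply in this thread suggests. pfSense drives Unbound under the hood; the LAN range, the building resolver address and the CA bundle path are placeholders.

```conf
# Added example: standalone Unbound equivalent of the pfSense settings in
# this thread.  Hand-written for illustration; not pfSense's generated file.
server:
    interface: 192.168.1.1              # pfSense LAN address (assumed)
    access-control: 192.168.1.0/24 allow
    # "Enable DNSSEC Support" unchecked == no validator module.  The default
    # is "validator iterator"; keep that if you forward to a server you
    # trust to return correct DNSSEC data.
    module-config: "iterator"
    # Required for "Use SSL/TLS for outgoing DNS Queries": the CA bundle
    # used to verify the upstream's certificate (path assumed).
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Option A, "Enable Forwarding Mode" plus the IP from "ipconfig /all":
# plain UDP/TCP 53.  Works even if the building intercepts port 53, because
# the interceptor simply answers in the server's place, which also means
# you cannot tell whether 203.0.113.53 ever saw the query.
forward-zone:
    name: "."
    forward-addr: 203.0.113.53          # building resolver (placeholder)

# Option B, the TLS checkbox: same forward-zone, but port 853 with the
# upstream's name after "#" so the certificate is checked.  Only use this
# against a server that actually speaks DoT; an ISP/building resolver that
# only listens on 53 will time out, which is the symptom of "TLS on, ping
# works, names do not".  Unbound rejects two zones named ".", so enable one
# block, not both.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 8.8.8.8@853#dns.google
#    forward-addr: 8.8.4.4@853#dns.google
```

With option B active, re-enabling the validator module is reasonable again, since the answers are then coming from the named upstream rather than from whatever rewrites port 53.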
@SteveITS said in No internet on LAN:
I doubt Spectrum is blocking DNS...more likely the building.
Completely agree - it's most likely a checkbox on the router in the building provided by the carrier. I find it almost impossible to imagine a business line would be blocking DNS.
A quick Google search finds this:
https://cleanbrowsing.org/help/docs/disable-spectrum-securityedge/
Security Edge will hijack your DNS and force your network to use the Spectrum DNS provider.
-
@johnpoz said in No internet on LAN:
Security Edge will hijack your DNS and force your network to use the Spectrum DNS provider.
-
@SteveITS
So I found my building's DNS server address (it's in the same address space as my WAN address; does that confirm that I have created a subnet off my building's LAN?), but pfSense didn't ask for it when I enabled DNS forwarding mode, as you prescribed. Initially I checked the box right under it too for "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers", but that made things not work (even though I was still able to ping Google while it was on), so I removed it and everything still seems to work.
I had a question about why I should do this:
Am I banking on the upstream DNS having DNSSEC enabled? I was getting a working internet connection without it enabled; what is the point of the forward? -
@rakya Maybe you're not understanding what is going on: they are intercepting your DNS; it doesn't matter where you point to or forward to. They intercept and send it to wherever they are sending it to.
Remember when you did the directed query towards 1.2.3.4? That address does not answer DNS. That you got an answer is a smoking gun that they are intercepting your DNS. Be it malevolent or benevolent is the only question. My guess is it is benevolent, and either done without knowing, or on purpose trying to help.
See my above post about the setting that can be done on the Spectrum routers to do that. I would bet a large sum of money that is what is going on.
Yes, normally when you forward, they either do DNSSEC or they don't. The fact that you trust them enough to forward to them would assume trust in them doing DNSSEC; if you don't trust them to be doing DNSSEC correctly, why are you forwarding to them?
-
But they may not intercept DoT on port 853 since that would always break. So if you are forwarding to something that accepts DoT, like 8.8.8.8, I'd expect that to work.
-
@stephenw10 Very true, using DoT or DoH to prevent interception is a valid use case for those 2 protocols.
I personally don't have any issues with the actual tech; what I have a problem with is DoH, and your browser or app using it without your clear acknowledgement of the fact.
If the network you're connected to is intercepting DNS, then sure, use of DoT would be one way to actually forward to where you want without them intercepting it and redirecting it to their own DNS.
But it's going to be impossible for you to actually resolve in such a setup. And if you're not actually talking to the authoritative NSers then yeah, DNSSEC is going to fail, as it is designed to do.
So you can either get with the landlord or whoever has access to this ISP router to turn off that intercept feature. Or you can just forward and let it be intercepted. Or you can forward via DoT to circumvent their interception, or you could use DoH on your clients directly as another method of circumventing their interception.
Or you could set up a VPN and resolve your DNS via the VPN connection, which would also circumvent their interception of your DNS. But with their interception you're not going to be able to directly resolve, nor is DNSSEC going to work.
Turning off DNSSEC and leaving it in "resolve" mode could work, but your DNS is still being intercepted. And most likely it's going to fail, because the answers you get are not really going to be what the resolver is looking for when it resolves.
If it was me I would go the VPN route and resolve through that connection. You could get a cheap VPS, a couple of bucks a month, and just route your DNS traffic through that, if you cannot get the building you're in to turn off that DNS feature the ISP router is doing.
If that is too complicated for you, then just set up DoT forwarding to some DNS you trust to use: Google DNS, Cloudflare, Quad9, etc., etc. Not like there are not plenty to choose from. They all have the best interests of everyone for their only motivation for wanting users to send them their DNS queries ;) heheheh
I mean it's not like these companies are out to make money or anything; I mean how much could it cost to set up a global DNS infrastructure that can provide DNS to the planet ;) Why not just do it for free? I mean what else could their motivation be, if not to just provide free service to the planet ;) ehehhehe
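Two things in this thread lend themselves to a worked example: johnpoz's "smoking gun" (a query sent to 1.2.3.4, an address that runs no DNS server, still got an answer, so something on the path is rewriting port 53) and stephenw10's point that forwarding over DoT to port 853 sidesteps that. The script below is an added example, not code from the thread, pfSense or Unbound. It builds and parses raw DNS messages, encodes johnpoz's reasoning in `verdict()`, and shows the DoT framing (two-byte length prefix inside a verified TLS session to port 853). 8.8.8.8 / dns.google is the assumed DoT upstream; `SAMPLE_REPLY` is a constructed answer, not a capture, using the documentation address 192.0.2.1 so the parser can be exercised offline.

```python
"""DNS interception probe and DoT framing (added example, not from the thread).

  1. probe_udp() sends a plain UDP/53 query; verdict() applies the thread's
     logic: a reply from a host that runs no DNS server proves interception.
  2. dot_frame()/dot_query() carry the same message over TLS to port 853
     (RFC 7858), where a port-53 interceptor cannot answer in the server's
     place without failing certificate verification.
"""
import random
import socket
import ssl
import struct
from typing import Optional


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """RFC 1035 query: 12-byte header with RD=1, one question, class IN."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode, the AD (DNSSEC-validated) flag and the answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # A record -> dotted quad
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "answers": answers}


def verdict(target_runs_dns: bool, reply: Optional[bytes]) -> str:
    """A reply from a host that runs no DNS server can only be an interceptor."""
    if reply is None:
        return "no reply"
    if not target_runs_dns:
        return "intercepted"
    return "answered (AD set)" if parse_response(reply)["ad"] else "answered (AD clear)"


def probe_udp(server_ip: str, query: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Plain UDP/53 query; None on timeout (what a non-DNS host should give)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


def dot_frame(query: bytes) -> bytes:
    """TCP/DoT framing: two-byte big-endian length prefix before the message."""
    return struct.pack("!H", len(query)) + query


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_ip: str, query: bytes, server_name: str, timeout: float = 5.0) -> bytes:
    """One query over verified TLS to port 853; returns the raw DNS reply."""
    ctx = ssl.create_default_context()                 # verifies chain + hostname
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(dot_frame(query))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return _recv_exact(tls, length)


# Constructed reply (not a capture) to "example.com A", txid 0x1234, flags
# 0x8180 (QR,RD,RA; AD clear), one answer via pointer 0xC00C, TTL 3600, 192.0.2.1.
SAMPLE_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"
                b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")

if __name__ == "__main__":
    q = build_query("example.com")
    print("1.2.3.4 over UDP/53:", verdict(False, probe_udp("1.2.3.4", q)))
    print("dns.google over DoT:", parse_response(dot_query("8.8.8.8", q, "dns.google")))
```

Run as a script it repeats the thread's test: "intercepted" on the first line means the building is rewriting port 53 regardless of where pfSense forwards; the second line should still resolve, because the interceptor would have to present a certificate for dns.google to answer on 853, which `create_default_context()` refuses.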