DNS resolving fails for a website

Greetings.

So I have an issue where none of my browsers are able to resolve a domain name (otpbank.hu, my bank). But if I do an nslookup in the terminal it returns the correct address. So far this is the only website that has issues, and it is not limited to a single machine. I use the resolver built into pfSense and blocked all outside DNS servers.

Any ideas why the hell this single site is failing while others work just fine?

Thanks in advance! :slight_smile:

Are you sure it's DNS and not blocked traffic?
Exclude potential problem locations. Have you ruled out a general problem, and not just pf, as the cause? If not, check whether it works without pf.
Use a different browser.
Use a different DNS server, preferably DoH.
Is traffic able to reach the bank's server? (mtr)
Does the bank's domain / IP appear on any blacklist in pf or any browser plugin?

Well, if pfSense or any add-on were the culprit, I would see the block action in the firewall log (which I didn't). Plus nslookup did resolve the domain correctly:

heathcliff@pop-os:~$ nslookup otpbank.hu 10.125.210.1
Server: 10.125.210.1
Address: 10.125.210.1#53

Non-authoritative answer:
Name: otpbank.hu
Address: 195.228.112.250

I used a website to query an outside DNS but it returned the same IP. As for the DNS server, it uses Cloudflare. DoH is disabled in the browsers. I tried FF and Chromium. FF says it cannot connect; Chromium, on the other hand, spouts out the "DNS_PROBE_FINISHED_NXDOMAIN" error…
Unfortunately I can't pull out the pfSense box to test without it.

Something is blocking or not properly forwarding queries from the NS.
I can connect to this domain no matter what DNS, just like using the IP directly. Are you able to access the site using 195.228.112.250? It should be possible; only the cert will report an error, but that is not important for the purpose of the test.
If the bank page doesn't load even using the IP, then the direct cause is probably not DNS.

What does traceroute say? Are you able to get packets to 195.228.112.250?

Turn on DoH and check then. The point is to make NS queries bypass your pf completely, to be absolutely sure where the problem lies.

You can also force the name to be resolved: set the domain and IP in the hosts file, then turn off DoH in the browser and check if it connects. In this situation it must work. If it still doesn't work, it's rather not a problem in DNS. Of course, flush DNS on the local machine and on pf, by the way.

If it still doesn't work then the fault is probably not in DNS.

Well, when using the IP, FF just switches over to its DNS name and then fails to connect; Chromium, on the other hand, tries with the IP and gives the SSL error. Can't run tracert because the server won't respond to ping.

Add -> 195.228.112.250 otpbank.hu <- to the hosts file on the local machine and flush DNS…

The name must resolve correctly. If it still doesn't, then the problem is elsewhere.
What does dig say? Just do not specify a specific NS, but let it use what the OS has given.

Nope, same issue after adding the hosts file entry. As for nslookup, it will use the local resolver (127.0.0.1):
heathcliff@pop-os:~$ nslookup otpbank.hu
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: otpbank.hu
Address: 195.228.112.250

What I did was bypass this by specifying an NS and directing it to ask the router straight away.

So it seems that this is not a problem with DNS. Something is blocking traffic to the domain / IP.
Either on the local machine or on pf. Some blacklist, geolocation… Some wrong configuration.

Since it is not possible to connect per IP or per domain, even when it is permanently added to the hosts file, it can be quite solidly stated that DNS is not to blame.
You have a mess in the system; it would be best to start clean from the beginning.

Are you even able to download index.html?
wget otpbank.hu

Chrome connects over IP, it just throws an SSL error… I bypassed pfSense by sharing my phone's internet, and that way it worked right away. The interesting thing here is that it now works over my normal network too… (Probably it's cached; a DNS flush would kill it, I assume.)

I would notice a DNS block because in that case it either won't return anything or it resolves to 10.10.10.1.

So you did what I said from the beginning. As part of the test, the pf box had to be eliminated from the equation.

Let’s regroup.

Since your PC gets the site when it doesn't send network traffic through the pf box, it can be stated that the local machine is not the problem.

Since the site does not load when the traffic passes through the pf box, it can be said that the fault lies somewhere in the pf configuration or on the WAN output: an invalid FW rule, VLAN configuration…

I still think that it may not have much to do with DNS. Your PC could not load the page when it had the domain and IP entered in the hosts file. What does this tell us? That it is not necessarily the fault of DNS. The machine could not load the site even when external DNS servers were eliminated from the equation.

In that case, I still think that the most likely reason will be blocking of network traffic somewhere in the pf box, whether by IP, domain or geolocation; maybe IDS is turned on and responds badly. Maybe you have a VPN / Tor / proxy set up and they are blocking this domain.
Maybe the bank has your public IP somewhere on a blacklist. On the other hand, you say that one browser was able to load the site only via IP. :confused:

Perform a DNS flush. But this time, place the PC behind the pf box again, set DNS on the local machine to 1.1.1.1 and unblock 53 on pf. If it still doesn't work, see how wget reacts and whether it is able to download index.html.

You are unable to load site per domain when pf comes into play…
You are able to load the site per domain when pf is out of the question…
You are able to load the site per IP when pf is in the game but only on one browser…

In general, you have an abstract situation and I have to guess in the dark!

PS
No wonder @LTS_Tom charges $200 / h

This seems like a pfBlockerNG issue; if you are using the DNSBL functions of pfBlocker you wouldn't get an alert in your firewall logs. But 10.10.10.1 is the default IP for pfBlocker DNS blocking.

I would review the feeds you are using for DNSBL for the domain name of your bank.

Just as an experiment I tried wgetting index.html in the standard config:
heathcliff@pop-os:~$ wget https://otpbank.hu/index.html
--2019-11-07 16:15:43-- https://otpbank.hu/index.html
Resolving otpbank.hu (otpbank.hu)... 195.228.112.250
Connecting to otpbank.hu (otpbank.hu)|195.228.112.250|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.otpbank.hu/index.html [following]
--2019-11-07 16:15:43-- https://www.otpbank.hu/index.html
Resolving www.otpbank.hu (www.otpbank.hu)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘www.otpbank.hu’

So it fails on the second one…

/EDIT
Looked at pfblocker logs, nothing.

/EDIT2
Suricata block list does not contain the resolved ip of www.otpbank.hu…

/EDIT3
Hm, pfSense actually does resolve it correctly in the web UI. Then why can't the PCs resolve it?

/EDIT4
Modified the config of one of the laptops to use 1.1.1.1; it successfully downloaded index.html.
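An added example, not part of the thread and not the poster's commands or pfSense/pfBlockerNG code, that ties together two points above: the suggestion to pin the name in the hosts file, and the wget run showing that the apex name redirects to www.otpbank.hu. It walks the redirect chain, resolves every hostname on it against several resolvers, and reports which hostname fails where, so a failing redirect target is not masked by a working first hop. The only real values it uses are 195.228.112.250 and the pfBlockerNG sinkhole address 10.10.10.1, both quoted in the thread; the resolver labels, the recorded answers and the www address 192.0.2.10 are constructed placeholders.

```python
# Added example for this thread (editor's code, not the poster's nor pfSense's).
# Walks the redirect chain wget exposed (otpbank.hu -> www.otpbank.hu), resolves
# each hostname on it against several resolvers, and reports where each fails.
# 195.228.112.250 and 10.10.10.1 are quoted in the thread; every other answer
# below is a constructed placeholder.
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]

# pfBlockerNG's default DNSBL sinkhole address, as mentioned in the thread.
DNSBL_SINKHOLE = "10.10.10.1"


def hosts_resolver(hosts_text: str) -> Resolver:
    """Resolver that knows only the names in a hosts-file snippet.

    Follows /etc/hosts conventions: '<address> <name> [alias ...]' per line,
    '#' starts a comment, names are case-insensitive, first match wins.
    """
    table: Dict[str, str] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)
    return lambda name: table.get(name.lower())


def recorded_resolver(answers: Dict[str, Optional[str]]) -> Resolver:
    """Resolver that replays answers captured earlier (e.g. from nslookup)."""
    return lambda name: answers.get(name.lower())


def redirect_chain(start: str, locations: Dict[str, str], limit: int = 10) -> List[str]:
    """Hostnames visited when following HTTP Location redirects from `start`.

    `locations` maps a hostname to the hostname its 30x Location points at.
    Stops at the first host without a redirect, on a loop, or after `limit` hops.
    """
    chain = [start]
    while chain[-1] in locations and len(chain) <= limit:
        nxt = locations[chain[-1]]
        if nxt in chain:  # redirect loop: stop instead of spinning forever
            break
        chain.append(nxt)
    return chain


def classify(answer: Optional[str]) -> str:
    """Turn a raw resolver answer into a short diagnosis."""
    if answer is None:
        return "no answer (NXDOMAIN or resolution failure)"
    if answer == DNSBL_SINKHOLE:
        return "sinkholed by DNSBL"
    return "ok"


def resolution_report(hostnames: List[str],
                      resolvers: Dict[str, Resolver]) -> Dict[str, Dict[str, str]]:
    """For every hostname, the classified answer from every resolver."""
    return {host: {label: classify(resolve(host)) for label, resolve in resolvers.items()}
            for host in hostnames}


def failing_pairs(report: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(hostname, resolver) pairs that fail while some other resolver succeeds.

    A name failing everywhere is a dead name, not a resolver problem, so it is
    skipped; a name failing on only some resolvers is the interesting case.
    """
    pairs: List[Tuple[str, str]] = []
    for host, answers in report.items():
        if any(v == "ok" for v in answers.values()):
            pairs.extend((host, label) for label, v in answers.items() if v != "ok")
    return pairs


# Constructed inputs modelled on the thread: the hosts entry suggested there
# covers only the apex name, and wget showed the apex redirecting to www.
APEX_ADDRESS = "195.228.112.250"
WWW_ADDRESS = "192.0.2.10"  # placeholder (TEST-NET-1); the thread never shows it
SAMPLE_HOSTS = "195.228.112.250 otpbank.hu   # entry suggested in the thread\n"
SAMPLE_REDIRECTS = {"otpbank.hu": "www.otpbank.hu"}

SAMPLE_RESOLVERS: Dict[str, Resolver] = {
    "hosts file": hosts_resolver(SAMPLE_HOSTS),
    "router 10.125.210.1": recorded_resolver(
        {"otpbank.hu": APEX_ADDRESS, "www.otpbank.hu": WWW_ADDRESS}),
    # the PC's stub resolver, which in the thread could not resolve www
    "local stub 127.0.0.53": recorded_resolver(
        {"otpbank.hu": APEX_ADDRESS, "www.otpbank.hu": None}),
    "cloudflare 1.1.1.1": recorded_resolver(
        {"otpbank.hu": APEX_ADDRESS, "www.otpbank.hu": WWW_ADDRESS}),
}


def diagnose(start: str = "otpbank.hu") -> List[Tuple[str, str]]:
    """Resolve every hostname on the redirect chain and list where it fails."""
    chain = redirect_chain(start, SAMPLE_REDIRECTS)
    return failing_pairs(resolution_report(chain, SAMPLE_RESOLVERS))


if __name__ == "__main__":
    chain = redirect_chain("otpbank.hu", SAMPLE_REDIRECTS)
    for host, answers in resolution_report(chain, SAMPLE_RESOLVERS).items():
        print(host)
        for label, verdict in answers.items():
            print(f"  {label:24} {verdict}")
    print("failing:", diagnose())
```

Run as a script it prints a per-hostname table and the failing pairs. On the constructed sample it reproduces the thread's finding: otpbank.hu is fine everywhere, while www.otpbank.hu fails both on the hosts file (the suggested entry never covered the redirect target) and on the PC's stub resolver, yet answers from the router and from 1.1.1.1. Swapping `recorded_resolver` for a function that really queries each server turns this into a quick check to run on a PC behind the firewall.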