So i have an issue where none of my browsers able to resolve a domain name(otpbank.hu, my bank). But if i do an nslookup in the terminal it returns the correct address. So far this is the only website that has issues and it does not limited to a single machine. I use the resolver built into pfsense and blocked all outside DNS servers.
Any ideas why the hell this single site is failing while others work just fine?
Are you sure it’s dns and not blocked traffic?
Exclude potential problem locations. Have you ruled out a general problem and not just pf is a problem? If not, check without pf if it works.
Use a different browser.
Use a different dns server preferably DOH.
Is the traffic to the bank’s server able to reach? (mtr)
Does the bank’s domain / ip appear on any blacklist in pf or any browser plugin?
I used a website to query an outside DNS but it returned the same IP. As for the DNS server it uses cloudflare. DOH is disabled in the browsers. I tried FF and chromium. FF says it cannot connect, chromium on the other hand spouts out the “DNS_PROBE_FINISHED_NXDOMAIN” error…
Unfortunately cant pull out the pfsense box to test without it.
Something is blocking or not properly forwarding queries from ns.
I can connect to this domain no matter what dns. Just like using IP directly. Are you able to access the site using 22.214.171.124? It should be possible, only cert will report an error but it is not important in the matter of the test.
If you don’t load the bank page even using IP then this is probably not a direct cause in dns.
What does traceroute say? Are you able to get packages to 126.96.36.199?
Turn on DOH and check then. The point is to make inquiries ns bypass your pf completely to be absolutely sure where the problem lies.
You can also force the name to be resolved. Set the domain and IP in HOST. And then turn off DOH in the browser and check if it connects. In this situation, it must work. If it still doesn’t work. It’s rather not a problem in dns. Of course, flushdns on the local machine and on pf, by the way.
If it still doesn’t work then the fault is probably not in dns.
Well when using IP FF just switches over to its DNS name then fails to connect, chromium on the other hand tries with IP and gives the SSL error. Cant run tracert because the server wont respond to ping.
So it seems that this is not a problem with dns. Something is blocking traffic to domain / IP.
Either on the local machine or on pf. Some blacklist, geo location … Some wrong configuration.
Since it is not possible to connect per IP or per domain, even if it is permanently added to the host, it can be quite solidly stated that it is not dns that is to blame.
You have a mess in the system, it would be best to start clean from the beginning.
Are you even able to download index.html?
Chrome connects over IP, it just throws an ssl error… I bypassed pfsense by sharing my phone’s internet and that way it worked right away. Interesting thing here is it now works over my normal network too… (Probably its cached, a flush dns would kill it i assume.)
I would notice a DNS block because in that case it either wont return anything or it resolves to 10.10.10.1 .
So you did what I said from the beginning. As part of the test, pf box had to be eliminated from the equation.
Since your PC gets the site when it doesn’t send network traffic through the pf box, it can be stated that the local machine is not a problem.
Since the site does not load when the traffic passes through the pf box it can be said that the fault lies somewhere in the pf configuration or on the output of wan. invalid fw rule, vlan configuration …
I still think that it may not have much to do with dns. Your pc could not load the page when it had domain and ip entered in the host. What does this tell us? That it is not necessarily the fault of dns. The machine could not load the site even when external dns servers were eliminated from the equation.
In that case, I still think that the most likely reason will be blocking network traffic somewhere in the pf box. Whether according to IP, Domains, geo location, maybe IDS is turned on and responds badly. Maybe you have vpn / tor / proxy set up and they are blocking this domain.
Maybe the bank has your public IP somewhere on the blacklist. On the other hand, you say that one browser was able to load the site only via IP.
Perform flush dns. But this time, place the pc behind the pf box again and set dns on the local machine to 188.8.131.52 and unlock 53 on pf. If it still doesn’t work, see how wget reacts and is able to download index.html
You are unable to load site per domain when pf comes into play…
You are able to load the site per domain when pf is out of the question…
You are able to load the site per IP when pf is in the game but only on one browser…
In general, you have an abstract situation and I have to guess in the dark!