OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: axel2078 on September 22, 2019, 11:55:54 pm

Title: DNS records not found; pages won’t load
Post by: axel2078 on September 22, 2019, 11:55:54 pm
Hello, everyone.  I am a brand new user of OPNsense.  I had been using IPfire as my main firewall for years and it served me well, but a couple of versions ago, I started having intermittent web connectivity problems.  Specifically, some websites would just time out in every browser on every computer on my network, but I could successfully ping them and wget worked on them too.  If I bypassed the firewall with my VPN client or connected straight to the cable modem, I didn't have any issues.  I got frustrated with having to use my VPN to get to some websites, so I looked into OPNsense and I liked what I saw.

I just installed OPNsense yesterday and afterwards, everything seemed to work.  I could get to all websites just fine, including the ones at the college I teach at.  I was overjoyed.  I attempted to log in a short while ago and noticed that when I go to my school's websites, I get an error that basically says the server at the address can't be found.  If I try running a nslookup against worldclassroom.webster.edu, I either get a timeout, or I get a message saying no record could be found for it.  See below:

MacBook-Air-6:scripts kevin$ nslookup worldclassroom.webster.edu
;; connection timed out; no servers could be reached

MacBook-Air-6:scripts kevin$ nslookup worldclassroom.webster.edu
Server:      192.168.15.1
Address:   192.168.15.1#53

** server can't find worldclassroom.webster.edu: SERVFAIL

I am currently using 9.9.9.9 as the primary DNS server and 8.8.8.8 as the secondary....just as I was last night when it was working.  If I turn on my VPN client, the nslookup returns records (see below) and the page loads just fine.

MacBook-Air-6:scripts kevin$ nslookup worldclassroom.webster.edu
Server:      103.86.99.99
Address:   103.86.99.99#53

Non-authoritative answer:
worldclassroom.webster.edu   canonical name = webster-vanity.instructure.com.
webster-vanity.instructure.com   canonical name = canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com.
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 3.222.218.57
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 34.236.11.156
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 34.197.146.108

The other URL that no longer loads for me in a browser is http://apps.webster.edu/compcen/datadict/webcrs/onlform2.php3


This is becoming really frustrating.  Why is this happening?
Title: Re: DNS records not found
Post by: axel2078 on September 23, 2019, 12:01:45 am
Edit: I noticed that if I specify that DNS server within the nslookup query, it works and returns results.  So why isn't OPNsense able to do this?

macbook:~ kevin$ nslookup
> server 9.9.9.9
Default server: 9.9.9.9
Address: 9.9.9.9#53
> worldclassroom.webster.edu
Server:      9.9.9.9
Address:   9.9.9.9#53

Non-authoritative answer:
worldclassroom.webster.edu   canonical name = webster-vanity.instructure.com.
webster-vanity.instructure.com   canonical name = canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com.
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 3.222.218.57
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 34.236.11.156
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 34.197.146.10
Title: Re: DNS records not found
Post by: FlangeMonkey on September 23, 2019, 01:34:07 am
It sounds like the client isn't using the DNS server you're wanting.

Where are you defining the DNS servers 8.8.8.8 and 9.9.9.9?  If you check the DHCP settings, you'll see the DNS servers field; if this is empty, it will use the interface IP if a DNS service is enabled, otherwise the global DNS settings.  So you may have a DNS server running.

Check the host to verify its DNS server.  If I recall correctly, it's "cat /etc/resolv.conf" on Mac.

Thanks,
Title: Re: DNS records not found
Post by: axel2078 on September 23, 2019, 02:51:03 am
Quote
It sounds like the client isn't using the DNS server you're wanting.

Where are you defining the DNS servers 8.8.8.8 and 9.9.9.9?  If you check the DHCP settings, you'll see the DNS servers field; if this is empty, it will use the interface IP if a DNS service is enabled, otherwise the global DNS settings.  So you may have a DNS server running.

Check the host to verify its DNS server.  If I recall correctly, it's "cat /etc/resolv.conf" on Mac.

Thanks,

Thanks for getting back to me.  I have this set in the DNS servers section within System > Settings > General.  The first server in my list is 9.9.9.9 and the second server in the list is 8.8.8.8.  Under my DHCPv4 LAN settings, the DNS IP I set there is the IP for the LAN interface itself.  My MacBook and iMac both show the DNS server being used is the LAN IP address.  It's weird....nearly every website loads just fine, but I get timeouts or "can't find record" for worldclassroom.webster.edu.  If I try to ping it, I get a message back saying that the server couldn't be found.  However, if I manually change the DNS IP on my client machine to 9.9.9.9 or 8.8.8.8 and try to ping it, it responds.  However, it still won't load in a browser.
Title: Re: DNS records not found; pages won’t load
Post by: axel2078 on September 23, 2019, 06:32:45 am
As a test, I configured a BIND DNS resolver on one of my Raspberry Pis and it's configured to forward to 9.9.9.9 and 8.8.8.8.  I pointed one of my clients to that for DNS and what I found was that I could successfully get to https://worldclassroom.webster.edu, but there were several webster.edu websites that just time out in the browser.  When I do nslookups for these domains, I get a result back for each one.

http://www.webster.edu/academics/academic-calendar/
http://library.webster.edu/databases/index.html
http://www.webster.edu/campus-life/student-services/
http://apps.webster.edu/compcen/datadict/webcrs/onlform2.php3

The above websites load just fine from my phone using my data carrier (not wifi) or on my computer if I launch my VPN client.  I don't understand why this is happening.  The last time I reinstalled IPfire, everything worked great for a week before I started getting timeouts again.  When I installed OPNsense yesterday, everything worked perfectly and I had no issues.  Then this morning, the problem came back.  I don't know what's causing this, but I'd be very grateful if someone can help me figure it out.
Title: Re: DNS records not found; pages won’t load
Post by: FlangeMonkey on September 23, 2019, 01:33:54 pm
The Global DNS settings are for the firewall itself unless you don't have a DNS server enabled, then those servers are pushed via DHCP to the client.  I am sure you get that but just wanted to clarify.

What DNS server are you using on OPNsense?  I don't recall the default; it's either Unbound DNS or Dnsmasq DNS.  I'd suggest checking out the settings.



Title: Re: DNS records not found; pages won’t load
Post by: axel2078 on September 23, 2019, 03:02:30 pm
I am using Unbound DNS.  I noticed that I was unable to ping worldclassroom.webster.edu, so I figured I'd try out Dnsmasq instead.  With that enabled, I was able to ping worldclassroom.webster.edu, but it would not load in a browser.  Since that wasn't working either, I switched it back to Unbound DNS.  As a test last night, I disabled Unbound DNS completely.  On a Mac, you have the option to override the DNS server that is pushed to you via DHCP, so I manually set the DNS to point to my Raspberry Pi.  However, the situation was pretty much the same.  I can get to almost every website out there except for the webster websites mentioned above.  Those still time out in a browser.  This is now the second firewall appliance where I've run into this issue.  I don't understand why this is happening and why it worked initially, but then stopped working.
Title: Re: DNS records not found; pages won’t load
Post by: FlangeMonkey on September 23, 2019, 04:40:08 pm
If DNS is resolving you might be looking in the wrong place.  You might also be hitting locally cached DNS records, so under testing, you might want to clear it.  Below is my dig of worldclassroom.webster.edu.  Additionally, some ISPs block the root DNS servers, so you might need to forward.

You're not using Firefox with DNS over HTTPS, are you?

Code:
dig worldclassroom.webster.edu

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> worldclassroom.webster.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30238
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;worldclassroom.webster.edu.    IN      A

;; ANSWER SECTION:
worldclassroom.webster.edu. 17268 IN    CNAME   webster-vanity.instructure.com.
webster-vanity.instructure.com. 141 IN  CNAME   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com.
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.197.146.108
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.236.11.156
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 3.222.218.57

;; Query time: 0 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Mon Sep 23 15:31:45 BST 2019
;; MSG SIZE  rcvd: 218

Title: Re: DNS records not found; pages won’t load
Post by: axel2078 on September 23, 2019, 05:51:48 pm
Thank you for your help on this.  No, I'm not using Firefox.  I normally use Safari and if that fails, I use Chrome.  This is driving me nuts.  What's odd is that when my clients were pointing to OPNsense as the DNS server (and OPNsense was pointed to 9.9.9.9), when I did nslookups for worldclassroom.webster.edu, they either timed out, or I got a SERVFAIL, but if I changed the nameserver to 9.9.9.9 via nslookup and then ran the same query, I got a response back with the record.

What's really odd here is that while this was going on, if I did nslookups on practically any other website while pointed to OPNsense for DNS, I got responses back with the host record. So, while pointing to OPNsense for DNS,  I was seeing behavior like this:

nslookup google.com  replies/works
nslookup yahoo.com replies/works
nslookup cnn.com replies/works
nslookup worldclassroom.webster.edu  No servers could be reached OR SERVFAIL; no record found
nslookup foxnews.com replies/works
nslookup gmail.com replies/works
nslookup worldclassroom.webster.edu  No servers could be reached OR SERVFAIL; no record found
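The pattern in the post above (SERVFAIL or a timeout from the firewall's resolver, NOERROR with the full CNAME chain from the upstream) is easiest to pin down when the same question is put to every resolver in the chain from a script rather than by hand. The following is an added example and not code from the thread or from OPNsense: a minimal DNS-over-UDP client in Python that builds an A query, sends it to each resolver, and classifies the reply by RCODE (NOERROR, SERVFAIL, NXDOMAIN) or as a timeout. The resolver addresses in the usage block (192.168.15.1 and 9.9.9.9) are taken from the thread; `build_response` exists only to construct replies offline so the parser can be exercised without network access.

```python
# Added example (not from the thread): minimal DNS-over-UDP client that asks
# several resolvers the same question and reports RCODE or timeout per server.
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}


def encode_name(name):
    """Encode a hostname into DNS label wire format (length-prefixed labels, NUL end)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Build a standard recursive A/IN query (flags 0x0100 = RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(data):
    """Return (rcode name, [(owner, type, rdata), ...]) from a DNS reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):                              # skip the echoed question
        _, offset = read_name(data, offset)
        offset += 4
    records = []
    for _ in range(an):
        owner, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1:
            rdata = ".".join(str(b) for b in data[offset:offset + rdlen])
        elif rtype == 5:
            rdata, _ = read_name(data, offset)
        else:
            rdata = data[offset:offset + rdlen].hex()
        records.append((owner, TYPES.get(rtype, str(rtype)), rdata))
        offset += rdlen
    return rcode, records


def build_response(name, rcode, answers, txid=0x1234):
    """Construct a reply for offline testing; answers = [(owner, 'A'|'CNAME', rdata)]."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)  # QR, RD, RA
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in answers:
        msg += b"\xc0\x0c" if owner == name else encode_name(owner)  # pointer to question name
        rd = bytes(int(x) for x in rdata.split(".")) if rtype == "A" else encode_name(rdata)
        msg += struct.pack("!HHIH", 1 if rtype == "A" else 5, 1, 60, len(rd)) + rd
    return msg


def query(name, server, timeout=3.0):
    """Send the query over UDP/53; returns ('TIMEOUT', []) or the parsed reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
        return parse_response(data)
    except socket.timeout:
        return "TIMEOUT", []
    finally:
        sock.close()


def compare_resolvers(name, servers):
    """Ask each resolver the same question; returns {server: (rcode, records)}."""
    return {server: query(name, server) for server in servers}


if __name__ == "__main__":
    # LAN-side firewall resolver first, then the upstream it forwards to (both from the thread).
    for server, (rcode, records) in compare_resolvers(
            "worldclassroom.webster.edu", ["192.168.15.1", "9.9.9.9"]).items():
        print(server, rcode, records)
```

A resolver that returns NOERROR for most names but SERVFAIL for one points at something specific to that zone (validation, a broken upstream for that delegation, or a cached failure), whereas a timeout from only the LAN resolver points at the resolver itself or the path to it.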
Title: Re: DNS records not found; pages won’t load
Post by: axel2078 on September 24, 2019, 02:41:52 am
Anyone have any idea what's going on here?  I just ran a test where I disconnected my ESXi chassis's WAN interface from the cable modem and I connected my laptop directly to the cable modem.  I was able to get to all websites without issue.  I just wanted to verify that it wasn't a problem with my ISP, and I see now that it's not.  The problem is with OPNsense.  Can anyone explain to me why most websites load just fine for me, but a select few time out in the browser when I know that they're up?
Title: Re: DNS records not found; pages won’t load
Post by: axel2078 on September 30, 2019, 05:35:52 am
So am I the only OPNsense user that has had this problem??
Title: Re: DNS records not found; pages won’t load
Post by: bunchofreeds on September 30, 2019, 08:50:56 am
Something to understand.
Are you using split DNS?

What is your internal domain name?  Is it webster.edu?  Is this the local domain used by OPNsense?
Do you need to set an Unbound Domain Override for webster.edu to point to the DNS server that handles that domain?

Just a thought.

Also, are you able to remove other devices from your network to ensure they are not interfering with your DNS or port 53?  Understanding that you possibly have students in your environment.
https://www.cloudflare.com/learning/dns/dns-cache-poisoning/




Title: Re: DNS records not found; pages won’t load
Post by: packet loss on October 01, 2019, 02:28:06 am
Quote
I had been using IPfire as my main firewall for years and it served me well, but a couple of versions ago, I started having intermittent web connectivity problems.  Specifically, some websites would just time out in every browser on every computer on my network, but I could successfully ping them and wget worked on them too.

You are either doing something wrong or have a hardware issue both with IPfire and OPNsense.  You need to reset your configuration to default settings in OPNsense and start over.  Don't add custom DNS servers, GEO blocking or whatever else you have already done with your firewall all at once.  Set up a basic configuration where you can achieve a stable connection to the internet without issues.  Then slowly customize your configuration one step at a time until you find where the issue starts.

I did a Google search for the edu website and the custom 9.9.9.9 DNS server you are using and found your IPfire forum post.

https://forum.ipfire.org/viewtopic.php?t=23264

Again, this is likely a configuration issue or hardware issue. I see no point in anyone adding any further input until you start over from scratch with your configuration.
Title: Re: DNS records not found; pages won’t load
Post by: axel2078 on October 01, 2019, 04:57:12 am
Quote
Something to understand.
Are you using split DNS?

What is your internal domain name?  Is it webster.edu?  Is this the local domain used by OPNsense?
Do you need to set an Unbound Domain Override for webster.edu to point to the DNS server that handles that domain?

Just a thought.

Also, are you able to remove other devices from your network to ensure they are not interfering with your DNS or port 53?  Understanding that you possibly have students in your environment.
https://www.cloudflare.com/learning/dns/dns-cache-poisoning/

Hello.  Thank you for your input.  No, I'm not using split DNS.  This network is actually in my home, not on a university campus.  I'm trying to log in to the university because I teach online, but I can't get the websites to load within a browser.  No other devices sit between the firewall and my cable modem, so I'm not sure what else I could remove that might be in the way.
Title: Re: DNS records not found; pages won’t load
Post by: axel2078 on October 01, 2019, 05:07:02 am
Quote
I had been using IPfire as my main firewall for years and it served me well, but a couple of versions ago, I started having intermittent web connectivity problems.  Specifically, some websites would just time out in every browser on every computer on my network, but I could successfully ping them and wget worked on them too.

You are either doing something wrong or have a hardware issue both with IPfire and OPNsense.  You need to reset your configuration to default settings in OPNsense and start over.  Don't add custom DNS servers, GEO blocking or whatever else you have already done with your firewall all at once.  Set up a basic configuration where you can achieve a stable connection to the internet without issues.  Then slowly customize your configuration one step at a time until you find where the issue starts.

I did a Google search for the edu website and the custom 9.9.9.9 DNS server you are using and found your IPfire forum post.

https://forum.ipfire.org/viewtopic.php?t=23264

Again, this is likely a configuration issue or hardware issue. I see no point in anyone adding any further input until you start over from scratch with your configuration.

Holy accusations, Batman!  Before you accuse me of not knowing what I'm doing, maybe I should provide more info.  My IPfire system was rock solid for years (from 2013 till 2019) until I updated it to Core 134.  That's when the problems started.  Even after reverting the snapshot to a previous version, the outcome was the same.  I then upgraded to Core 135 hoping it would solve the problem, but it didn't.  So, I reinstalled the whole thing over again using the Core 135 build and did not make any changes to it.  It worked for about a week and then the problem came back.  There are at least a few other IPfire users running into the same issue, although with different websites.

I just re-installed OPNsense from scratch AGAIN over the weekend and did not do anything special after the install.  I pointed it to 9.9.9.9 for DNS resolution and used the LAN IP as the gateway for my internal hosts....just as I have done successfully for years.  From the very start immediately after the rebuild, I could not get those webster.edu domains to load in a browser from any computer, but other websites seemed to load fine.  Doing nslookups against those domains either resulted in timeouts or errors returning records, but if I ran nslookup by specifying the DNS server first, it was successful every time.  If I am doing something wrong, please enlighten me.  This was a fresh vanilla install with no extra features enabled.  Please explain why nearly any website loads just fine except for the ones at webster.edu, and nslookup doesn't seem to work reliably when using OPNsense as the resolver (pointed to 9.9.9.9), but if I specifically point to an external resolver in nslookup (9.9.9.9), it works fine.  If I was having a hardware issue, I could understand if everything broke, or if I couldn't get Internet access working anymore, but it doesn't make sense that I can load up about 95% of the websites I've tried, but a few of them just won't work unless I use a VPN or bypass the firewall.
Title: Re: DNS records not found; pages won’t load
Post by: axel2078 on October 01, 2019, 05:25:46 am
Update:  I just tried accessing the same problematic *webster.edu sites that I've been having problems with for days now (even since I rebuilt OPNsense) and they all work now.  I have no idea why.  I haven't touched the system in days, nor have I had the time.  It doesn't make sense to me that those sites that wouldn't work before are loading just fine now when I haven't made any changes. This is pretty frustrating.
Title: Re: DNS records not found; pages won’t load
Post by: packet loss on October 01, 2019, 06:58:55 am
I typically use Unbound for DNS purposes.  So I tested 9.9.9.9 for my DNS in OPNsense.  I was able to get the edu website you were having problems with to resolve using nslookup.  I noticed something interesting though.  When I reverted my settings in OPNsense back to using Unbound for DNS purposes (10.200.200.1 in my case), my laptop continued to use 9.9.9.9 as the DNS server.  I had to release and then renew using ipconfig under Windows, at which point Unbound was serving 10.200.200.1.

Why did you change your DNS settings to use 9.9.9.9 in OPNsense after you did a fresh install? You were having DNS issues and that was probably the one thing you shouldn't have touched prior to thorough testing. It's unlikely you will be able to isolate the exact cause of the issue you were having after making changes to OPNsense that you shouldn't have made in the first place.
Title: Re: DNS records not found; pages won’t load
Post by: axel2078 on October 02, 2019, 02:26:27 am
Quote
I typically use Unbound for DNS purposes.  So I tested 9.9.9.9 for my DNS in OPNsense.  I was able to get the edu website you were having problems with to resolve using nslookup.  I noticed something interesting though.  When I reverted my settings in OPNsense back to using Unbound for DNS purposes (10.200.200.1 in my case), my laptop continued to use 9.9.9.9 as the DNS server.  I had to release and then renew using ipconfig under Windows, at which point Unbound was serving 10.200.200.1.

Why did you change your DNS settings to use 9.9.9.9 in OPNsense after you did a fresh install?  You were having DNS issues and that was probably the one thing you shouldn't have touched prior to thorough testing.  It's unlikely you will be able to isolate the exact cause of the issue you were having after making changes to OPNsense that you shouldn't have made in the first place.

You have a valid point, but I forgot to mention this in my previous post....after the fresh install, I decided to leave the DNS settings alone so it would use my ISP's DNS because I wanted to test that out first.  I tried out several of my regular websites and all worked fine.  Then, I tried the problematic *webster.edu websites and none of them loaded.  I figured that since this isn't working with my ISP's DNS servers, I might as well try a different one, so I tried 9.9.9.9, but of course that didn't work either.

The *webster.edu websites are still loading fine as of tonight.  I still don't know why.
Title: Re: DNS records not found; pages won’t load
Post by: Bonkerton on October 02, 2019, 08:50:01 pm
FWIW, I have the same or at least a similar problem.

ISP is Xfinity/Comcast via cable modem.

Various PCs, both Windows and Linux, same behaviour.

OPNsense on an HP thin client, Realtek LAN.

Sites that don't work:
https://informeddelivery.usps.com
https://tools.usps.com
https://my.cigna.com/
(Also others, e.g. some sites of the local community college)

Usually using Unbound in resolve mode. Tried forwarding mode with various DNS servers, and also using Dnsmasq. Also using ISP provided DNS.
No dice, can't access.

If I use a VPN client on a PC I can access the sites with no problem.

I have a few OVPN clients set up on my OPNsense.  If I route a PC's traffic through one of those I can access the sites.
(I believe in this setup traffic goes through the VPN, but DNS is still handled locally through Unbound.)  So that should mean the DNS resolution is not the problem; it's the traffic.

I have a spare router (FreshTomato) as backup; going through that via the same cable modem, I can access these sites just fine.

I have always been able to ping and nslookup these sites. The IP-addresses returned by nslookup are the same in working (with VPN) or non-working 'mode'.

I tried disabling various features (Suricata, Sensei), no help.

I spent way too much time trying to debug this already, I'll probably just make do with using a VPN when needed...
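Bonkerton's observation above (same addresses from nslookup whether or not the VPN is up, but the page only loads over the VPN) separates a resolution failure from a path failure, and with a name that resolves to several addresses, as worldclassroom.webster.edu does earlier in the thread, a browser may succeed or fail depending on which address it happens to pick. The following is an added example, not code from the thread or from OPNsense: a Python check that resolves a name and then probes every returned address separately, first a TCP connect and then a TLS handshake, so the verdict says whether the name fails to resolve, no address accepts the connection, or only some do. The resolver and connector are passed in as callables so the classifier can be exercised offline with stand-ins; `system_resolve` and `tls_connect` are the real ones used when the script is run directly.

```python
# Added example (not from the thread): tell "name does not resolve" apart from
# "name resolves but the TCP/TLS path to some or all addresses is broken".
import socket
import ssl


def system_resolve(host, port=443):
    """Resolve via the OS resolver (whatever DHCP handed out); IPv4 only, sorted."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, port, socket.AF_INET)})


def tls_connect(host, addr, port, timeout):
    """Real connector: TCP connect to one address, then a TLS handshake with SNI=host."""
    try:
        raw = socket.create_connection((addr, port), timeout=timeout)
    except OSError:
        return "TCP_FAIL"          # SYN never answered, refused, or blackholed
    try:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
            return "OK"
    except (ssl.SSLError, OSError):
        return "TLS_FAIL"          # connected, but handshake hung or failed (MTU, inspection)
    finally:
        raw.close()


def check_site(host, resolver, connector, port=443, timeout=5.0):
    """Resolve then probe each address; returns (verdict, {addr: stage result})."""
    try:
        addrs = resolver(host)
    except OSError as exc:         # socket.gaierror is an OSError subclass
        return "DNS_FAIL", {"error": str(exc)}
    if not addrs:
        return "DNS_FAIL", {}
    per_addr = {addr: connector(host, addr, port, timeout) for addr in addrs}
    outcomes = set(per_addr.values())
    if outcomes == {"OK"}:
        verdict = "OK"
    elif "OK" in outcomes:
        verdict = "PARTIAL"        # some addresses reachable: browser behaviour looks intermittent
    else:
        verdict = "PATH_FAIL"      # name resolves, but nothing accepts the connection
    return verdict, per_addr


if __name__ == "__main__":
    # Hostname taken from the thread; results depend on the network this runs on.
    print(check_site("worldclassroom.webster.edu", system_resolve, tls_connect))
```

Run once with the normal gateway and once with traffic routed through the VPN: DNS_FAIL points at the resolver, PATH_FAIL at the forwarding path, and PARTIAL at one particular address behind a round-robin name.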
Title: Re: DNS records not found; pages won’t load
Post by: axel2078 on October 09, 2019, 03:46:17 am
Quote
FWIW, I have the same or at least a similar problem.

----SNIP----

I spent way too much time trying to debug this already, I'll probably just make do with using a VPN when needed...

My line of thinking was the same as yours.  I spent hours trying to troubleshoot it to no avail.  Oddly enough, things just started working again.  I still have no idea why, but I'm not having any trouble accessing any websites right now.  It's been this way for a couple of weeks now.
Title: Re: DNS records not found; pages won’t load
Post by: Bonkerton on November 07, 2019, 11:42:07 pm
I'm now making it easier for myself by routing the websites in question through a VPN using an alias.

- Create an alias under Firewall: Aliases of Type: Hosts and enter the URLs for the websites you want to route differently in the 'Content' field.
- Create a Firewall: NAT: Outbound rule with the 'Interface' being your VPN IF and the 'Destination address' your alias from above.
- Create a Firewall: Rules: LAN rule with 'Destination' being your alias and the 'Gateway' your VPN IF.

See attached screenshots