Messages - GrumpyOLTechie

#1
It was Quad9 in the end.

I was editing the resolv.conf to comment out my internal domain name and that would get the website working once more while also not seeming to negatively affect anything else.
I disabled the Quad9 DoT servers and added Cloudflare's, and the issue is gone on Cloudflare.

This is probably still my fault as I had a setting to register DHCP clients in DNS and that probably got sent to Quad9's DNS servers and yadda, yadda, yadda. Like I said, probably my own fault.

#2
My next question is probably going to be in the EndeavourOS forum, but does anyone know how to stop NetworkManager from automatically inserting a search domain into resolv.conf?

This is not normal behavior, is it?

I have my desktop using DHCP, so the domain name is coming from OPNsense, is it not?

I checked my HOST.conf, hostname and resolv.conf, and the only place I see the home.arpa domain is in the automatically generated entry in resolv.conf, and my PC got that from the DHCP server on OPNsense.

Once again, I am sure this is something I did but I cannot figure out what and am trying to understand how to stop this behavior.

I'll go ask in the EndeavourOS forum too.

Thanks a bunch to everyone!
#3
Hi,

TYVM for responding.
I was so excited that someone responded I forgot my manners.

So when you say "the client's resolver library",
would you be referring to my desktop's client resolver?

On Linux what would that be?
I am running EndeavourOS.
Or would you be referring to the DoT servers I forward to?
In my case, Quad9 unsecured - dot10.quad9.net

"Edit#2: OK it IS the quad9 DoT servers doing this.
Probably because I have something misconfigured on my end.

I am unsure how to approach troubleshooting this.
Any ideas, hints, tips, URLs anyone could provide?"

Edit#3: So, when I looked at my "automatically generated" resolv.conf file (the one that'll get overwritten if I edit it), it shows home.arpa as the search domain.
I commented out the entry:

# Generated by NetworkManager
#search home.arpa

and left only the nameserver x.x.x.x entry, saved it and then re-enabled the DoT servers. Then the help.teksavvy.com webpage opens just fine with the DoT servers at Quad9 enabled.

Tyvm once more for your response.
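
Added example, not part of the original post: a small Python model of the glibc-style search-list rule, showing which fully qualified names a stub resolver may send upstream for help.teksavvy.com with the generated resolv.conf and with the search line commented out. The nameserver address 192.0.2.1 and the function names are constructed for illustration, and the single-label name "opnsense" is hypothetical.

```python
"""Candidate query names for a glibc-style stub resolver (added example)."""

# Constructed sample files; 192.0.2.1 stands in for the post's x.x.x.x.
GENERATED = "# Generated by NetworkManager\nsearch home.arpa\nnameserver 192.0.2.1\n"
EDITED = "# Generated by NetworkManager\n#search home.arpa\nnameserver 192.0.2.1\n"


def parse_resolv_conf(text):
    """Return (search_list, ndots). Lines starting with '#' or ';' are comments."""
    search, ndots = [], 1  # ndots defaults to 1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] in ("search", "domain"):
            search = fields[1:]  # the last search/domain line wins
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def candidate_names(name, search, ndots=1):
    """Names in the order they are tried; later ones are used only if earlier fail."""
    if name.endswith("."):
        return [name]  # trailing dot: already absolute, search list is skipped
    absolute = name + "."
    suffixed = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed  # as-is first, then with each search domain
    return suffixed + [absolute]      # short names get the search domains first


def names_for(conf_text, host):
    """Parse a resolv.conf text and list the candidate names for one host."""
    search, ndots = parse_resolv_conf(conf_text)
    return candidate_names(host, search, ndots)


if __name__ == "__main__":
    for label, conf in (("generated", GENERATED), ("edited", EDITED)):
        print(label, names_for(conf, "help.teksavvy.com"))
```

With the search line active, a failed lookup of the plain name is followed by a query for the name with home.arpa appended, and that second query is what reaches whichever upstream the forwarder is pointed at.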
#4
Hi,

I have only found 1 URL that does this.

My ISP's help webpage.

With Unbound running, all block lists cleared and disabled, no register anything in DNS, forwarders or not, no static ARP entries or anything like that
(I use Quad9 unsecured DoT, i.e. no blocking whatsoever)

I opened Firefox and Librewolf

Firefox is VPN only
Librewolf is bypass VPN

with the VPN connected Firefox loads help.teksavvy.com with zero issues
Librewolf is saying "We can't connect to the server at help.teksavvy.com"
I disconnect from the VPN and Firefox starts to give "We can't connect to the server at help.teksavvy.com"
I connect to my cell phone's hotspot and both browsers load it up right away.

This is very odd to me, so I captured some tcpdump on port 53 and 853.



Resolved
#5
25.1, 25.4 Series / BYPASS DNS blocklist for 1 IP?
July 21, 2025, 09:52:23 PM
Hi,

I recently installed OPNsense (again) and I really like the interface more than pfSense.
I took about a year to really know the pfSense GUI but OPNsense is so intuitive I just find things MUCH easier.

That being said, I cannot find the page that allows me to add an exception IP to the block-list.
I want my wife's work laptop to bypass the DNS block-list.

Is this possible in OPNsense or should I go back to pfSense to get this functionality?

Don't get me wrong here please, I don't want to do that - it's way more work than I detected and OPNsense just looks so much prettier and, like I already said, I seem to find my way around the GUI easier than on pfSense.

Thanks everyone!
#6
Hardware and Performance / Re: What hardware?
August 20, 2020, 07:00:03 PM
I've been running the "software-that-OpnSense-came-from-that-cannot-be-named-less-it-notice-us-and-be-summoned" for about 10 (?) years now on old PCs.

I came here to update myself on the state of OPNSense. I tried it when it was first released but Suricata was not working very well at all. I would like to try OPNSense but not at the expense of productivity for my work from home wife.

I started with an Old Dell XPS 630i Core2 DUO 4GB ram (non-AES capable) - retired -R.I.P - blown daughter board after 12 years of service as 1st my desktop, (free +$29.00 = ADATA 120 SSD  from this point as I would dispose of it or do the following) then to firewall, then to Linux Web Server.

Currently running Old Dell Inspiron i3 6GB Ram (non-AES capable) my father-in-law hand me down (free +$49.00 = Kingston 120 SSD)

Am planning on swapping out to an OLD Dell XPS 8700 Studio 16GB RAM (AES capable) as soon as I find the time (been waiting for 1yr now) (free +$49.00 = Kingston 120 SSD)  (another family member hand me down)

I guess what I am saying is it might be cheaper if you want to transfer an image of your existing firewall to a cheap'ish SSD and use an old PC.

I only pay for 150/15 Mbps so I am good. 20 odd devices in the house with 7 of them being desktops/laptops that are regularly used, the rest are a mix of Wi-Fi routers (x2) and cell phones, handheld gaming consoles, Xbox etc.

No one ever complains about speed in my house unless the ISP is having issues or unless a piece of hardware has blown out - usually the crappy cable modems - is there such a thing as a non-crappy cable modem - you know, one that will last longer than 3 or 4 years?

Anyways, I realize there are many reasons to NOT use an old PC but if you're not affected by any of those, I have found it to be pretty cheap while still getting a "corporate-like" firewall.

With ALL the above systems I have never seen the "software-that-OpnSense-came-from-that-cannot-be-named-less-it-notice-us-and-be-summoned" use more than 40% RAM at its busiest and it normally runs at 20% or less. CPU has never gone over 5 or 6% that I've noticed.

Cheers.