DNS records not found; pages won’t load

Started by axel2078, September 22, 2019, 11:55:54 PM

Update:  I just tried accessing the same problematic *webster.edu sites that I've been having problems with for days now (even since I rebuilt OPNsense) and they all work now.  I have no idea why.  I haven't touched the system in days, nor have I had the time.  It doesn't make sense to me that those sites that wouldn't work before are loading just fine now when I haven't made any changes. This is pretty frustrating.

I typically use unbound for DNS purposes. So I tested 9.9.9.9 for my DNS in OPNsense. I was able to get the edu website you were having problems with to resolve using nslookup. I noticed something interesting though. When I reverted my settings in OPNsense back to using unbound for DNS purposes (10.200.200.1 in my case) my laptop continued to use 9.9.9.9 as the DNS server. I had to release and then renew using ipconfig under Windows at which point unbound was serving 10.200.200.1.

Why did you change your DNS settings to use 9.9.9.9 in OPNsense after you did a fresh install? You were having DNS issues and that was probably the one thing you shouldn't have touched prior to thorough testing. It's unlikely you will be able to isolate the exact cause of the issue you were having after making changes to OPNsense that you shouldn't have made in the first place.

Quote from: azdps on October 01, 2019, 06:58:55 AM
I typically use unbound for DNS purposes. So I tested 9.9.9.9 for my DNS in OPNsense. I was able to get the edu website you were having problems with to resolve using nslookup. I noticed something interesting though. When I reverted my settings in OPNsense back to using unbound for DNS purposes (10.200.200.1 in my case) my laptop continued to use 9.9.9.9 as the DNS server. I had to release and then renew using ipconfig under Windows at which point unbound was serving 10.200.200.1.

Why did you change your DNS settings to use 9.9.9.9 in OPNsense after you did a fresh install? You were having DNS issues and that was probably the one thing you shouldn't have touched prior to thorough testing. It's unlikely you will be able to isolate the exact cause of the issue you were having after making changes to OPNsense that you shouldn't have made in the first place.

You have a valid point, but I forgot to mention this in my previous post....after the fresh install, I decided to leave the DNS settings alone so it would use my ISP's DNS because I wanted to test that out first.  I tried out several of my regular websites and all worked fine.  Then, I tried the problematic *webster.edu websites and none of them loaded.  I figured that since this isn't working with my ISP's DNS servers, I might as well try a different one, so I tried 9.9.9.9, but of course that didn't work either.

The *webster.edu websites are still loading fine as of tonight.  I still don't know why.

FWIW, I have the same or at least a similar problem.

ISP is Xfinity/Comcast via cable modem.

Various PCs, both Windows and Linux, same behaviour.

OPNSense on a HP ThinClient, Realtek LAN.

Sites that don't work:
https://informeddelivery.usps.com
https://tools.usps.com
https://my.cigna.com/
(Also others, e.g. some sites of the local community college)

Usually using Unbound in resolve mode. Tried forwarding mode with various DNS servers, and also using Dnsmasq. Also using ISP provided DNS.
No dice, can't access.

If I use a VPN client on a PC I can access the sites with no problem.

I have a few OVPN clients set up on my OPNSense. If I route a PC's traffic through one of those I can access the sites.
(I believe in this setup traffic goes through VPN, but DNS is still locally through Unbound). So that should mean the DNS resolution is not the problem, it's the traffic.

I have a spare router (FreshTomato) as backup, going through that through the same cable-modem I can access these sites just fine.

I have always been able to ping and nslookup these sites. The IP-addresses returned by nslookup are the same in working (with VPN) or non-working 'mode'.

I tried disabling various features (Suricata, Sensei), no help.

I spent way too much time trying to debug this already, I'll probably just make do with using a VPN when needed...
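Added example, not part of the original post: a Python probe that separates the layers discussed above (name resolution, TCP connect, TLS handshake), so a failing site can be attributed either to DNS or to the traffic path. The function name `probe`, its default port and its timeout are assumptions made for this example.

```python
import socket
import ssl


def probe(host, port=443, timeout=3.0):
    """Return (stage, detail): the layer that failed, or "ok".

    "dns" = the name did not resolve, "tcp" = no connection to any resolved
    address, "tls" = connected but the TLS handshake did not complete.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)

    ctx = ssl.create_default_context()
    result = ("tcp", "no address attempted")
    for family, socktype, proto, _canon, sockaddr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
        except OSError as exc:
            sock.close()
            result = ("tcp", f"{sockaddr[0]}: {exc}")
            continue
        try:
            # The handshake runs inside wrap_socket(); a timeout here means
            # the peer stopped answering after the TCP connect succeeded.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", f"{sockaddr[0]} {tls.version()}"
        except OSError as exc:  # ssl.SSLError and timeouts are OSErrors
            sock.close()
            result = ("tls", f"{sockaddr[0]}: {exc}")
    return result


if __name__ == "__main__":
    # Hosts taken from the post above; run once directly and once via the VPN.
    for name in ("informeddelivery.usps.com", "tools.usps.com", "my.cigna.com"):
        print(name, *probe(name))
```

A result of `tcp` or `tls` together with a successful lookup matches the situation described in the post: resolution works and the failure is in the traffic.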

Quote from: Bonkerton on October 02, 2019, 08:50:01 PM
FWIW, I have the same or at least a similar problem.

----SNIP----

I spent way too much time trying to debug this already, I'll probably just make do with using a VPN when needed...

My line of thinking was the same as yours.  I spent hours trying to troubleshoot it to no avail.  Oddly enough, things just started working again.  I still have no idea why, but I'm not having any trouble accessing any websites right now.  It's been this way for a couple of weeks now.

I'm now making it easier for myself by routing the websites in question through a VPN using an alias.

- create an alias under Firewall:Aliases of Type: Hosts and enter the URLs for the websites you want to route differently in the 'Content' field.
- create a Firewall:NAT:Outbound rule with the 'Interface' being your VPN-IF and the 'Destination address' your alias from above
- create a Firewall:Rules:LAN rule with 'Destination' being your alias and the 'Gateway' your VPN-IF

See attached screenshots