DN-over-TLS - strange result...

[chemlud]

Hello again!

Have unbound configured as DNS-over-TLS resolver, according to these settings

https://forum.opnsense.org/index.php?topic=21153.msg98895#msg98895

All traffic on port 53 is only allowed to opnsense.

On a linux client I have:

Code Select Expand

cat /etc/resolv.conf
# This file was generated by wg-quick(8) for use with
# the WireGuard interface wg0. It cannot be
# removed or altered directly. You may remove this file
# by running `wg-quick down wg0', or if that
# poses problems, run `umount /etc/resolv.conf'.

nameserver 10.10.10.1


where 10.10.10.1 is the opnsense.

OK, if I try to resolve openwall.com I get on this machine

Code Select Expand

ping openwall.com
ping: socket: Address family not supported by protocol
PING openwall.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.047 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.048 ms
64 bytes from localhost (127.0.0.1): icmp_seq=5 ttl=64 time=0.045 ms
^C
--- openwall.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4095ms
rtt min/avg/max/mdev = 0.041/0.045/0.048/0.002 ms


Who resolves openwall.com as localhost in this setup?!?!?

Same on other networks of the opnsense. A pfsense (2.5.1) using the same DNS-over-TLS servers resolves openwall.com correctly (I can copy the IP to the browser and get the correct page).

I'm a little confused...

[chemlud]

Found it!

Believe it or not, openwall.com is on one of these DNS block lists activated (see attached), after disabling the DNS block lists, it resolves just fine...

Unbelievable.