DNS records not found; pages won’t load

[axel2078]

Hello, everyone.  I am a brand new user of OPNsense.  I had been using IPfire as my main firewall for years and it served me well, but a couple of versions ago, I started having intermittent web connectivity problems.  Specifically, some websites would just time out in every browser on every computer on my network, but I could successfully ping them and wget worked on them too.  If I bypassed the firewall with my VPN client or connected straight to the cable modem, I didn't have any issues.  I got frustrated with having to use my VPN to get to some websites, so I looked into OPNsense and I liked what I saw.

I just installed OPNsense yesterday and afterwards, everything seemed to work.  I could get to all websites just fine, including the ones at the college I teach at.  I was overjoyed.  I attempted to log in a short while ago and noticed that when I go to my school's websites, I get an error that basically says the server at the address can't be found.  If I try running a nslookup against worldclassroom.webster.edu, I either get a timeout, or I get a message saying no record could be found for it.  See below:

MacBook-Air-6:scripts kevin$ nslookup worldclassroom.webster.edu
;; connection timed out; no servers could be reached

MacBook-Air-6:scripts kevin$ nslookup worldclassroom.webster.edu
Server:      192.168.15.1
Address:   192.168.15.1#53

** server can't find worldclassroom.webster.edu: SERVFAIL

I am currently using 9.9.9.9 as the primary DNS server and 8.8.8.8 as the secondary....just as I was last night when it was working.  If I turn on my VPN client, the nslookup returns records (see below) and the page loads just fine.

acBook-Air-6:scripts kevin$ nslookup worldclassroom.webster.edu
Server:      103.86.99.99
Address:   103.86.99.99#53

Non-authoritative answer:
worldclassroom.webster.edu   canonical name = webster-vanity.instructure.com.
webster-vanity.instructure.com   canonical name = canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com.
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 3.222.218.57
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 34.236.11.156
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 34.197.146.108

The other URL that no longer loads for me in a browser is http://apps.webster.edu/compcen/datadict/webcrs/onlform2.php3


This is becoming really frustrating.  Why is this happening?

[axel2078]

Edit: I noticed that if I specify that DNS server within the nslookup query, it works and returns results.  So why isn't OPNsense able to do this?

macbook:~ kevin$ nslookup
> server 9.9.9.9
Default server: 9.9.9.9
Address: 9.9.9.9#53
> worldclassroom.webster.edu
Server:      9.9.9.9
Address:   9.9.9.9#53

Non-authoritative answer:
worldclassroom.webster.edu   canonical name = webster-vanity.instructure.com.
webster-vanity.instructure.com   canonical name = canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com.
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 3.222.218.57
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 34.236.11.156
Name:   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com
Address: 34.197.146.10

[FlangeMonkey]

it sounds like the client isn't using the DNS Server your wanting.

Where are you defining the DNS Servers 8.8.8.8 and 9.9.9.9?  If you check the DHCP settings, you'll see the DNS servers field, if this is empty, it will with use the interface IP if a DNS service is enabled, otherwise the global DNS settings.  So you may have a DNS server running.

Check the host to verify its DNS server.  If I recall correctly, its "cat /etc/resolv.conf" on Mac.

Thanks,

[axel2078]

it sounds like the client isn't using the DNS Server your wanting.

Where are you defining the DNS Servers 8.8.8.8 and 9.9.9.9?  If you check the DHCP settings, you'll see the DNS servers field, if this is empty, it will with use the interface IP if a DNS service is enabled, otherwise the global DNS settings.  So you may have a DNS server running.

Check the host to verify its DNS server.  If I recall correctly, its "cat /etc/resolv.conf" on Mac.

Thanks,

Thanks for getting back to me.  I have this set in the DNS servers section within System > Settings > General.  The first server in my list is 9.9.9.9 and the second server in the list is 8.8.8.8.  Under my DHCPv4  LAN settings, the DNS IP I set there is the IP for the LAN interface itself.  My MacBook and iMac both show the DNS server being used is the LAN IP address.  It's weird....nearly every website loads just fine, but I get timeouts for "can't find record" for worldclassroom.webster.edu.  If I try to ping it, I get a message back saying  that the server couldn't be found.  However, if I manually change the DNS IP on my client machine to 9.9.9.9 or 8.8.8.8 and try to ping it, it responds.  However, it still won't load in a browser.

[axel2078]

As a test, I configured a bind DNS resolver on one of my raspberry Pi's and it's configured to forward to 9.9.9.9 and 8.8.8.8.  I pointed one of my clients to that for DNS and what I found was that I could successfully get to https://worldclassroom.webster.edu, but there were several webster.edu websites that just time out in  the browser.  When I do nslookups for these domains, I get a result back for each one.

http://www.webster.edu/academics/academic-calendar/
http://library.webster.edu/databases/index.html
http://www.webster.edu/campus-life/student-services/
http://apps.webster.edu/compcen/datadict/webcrs/onlform2.php3

The above websites load just fine from my phone using my data carrier (not wifi) or on my computer if I launch my VPN client.  I don't understand why this is happening.  The last time I reinstalled IPfire, everything worked great for a week before I started getting timeouts again.  When I installed OPNsense yesterday, everything worked perfectly and I had no issues.  Then this morning, the problem came back.  I don't know what's causing this, but I'd be very grateful if someone can help me figure it out.

[FlangeMonkey]

The Global DNS settings are for the firewall itself unless you don't have a DNS server enabled, then those servers are pushed via DHCP to the client.  I am sure you get that but just wanted to clarify.

What DNS Server are you using on opnsense?  I don't recall the default, its ether Unbound DNS or Dnsmasq DNS.  I'd suggest checking out the settings.

[axel2078]

I am using Unbound DNS.  I noticed that I was unable to ping worldclassroom.webster.edu, so I figured I'd try out DNSmasq instead.  With that enabled, I was able to ping worldclassroom.webster.edu, but it would not load in a browser.  Since that wasn't working either, I switched it back to Unbound DNS.  As a test last night, I disabled Unbound DNS completely. On a Mac, you have to option to override the DNS server that is pushed to you via DHCP, so I manually set the DNS to point to my raspberry pi.  However, the situation was pretty much the same.  I can get to almost every website out there except for the webster websites mentioned above.  Those still time out in a browser.  This is now the second firewall appliance where I've run into this issue.  I don't understand why this is happening and why it worked initially, but then stopped working.

[FlangeMonkey]

If DNS is resolving you might be looking in the wrong place.  You might also be hitting locally cached DNS records, so under testing, you might want to clear it. Below is my dig of worldclassroom.webster.edu.  Additionally, some ISP's block root DNS server, so you might need to forward.

You're not using firefox are you with DNS over HTTPS?

Code: [Select]

dig worldclassroom.webster.edu

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> worldclassroom.webster.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30238
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;worldclassroom.webster.edu.    IN      A

;; ANSWER SECTION:
worldclassroom.webster.edu. 17268 IN    CNAME   webster-vanity.instructure.com.
webster-vanity.instructure.com. 141 IN  CNAME   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com.
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.197.146.108
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.236.11.156
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 3.222.218.57

;; Query time: 0 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Mon Sep 23 15:31:45 BST 2019
;; MSG SIZE  rcvd: 218



[axel2078]

Thank you for your help on this.  No, I'm not using Firefox.  I normally use Safari and if that fails, I use Chrome.  This is driving me nuts.  What's odd is that when my clients were pointing to Opensense as the DNS server (and OpenSense was pointed to 9.9.9.9), when I did nslookups for worldclassroom.webster.edu, they either timed out, or I got a SERVFAIL, but if I changed the nameserver to 9.9.9.9 via nslookup and then ran the same query, I got a response back with the record.

What's really odd here is that while this was going on, if I did nslookups on practically any other website while pointed to OPNsense for DNS, I got responses back with the host record. So, while pointing to OPNsense for DNS,  I was seeing behavior like this:

nslookup google.com  replies/works
nslookup yahoo.com replies/works
nslookup cnn.com replies/works
nslookup worldclassroom.webster.edu  No servers could be reached OR SERVFAIL; no record found
nslookup foxnews.com replies/works
nslookup gmail.com replies/works
nslookup worldclassroom.webster.edu  No servers could be reached OR SERVFAIL; no record found

[axel2078]

Anyone have any idea what's going on here?  I just ran a test where I disconnected my ESXi chassis's WAN interface from the cable modem and I connected my laptop directly to the cable modem. I  was able to get to all websites without issue.  I just wanted to verify that it wasn't a problem with my ISP, and I see now that it's not.  The problem is with OPNsense.  Can anyone explain to me why most websites load just fine for me, but a select few time out in the browser when I know that they're up?

[axel2078]

So am I the only OPNsense user that has had this problem??

[bunchofreeds]

Something to understand.
Are you using split DNS?

What is your internal domain name? is it webster.edu? Is this the local domain used by OPNsense?
Do you need to set an Unbound Domain Override for webster.edu to point to the DNS server that handles that domain?

Just a thought.

Also are you able to remove other devices from your network to ensure they are not interfering with your DNS or port 53. Understanding that your possibly have students in your environment?
https://www.cloudflare.com/learning/dns/dns-cache-poisoning/

[packet loss]

I had been using IPfire as my main firewall for years and it served me well, but a couple of versions ago, I started having intermittent web connectivity problems.  Specifically, some websites would just time out in every browser on every computer on my network, but I could successfully ping them and wget worked on them too.

You are either doing something wrong or have a hardware issue both with IPfire and OPNsense. You need to reset your configuration to default settings in OPNsense and start over. Don't add custom DNS servers, GEO blocking or whatever else you have already done with your firewall all at once. Setup a basic configuration where you can achieve a stable connection to the internet without issues. Then slowly customize your configuration one step at a time until you find the where the issue starts.

I did a google search for the edu website and the custom 9.9.9.9 DNS server you are using and found your IPfire forums post.

https://forum.ipfire.org/viewtopic.php?t=23264

Again, this is likely a configuration issue or hardware issue. I see no point in anyone adding any further input until you start over from scratch with your configuration.

[axel2078]

Something to understand.
Are you using split DNS?

What is your internal domain name? is it webster.edu? Is this the local domain used by OPNsense?
Do you need to set an Unbound Domain Override for webster.edu to point to the DNS server that handles that domain?

Just a thought.

Also are you able to remove other devices from your network to ensure they are not interfering with your DNS or port 53. Understanding that your possibly have students in your environment?
https://www.cloudflare.com/learning/dns/dns-cache-poisoning/

Hello.  Thank you for your input.  No, I'm not using split DNS.  This network is actually in my home, not on a university campus.  I'm trying to log in to the university because I teach online, but I can't get the websites to load within a browser.  No other devices sit between the firewall and my cable modem, so I'm not sure what else I could remove that might be in the way.

[axel2078]

I had been using IPfire as my main firewall for years and it served me well, but a couple of versions ago, I started having intermittent web connectivity problems.  Specifically, some websites would just time out in every browser on every computer on my network, but I could successfully ping them and wget worked on them too.

You are either doing something wrong or have a hardware issue both with IPfire and OPNsense. You need to reset your configuration to default settings in OPNsense and start over. Don't add custom DNS servers, GEO blocking or whatever else you have already done with your firewall all at once. Setup a basic configuration where you can achieve a stable connection to the internet without issues. Then slowly customize your configuration one step at a time until you find the where the issue starts.

I did a google search for the edu website and the custom 9.9.9.9 DNS server you are using and found your IPfire forums post.

https://forum.ipfire.org/viewtopic.php?t=23264

Again, this is likely a configuration issue or hardware issue. I see no point in anyone adding any further input until you start over from scratch with your configuration.

Holy accusations, batman!  Before you accuse me of not knowing what I"m doing, maybe I should provide more info.  My IPfire system was rock solid for years (from 2013 till 2019) until I updated it to Core 134.  That's when the problems started.  Even after reverting the snapshot to a previous version, the outcome was the same.  I then upgraded to Core 135 hoping it would solve the problem, but it didn't.  So, I reinstalled the whole thing over again using the Core 135 build and did not make any changes to it.  It worked for about a week and then the problem came back.  There are at least a few other IPfire users running into the same issue, although with different websites.

I just re-installed OPNsense from scratch AGAIN over the weekend and did not do anything special after the install.  I pointed it to 9.9.9.9 for DNS resolution and used the LAN IP as the gateway for my internal hosts....just as I have done successfully for years.  From the very start immediately after the rebuild, I could not get those webster.edu domains to load in a browser from any computer, but other websites seemed to load fine.  Doing nslookups against those domains either resulted in time outs or errors returning records, but if I ran nslookup by specifying the DNS server first, it was successful every time.  If I am doing something wrong, please enlighten me.  This was a fresh vanilla install with no extra features enabled.  Please explain why nearly any website loads just fine except for the ones at webster.edu and nslookup doesn't seem to work reliably when using OPNsense as the resolver (pointed to 9.9.9.9), but if I specifically point to an external resolver in nslookup (9.9.9.9), it works fine.  If I was having a hardware issue, I could understand if everything broke, or if I couldn't get Internet access working anymore, but it doesn't make sense that I can load up about 95% of the websites I've tried, but a few of them just won't work unless I use a VPN or bypass the firewall.