Some websites unreachable - dns problem?

Started by srko777, December 23, 2023, 08:49:43 PM

Hi all!
I'm quite new to OPNsense, I've been using it for a few weeks now and it turned out great until I started using the Zenarmor service with it. From time to time some websites (I really can't detect on what key) become unreachable - the sites which are blocked are like github.com, a commercial bank, a news site... which are safe and secure.

I noticed I can't get this temporarily fixed by restarting the Zenarmor engine on the OPNsense router.
But what could be the real culprit of this?

I would really appreciate any help with this or some guidance on what to check and how to debug...
Thanks and kind regards,
Andre

Zenarmor free subscription
Name OPNsense.localdomain
Versions OPNsense 23.7.10_1-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w


What happens if you stop Zenarmor, does DNS resolution return? Which DNS servers are you using, are they on your LAN and/or on the internet?
Regards


Bill

December 24, 2023, 11:14:51 AM #2 Last Edit: December 25, 2023, 08:15:37 PM by almodovaris
Yup, I also have the Github problem, but IMHO it is the fault of my internet provider (Ziggo) who does not want to pay for good connectivity (getting routed through some internet exchanges costs a lot of money). Otherwise I would see no reason why Zenarmor drops a couple of websites about half the time. I believe that because getting a VPN connection to the Netherlands or to Sweden (i.e. outside the purview of Zenarmor) also drops Github sometimes, but a VPN connection to Norway doesn't. So I guess it is due to the internet exchange they're using. The Jottacloud app doesn't work through the VPN to the Netherlands or Sweden, but works okay through the VPN to Norway. That's another argument that they're using another internet exchange.

In doubt use the program MTR or WinMTR having Zenarmor wholly disabled (meaning Zenarmor engine stopped). Some years ago I saw a lot of traffic dropping at aorta.net. aorta.net is Liberty Global's own exchange (Liberty Global owns Ziggo), but for AMS-IX they would have to pay. AMS-IX is world class service, aorta.net is dubious. It sucks, but shareholders are greedy, and Ziggo managers are yesmen. Ziggo technical support staff know this, but they lack the power to make the required business deals. They do their best to serve their clients, but only within the parameters dictated by the management. A commercial corporation is not a democracy. Its purpose is not offering the best service ever, but simply making money. Offering reasonable internet connectivity to a tiny share of their clients would cost too much money. Most Ziggo clients don't care about Github. And the few who do could simply patch that through using a VPN. So, there is no monetary incentive for properly serving all their clients. Otherwise, I'm a happy Ziggo customer and I'm not taking the gamble of changing my internet provider. I know that Ziggo works perfectly in 99% of the cases, and I'm not taking the risk of having another provider, with its own other imperfections.

And yes: about obeying the whitelist, it makes a difference whether you apply changes from the firewall IP or from dash.zenarmor.com. In doubt, only use the firewall IP for controlling Zenarmor.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

January 07, 2024, 05:59:39 PM #3 Last Edit: January 07, 2024, 06:27:20 PM by almodovaris
And now I think I know what it is: Zenarmor works fine, but somehow it cripples some DNS calls (not always: only when you change policy options through dash.zenarmor.com). Both when using Unbound and Dnsmasq. Use DoH or DoT on the end client, and the problem is solved. If you can't, use some public IPs of DNS servers, but not the IP of your router.

And it's not wholly improbable that it's both of the above (meaning this message and my previous message).
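An added diagnostic (not from this thread or from Zenarmor) for the check the post above implies: send the same A query to the router's resolver and to a public resolver and compare what each returns, so a silent DNS failure (timeout, SERVFAIL) can be told apart from a blocked or unreachable site. The router address 192.168.1.1 and the transaction id are assumptions; the test data below is constructed.

```python
import socket
import struct

QID = 0x2A2A  # constructed transaction id; real clients randomise it

def build_query(name, qid=QID):
    # header: id, flags (RD=1), QDCOUNT=1, other counts 0; then QNAME, QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(data, off):
    # advance past a name; a 0xC0 compression pointer is two bytes and ends it
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(data, qid=QID):
    # return RCODE (0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN) and the A addresses answered
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x0F, "addresses": addrs}

def query(resolver, name, timeout=2.0):
    # one UDP query to one resolver; no reply is reported, not raised
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
    except OSError:
        return {"resolver": resolver, "rcode": None, "addresses": [], "error": "no reply"}
    finally:
        sock.close()
    return {"resolver": resolver, **parse_response(data)}
```

Run `query("192.168.1.1", "github.com")` (the router, Unbound or Dnsmasq) next to `query("9.9.9.9", "github.com")` while the site is failing: identical addresses point away from DNS, while a timeout or non-zero RCODE from the router alone points at the resolver path.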

And, to be clear, there are a January 4 and a January 5 version of Zenarmor 1.16.1.

I am getting the same issue on github.
Using public DNS is not a proper way of solving it as then I can't use AdGuard Home and Unbound which I need.
I will test this theory of an ISP issue this weekend by plugging my ISP router in and going via that for 1 day and see if I get issues. I am in the UK and my ISP is pretty good so I doubt it's my ISP issue.

Hi,

Can you share a report to look into the logs and configuration of Zenarmor via Have Feedback on the GUI?

January 17, 2024, 11:34:23 PM #7 Last Edit: January 18, 2024, 02:20:32 AM by almodovaris
And if nothing else helps, erase the Zenarmor database (full erase, meaning all data).

Hint: you have to do it through the OPNsense menu.

In the end, I think this is an OPNsense-only problem. I have Zenarmor running on Debian 12, and it does not have such an issue.