Banking App: "something has gone wrong"

Started by kartman, May 31, 2024, 02:54:52 PM

Hello, All...

I recently moved over from pfSense and I'm now running the latest OPNsense... I have 2x banking apps on my mobile: one works fine but the other will start to log in and then fail with a silly message that "something has gone wrong".

If I turn off WiFi, the app connects fine via mobile data. If I log into the same institution's site via browser, no issue. To be fair, the switch to OPNsense may just be a bad coincidence but I didn't have this issue before very recently.

Any suggestions as to how I might debug and correct?

Hi,

Apps are usually very generic in their error messages. This might be a DNS problem, a blocked IP, IPv6 requirements, etc. And as you said: it could also be non-networking related.

I'd check the traffic on OPNsense for unmatched expectations. Which DNS queries come in? Are there packets blocked when starting the app?


Do you use zenarmor or suricata? Maybe there is DPI and your bank uses certificate pinning?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Hello all,

I have exactly the same issue.
It looks like (I'm not completely sure) this problem has been present since my update to OPNsense 24.1.8.

One Banking App (DKB) is still working without probs.

The other Banking App (ING DiBa) is completely not starting, or sometimes, if it starts "partly", the message "something has gone wrong" comes after a while when loading more content.

Via GSM / mobile or in other WLANs the Banking App works perfectly.

No Intrusion Detection or Web Proxy is active.

Thanks for any ideas!



Good evening

I had a similar issue since 24.1.8.
I'm getting strange DNS resolution issues since the latest update. After a short period of time, more and more websites don't load.

I'm using Quad9 DNS over TLS inside Unbound and I've listed both IPv4 and IPv6 DNS Resolvers.

After deleting all IPv6 servers, my DNS issues seem solved (as far as I tested it). This setting was never an issue until a few days ago.

Hopefully, I can bring some light in this Topic.

Best regards
Wrigleys

May 31, 2025, 11:27:29 PM #5 Last Edit: June 01, 2025, 02:10:42 AM by cschafer
I had a similar issue with my iPhone mobile banking app for Axos. It would work just fine on a cellular connection, but whenever connected to the internet through WiFi and OPNsense, the Axos mobile app would fail to function (albeit logging into the Axos web page still worked from a PC on the same OPNsense network).

For me, I traced the problem back to the OPNsense Unbound DNS server, but haven't found a fix as of yet. If anyone has a further suggestion, I would appreciate it. [CORRECTION -- DNSSEC didn't make a difference after all]

The only way I could get the mobile app to work on WiFi/OPNsense was to disable Unbound DNS and redirect DHCP clients to an external DNS instead to fix the issue.

Services -> Unbound DNS -> Enable:  disabled
Services -> ISC DHCPv4 -> [LAN] -> DNS servers:  "" (blank to use system default DNS servers which are 8.8.8.8 and 8.8.4.4 google DNS)

I'll keep working on trying to find a fix for OPNsense Unbound DNS, but so far no luck.

Interesting. Which bank is that? This is the first time I've heard of that. The normal procedure for banks is to use TLS certificates, sometimes certificate pinning. In that case, diverted traffic would not work anyway. And that is for EU banks, which have quite high security standards (PSD2).

June 01, 2025, 02:01:16 AM #7 Last Edit: June 02, 2025, 02:06:13 PM by cschafer
@meyergru   -- yes, you are correct, the DNSSEC "fix" wasn't right after all.

[RESOLVED]

In my case, I found out that the source of my problem was operator error - I had a bad configuration in Unbound DNS. I had incorrectly turned on DNS64 support without having a proper NAT64 service running. After disabling the "Enable DNS64 Support" box in Unbound DNS, DNS inquiries for apps.axosbank.com returned only the proper A records (IPv4 records for the Axos Bank mobile app) and... the mobile app started working.

Before correcting my config, Unbound DNS with DNS64 support enabled was generating and returning IPv6 AAAA records intended for a NAT64 service (which I didn't have enabled). And perhaps the Axos mobile app preferred to use IPv6 addressing whenever present (just a guess). See below for more details:

Before correction:
apps.axosbank.com  A  104.16.188.72
apps.axosbank.com  A  104.16.189.72
apps.axosbank.com  AAAA 64:ff9b::6810:bc48    (synthetic AAAA record generated by Unbound DNS for NAT64)
apps.axosbank.com  AAAA 64:ff9b::6310:bd48   (synthetic AAAA record for NAT64)

After unchecking the DNS64 support, Unbound DNS returned only the proper IPv4 A records that came from the source DNS server.
apps.axosbank.com  A  104.16.188.72
apps.axosbank.com  A  104.16.189.72
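The mechanism cschafer describes above (DNS64 embedding the IPv4 address in the low 32 bits of the well-known 64:ff9b::/96 NAT64 prefix, RFC 6052 / RFC 6147) can be reproduced and audited offline. The block below is an added example, not code from the thread or from OPNsense/Unbound: it synthesizes the AAAA records a DNS64 resolver would return for the A records quoted in the post, and flags synthetic AAAA answers that point at a NAT64 gateway the network does not have. The sample record set is constructed here from the post's A records; the function names, the assumption that Unbound uses the well-known prefix when no custom one is configured, and the `nat64_available` flag are this example's own.

```python
import ipaddress

# Well-known NAT64/DNS64 prefix (RFC 6052, RFC 6147). Assumption of this
# example: the resolver synthesizes into this prefix when no custom one is set.
WELL_KNOWN_NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")


def synthesize_dns64(ipv4: str, prefix=WELL_KNOWN_NAT64_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of the NAT64 prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    v6 = ipaddress.IPv6Address(int(prefix.network_address) | int(v4))
    return str(v6)


def is_synthetic_aaaa(ipv6: str, prefix=WELL_KNOWN_NAT64_PREFIX) -> bool:
    """True if the AAAA address lies inside the NAT64 prefix (DNS64-generated)."""
    return ipaddress.IPv6Address(ipv6) in prefix


def embedded_ipv4(ipv6: str) -> str:
    """Recover the IPv4 address carried in the low 32 bits of a /96-style mapping."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFFFF))


def simulate_unbound(name: str, a_addrs, dns64_enabled: bool, native_aaaa=()):
    """Model the answer set a DNS64 resolver hands back for a name.

    DNS64 only synthesizes when the name has no native AAAA records; with the
    feature off, the upstream A (and any native AAAA) records pass through.
    Returns a list of (name, rtype, rdata) tuples.
    """
    answers = [(name, "A", a) for a in a_addrs]
    answers += [(name, "AAAA", a) for a in native_aaaa]
    if dns64_enabled and not native_aaaa:
        answers += [(name, "AAAA", synthesize_dns64(a)) for a in a_addrs]
    return answers


def audit_answers(records, nat64_available: bool):
    """Return one finding per synthetic AAAA that clients cannot actually use.

    Without a NAT64 gateway, an IPv6-preferring client (Happy Eyeballs or a
    plain getaddrinfo() loop) may try the 64:ff9b:: address first and fail,
    which is the "something has gone wrong" symptom in the thread.
    """
    a_records = {rdata for _, rtype, rdata in records if rtype == "A"}
    findings = []
    for name, rtype, rdata in records:
        if rtype != "AAAA" or not is_synthetic_aaaa(rdata):
            continue
        origin = embedded_ipv4(rdata)
        if not nat64_available:
            findings.append(
                f"{name}: synthetic AAAA {rdata} (embeds A {origin}) but no NAT64 "
                f"gateway on this network; disable DNS64 or deploy NAT64"
            )
        elif origin not in a_records:
            findings.append(
                f"{name}: synthetic AAAA {rdata} embeds {origin}, which is not "
                f"among the A records; check the resolver's DNS64 prefix"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample: the two A records quoted in the post.
    a_addrs = ["104.16.188.72", "104.16.189.72"]
    before = simulate_unbound("apps.axosbank.com", a_addrs, dns64_enabled=True)
    after = simulate_unbound("apps.axosbank.com", a_addrs, dns64_enabled=False)
    print("Before correction:")
    for rec in before:
        print("  %-20s %-5s %s" % rec)
    for finding in audit_answers(before, nat64_available=False):
        print("  !! " + finding)
    print("After unchecking DNS64:")
    for rec in after:
        print("  %-20s %-5s %s" % rec)
    print("  findings:", audit_answers(after, nat64_available=False))
```

The same audit applies to real resolver output: feed `audit_answers` the A/AAAA records from a `dig` or `drill` run against the OPNsense resolver, and any answer inside 64:ff9b::/96 on a network without a NAT64 gateway is the misconfiguration to look for before blaming the app or the firewall rules.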