OPNsense
Author Topic: Weird DNS issue with a single name  (Read 253 times)

verfluchten

Weird DNS issue with a single name
« on: October 27, 2024, 09:57:19 pm »
Having migrated to OPNsense a few days back, I've been generally happy, but I ran into a sudden and very weird issue today. When I try to go to any address on answers.microsoft.com, the browser instantly fails to find the site.
So I tried this on command line:

Code:
C:\>ping answers.microsoft.com
Ping request could not find host answers.microsoft.com. Please check the name and try again.

C:\>nslookup www.microsoft.com
Server:  router
Address:  10.10.10.1

Non-authoritative answer:
Name:    e13678.dscb.akamaiedge.net
Addresses:  2600:140a:a000:581::356e
          2600:140a:a000:588::356e
          2600:140a:a000:58c::356e
          2600:140a:a000:5bb::356e
          23.215.25.222
Aliases:  www.microsoft.com
          www.microsoft.com-c-3.edgekey.net
          www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net


C:\>nslookup answers.microsoft.com
Server:  router
Address:  10.10.10.1

Name:    answers.microsoft.com
Address:  0.0.0.0


C:\>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\>nslookup answers.microsoft.com
Server:  router
Address:  10.10.10.1

Name:    answers.microsoft.com
Address:  0.0.0.0

And in the OPNsense admin UI, when I resolve the name, I get its address, but as soon as I try nslookup on the command line of my machine on the LAN, or open it in the browser, it temporarily reverts to 0.0.0.0. As soon as I resolve it in the admin UI again, it works again, but only until I try to resolve it from the LAN machine.
If I keep repeating the name resolution in the admin UI, it always resolves.
If I open the address in the browser or run nslookup, then it does not resolve in the admin UI, but only one time.
What am I doing wrong?

Patrick M. Hausen

Re: Weird DNS issue with a single name
« Reply #1 on: October 27, 2024, 10:03:58 pm »
0.0.0.0 looks like a standard block list answer. Any block lists in place?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

verfluchten

Re: Weird DNS issue with a single name
« Reply #2 on: October 27, 2024, 11:00:13 pm »
Lots. Hundreds of them. Why is it intermittent then?

The same problem with go.microsoft.com. Their online installers can't download anything.

I do not have blocks anywhere near either network, as the OPNsense interface diagnostics page resolves them. Not even close.
« Last Edit: October 27, 2024, 11:06:05 pm by verfluchten »

Patrick M. Hausen

Re: Weird DNS issue with a single name
« Reply #3 on: October 27, 2024, 11:08:48 pm »
Because particular domains get listed and deleted on block lists on and off all the time ...

I use 4 (!) very well curated lists:

- HaGeZi's Threat Intelligence Feeds
- HaGeZi's Encrypted DNS/VPN/TOR/Proxy Bypass
- Dandelion Sprout's Anti-Malware List
- HaGeZi's Pro Blocklist

For a very good discussion of block lists in general I recommend HaGeZi's github repo:

https://github.com/hagezi/dns-blocklists

HTH,
Patrick

verfluchten

Re: Weird DNS issue with a single name
« Reply #4 on: October 27, 2024, 11:31:35 pm »
Ah, you are probably referring to DNS block lists?
I assumed you wrote about firewall IP blocks.
Let me disable the block lists and begin to figure it out one by one.
Yes, it was the blacklists. Someone had too much time on their hands and too little oversight.
« Last Edit: October 27, 2024, 11:33:53 pm by verfluchten »

verfluchten

Re: Weird DNS issue with a single name
« Reply #5 on: October 28, 2024, 11:23:42 pm »
I ended up creating whitelist entries for answers.microsoft.com, go.microsoft.com, and login.microsoft.com.
But something about the blacklists is fishy. When I completely disable them, all *.microsoft.com domains work in the browser. When I simply enable the service without ticking any lists, they still resolve and ping but stop working in the browser. How can this be explained from a technical point of view?

verfluchten

Re: Weird DNS issue with a single name
« Reply #6 on: October 29, 2024, 02:41:34 pm »
If I ssh into OPNsense, can I less the blacklist files to see what they actually block? Where does OPNsense download them to?
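The thread turns on three things: a 0.0.0.0 answer is the sinkhole reply a resolver blocklist hands back instead of a real address (Reply #1), the curated feeds are updated constantly so a name can be blocked one day and not the next (Reply #3), and the poster wants to know which list entry actually blocks answers.microsoft.com and go.microsoft.com (Reply #6). The script below is an added example, not code from the thread or from OPNsense: it parses blocklist files in the three common formats (hosts-style `0.0.0.0 name`, adblock-style `||name^`, and one-domain-per-line), then reports which list and which entry would sinkhole a given name, checking the name and each of its parent domains. The feed contents are constructed for the example and are not the real HaGeZi or Dandelion Sprout lists; parent-domain matching and the plain domain whitelist mirror how most DNS blocklist implementations behave and are an assumption about OPNsense's Unbound blocklist, not something the thread confirms.

```python
"""Find which DNS blocklist entry would sinkhole a name (added example).

Feeds below are CONSTRUCTED for this example; they are not the contents of
any real HaGeZi or Dandelion Sprout list.  Replace SAMPLE_LISTS with the
text of the downloaded list files to check a live OPNsense setup.
"""
import re

# Addresses blocklist resolvers commonly return instead of NXDOMAIN.
SINKHOLE_ADDRESSES = {"0.0.0.0", "::", "127.0.0.1", "::1"}

# Constructed feeds: list name -> raw file text.
SAMPLE_LISTS = {
    "example-threat-feed (constructed)": """\
# hosts-format feed
0.0.0.0 go.microsoft.com
0.0.0.0 tracker.example.net
""",
    "example-pro-list (constructed)": """\
! adblock-format feed
||answers.microsoft.com^
||ads.example.com^
@@||login.microsoft.com^
""",
    "example-plain-list (constructed)": """\
# one domain per line
telemetry.example.org
""",
}

_HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+([^\s#]+)")
_ADBLOCK_RE = re.compile(r"^\|\|([^\^/$|*]+)\^")
_DOMAIN_RE = re.compile(r"^[a-z0-9.-]+$")


def parse_blocklist(text):
    """Return the set of blocked domains in one blocklist file.

    Comment lines (# or !) and adblock exception rules (@@...) are skipped;
    whether a resolver honours @@ exceptions is implementation specific.
    """
    blocked = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line[0] in "#!" or line.startswith("@@"):
            continue
        m = _HOSTS_RE.match(line) or _ADBLOCK_RE.match(line)
        if m:
            blocked.add(m.group(1).rstrip("."))
        elif _DOMAIN_RE.match(line):
            blocked.add(line.rstrip("."))
    return blocked


def candidate_names(name):
    """Yield the name and each parent domain, most specific first.

    The bare TLD is never yielded, so 'com' alone can never match.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def find_blocking_entries(name, lists):
    """Return [(list_name, matched_entry), ...] for every list that blocks name."""
    hits = []
    for list_name, text in lists.items():
        blocked = parse_blocklist(text)
        for candidate in candidate_names(name):
            if candidate in blocked:
                hits.append((list_name, candidate))
                break  # one hit per list is enough to explain a 0.0.0.0 answer
    return hits


def check_name(name, lists=SAMPLE_LISTS, whitelist=()):
    """Return (blocked, hits); a whitelisted name or parent is never blocked."""
    allowed = {w.lower().rstrip(".") for w in whitelist}
    if any(candidate in allowed for candidate in candidate_names(name)):
        return False, []
    hits = find_blocking_entries(name, lists)
    return bool(hits), hits


def is_sinkhole_answer(address):
    """True if a resolver answer looks like a blocklist sinkhole, not a real host."""
    return address.strip() in SINKHOLE_ADDRESSES


if __name__ == "__main__":
    names = ("answers.microsoft.com", "go.microsoft.com",
             "www.microsoft.com", "sub.tracker.example.net")
    for n in names:
        blocked, hits = check_name(n)
        print(f"{n:26} blocked={blocked} {hits}")
    # Same check with the whitelist the poster ended up creating.
    wl = ["answers.microsoft.com", "go.microsoft.com", "login.microsoft.com"]
    print("with whitelist:", check_name("go.microsoft.com", whitelist=wl))
```

Run it against the real list files once you have located them on the firewall and the `hits` output tells you which feed to report the false positive to, or which entry to whitelist; `is_sinkhole_answer` is the test to apply to an nslookup answer like the `0.0.0.0` in the first post before suspecting an upstream DNS problem.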

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved