The pfSense Store

Author Topic: Periodic since 2.2 pages load blank, certs invalid  (Read 14744 times)

0 Members and 1 Guest are viewing this topic.

Offline Trel

  • Sr. Member
  • ****
  • Posts: 368
  • Karma: +11/-1
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #60 on: February 09, 2015, 09:22:12 am »
I just want to clear up a few things

When any DNS Server can be used (not just unbound) and DNS Sec is set to off
-A DNS lookup from any computer to one of the domains cause EVERY subsequent lookup to resolve to "195.22.26.248"
(persists until unbound service is restarted)

When only unbound can be used and DNS Sec is set to ON, and port 53 is blocked except to pfsense
-A DNS lookup from any computer to one of the domains causes unbound to stop resolving anything, all lookups fail
(persists until unbound service is restarted)

Thanks to a packet capture I was able to find which domains were being looked up, I then overrode the hosts and set the IP to 0.0.0.0 so they resolve but obviously can't get out

When only unbound can be used and DNS Sec is set to ON, port 53 is blocked except to pfsense, AND the hosts are overrode so Unbound doesn't make any query on those domains outward either
-All problems seem to cease


(Also, due to the packet capture, I can say the original request is coming from an unrooted Android device requesting port 80 on a few of those sites, based on the URL, it's requesting an API for determining the outward IP)

EDIT: here's the overrides I did to flat out prevent those names from being resolved.
« Last Edit: February 09, 2015, 09:28:34 am by Trel »

Offline swix

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +1/-0
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #61 on: February 09, 2015, 10:34:39 am »
Thanks for your update Trel, we're still searching here, but enabling DNSSEC does not stop the issue.    And last time, it stopped by itself after about 5 minutes.

When "broken", all webrequests are redirected to http://xsso.www.example.org (with the original domain name instead of example.org).
Code: [Select]
GET /domain/www.example.org HTTP/1.1
Host: sso.mlwr.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64) (...)
Accept-Encoding: gzip, deflate, sdch
Accept-Language: de,en-US;q=0.8,en;q=0.6
Cookie: anbsso=a5f4221ae2729d945150c83748e2ea12 (...)

Response: HTTP/1.1 302 Moved Temporarily
Server: nginx-perl/1.2.9.7
Date: Mon, 09 Feb 2015 14:29:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked Connection: keep-alive
Set-Cookie: btst=b1b2035cffe818d92d7f6604a1318beb|myip|...
Location: http://xsso.www.example.org/a5f4221ae2729d945150c83748e2ea12

Just increased the logfiles size to try to see more next time it happens and added monitoring to get an alert directly.



And another view with wget, with and without https, with the same "lolcat" I already saw in another thread:

Code: [Select]
                                                                                                   
om@ompc:~> wget http://www.example.org
--2015-02-09 13:55:37--  http://www.example.org                                                                                                                                                     
Resolving www.example.org (www.example.org)... 195.22.26.248                                                                                                                                           
Connecting to www.example.org (www.example.org)|195.22.26.248|:80... connected.                                                                                                                       
HTTP request sent, awaiting response... 302 Moved Temporarily                                                                                                                                     
Location: http://sso.mlwr.io/domain/www.example.org [following]                                                                                                                                     
--2015-02-09 13:55:39--  http://sso.mlwr.io/domain/www.example.org
Resolving sso.mlwr.io (sso.mlwr.io)... 195.22.26.248
Reusing existing connection to www.example.org:80.
HTTP request sent, awaiting response... 200 OK
Cookie coming from sso.mlwr.io attempted to set domain to example.org
Length: unspecified [text/html]
Saving to: ‘index.html.3’


om@ompc:~> wget https://www.example.org
--2015-02-09 13:55:43--  https://www.example.org/
Resolving www.example.org (www.example.org)... 195.22.26.248
Connecting to www.example.org (www.example.org)|195.22.26.248|:443... connected.
ERROR: cannot verify www.example.org's certificate, issued by ‘/CN=lolcat’:
  Self-signed certificate encountered.
    ERROR: certificate common name ‘lolcat’ doesn't match requested host name ‘www.example.org’.
To connect to www.example.org insecurely, use `--no-check-certificate'.

Offline Trel

  • Sr. Member
  • ****
  • Posts: 368
  • Karma: +11/-1
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #62 on: February 09, 2015, 10:39:47 am »
You said you enabled DNSSEC, but question, what do you have in

System -> General -> DNS servers?

Offline swix

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +1/-0
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #63 on: February 09, 2015, 10:41:55 am »
PS:  installed packages on this router: arpwatch, bandwithd, cron, darkstat, mailreport, nrpe, rrd summary, openvpn client export.

Offline swix

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +1/-0
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #64 on: February 09, 2015, 10:48:26 am »
You said you enabled DNSSEC, but question, what do you have in
System -> General -> DNS servers?

Completely empty, so shoud unbound start with root servers directly.  I was wondering where was the hints file for unbound, but it seems to be directly in the binary file (strings unbound) :

Code: [Select]
A.ROOT-SERVERS.NET.
198.41.0.4
B.ROOT-SERVERS.NET.
192.228.79.201
C.ROOT-SERVERS.NET.
192.33.4.12
D.ROOT-SERVERS.NET.
199.7.91.13
E.ROOT-SERVERS.NET.
192.203.230.10
F.ROOT-SERVERS.NET.
192.5.5.241
G.ROOT-SERVERS.NET.
192.112.36.4
H.ROOT-SERVERS.NET.
128.63.2.53
I.ROOT-SERVERS.NET.
192.36.148.17
J.ROOT-SERVERS.NET.
192.58.128.30
K.ROOT-SERVERS.NET.
193.0.14.129
L.ROOT-SERVERS.NET.
199.7.83.42

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9047
  • Karma: +1032/-306
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #65 on: February 09, 2015, 10:50:50 am »
Ok.  So what are the DNS servers configured on the client?
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline swix

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +1/-0
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #66 on: February 09, 2015, 10:56:23 am »
Ok.  So what are the DNS servers configured on the client?
     

Set via DHCP, simply the router's ip address:
Code: [Select]
   option domain-name-servers 192.168.1.100;

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9047
  • Karma: +1032/-306
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #67 on: February 09, 2015, 11:25:54 am »
And you've actually verified that's the case on the client?
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8553
  • Karma: +956/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #68 on: February 09, 2015, 11:44:18 am »
Thanks for your update Trel, we're still searching here, but enabling DNSSEC does not stop the issue.   

It does NOT stop the issue on domains that are not signed, no. Also, it will NOT prevent the DNS hijack if your clients are NOT using pfSense or another DNSSEC-enabled resolver, even if the zones are signed. It will prevent resolving domains to malicious crap for the rest.

- Block/redirect all DNS queries on LAN to pfSense
- Find and reimage infected crap.
« Last Edit: February 09, 2015, 11:49:17 am by doktornotor »
Do NOT PM for help!

Offline Trel

  • Sr. Member
  • ****
  • Posts: 368
  • Karma: +11/-1
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #69 on: February 09, 2015, 11:51:03 am »
- Find and reimage infected crap.

I agree, but I would like to point out the way it affects pfsense/unbound is not a good thing at all.

A lookup on a completely isolated network segment made unbound start giving bad resolutions to ALL network segments when other DNS servers were permitted, and when they were blocked, unbound simply stopped replying.

That's not really the best outcome for a single computer looking up a bad domain.




Offline swix

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +1/-0
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #70 on: February 09, 2015, 11:55:10 am »
And you've actually verified that's the case on the client?

Yes, + also did tests with dig @192.168.1.100 and directly via the pfsense shell. "poisoned" ip in every case (after a few seconds after the beginning of a new occurence of the issue).


It does NOT stop the issue on domains that are not signed, no. Also, it will NOT prevent the DNS hijack if your clients are NOT using pfSense or another DNSSEC-enabled resolver, even if the zones are signed. It will prevent resolving domains to malicious crap for the rest.

Yep, I supposed that too, but sometimes there are collateral effets to such settings.


- Block/redirect all DNS queries on LAN to pfSense
- Find and reimage infected crap.

It will continue tomorrow, now it is calm again, as everybody left the office :)    But even if it is related to one malicious host on the LAN, it shouldn't be able to break the unbound resolver so easily...

Thanks again for all your feedbacks and until tomorrow!

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9047
  • Karma: +1032/-306
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #71 on: February 09, 2015, 12:14:10 pm »
If pfSense/unbound asks the configured upstream DNS servers to resolve a query and gets something unexpected back it's not the fault of pfSense/unbound.

You need to be looking at these queries from the root back and see where things go wrong.

Very intriguing.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8553
  • Karma: +956/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #72 on: February 09, 2015, 12:22:04 pm »
If pfSense/unbound asks the configured upstream DNS servers to resolve a query and gets something unexpected back it's not the fault of pfSense/unbound.

Yes, exactly. Strongly suspect most of the people here are either using some hacked ISP device that hijacks the DNS traffic or the clients do not query the pfSense DNS resolver at all.
Do NOT PM for help!

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9047
  • Karma: +1032/-306
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #73 on: February 09, 2015, 12:27:43 pm »
Also, by obfuscating everything to example.com, you are eliminating the ability of everyone reading this thread from seeing what responses they get to the same queries.

Maybe someone else would get the BS responses and be in a better position to troubleshoot it than you are.

I would put this on LAN:

pass IPv4 TCP/UDP source LAN net dest ! 192.168.1.100 port 53 log

Put that above your normal pass rule.  If everything is as you say, it should log nothing.

On pfSense 2.2 you should be able to set the dest to ! This Firewall (self).
« Last Edit: February 09, 2015, 12:34:29 pm by Derelict »
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8553
  • Karma: +956/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Periodic since 2.2 pages load blank, certs invalid
« Reply #74 on: February 09, 2015, 12:34:42 pm »
Also, by obfuscating everything to example.com, you are eliminating the ability of everyone reading this thread from seeing what responses they get to the same queries.

Pretty sure I could get these guys involved in investigating the issue here (they've also written the Knot DNS server so I'm rather convinced they are familiar with DNS  :P) -- however that'd require either remote access or at least uncensored traffic captures. Not example.com -- totally useless.
« Last Edit: February 09, 2015, 12:43:16 pm by doktornotor »
Do NOT PM for help!