Re: Problem experienced with IPFire Recursor mode

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Adolf Belka <adolf.belka@ipfire.org>
To: Michael Tremer <michael.tremer@ipfire.org>
Cc: "IPFire: Development-List" <development@lists.ipfire.org>
Subject: Re: Problem experienced with IPFire Recursor mode
Date: Tue, 27 Jan 2026 17:33:31 +0100	[thread overview]
Message-ID: <acba632d-9bb4-46bf-91fe-bd2c298472c0@ipfire.org> (raw)
In-Reply-To: <533CB0E0-EB46-45B4-ADB6-E5654D4A8F1B@ipfire.org>

Hi Michael,

On 27/01/2026 17:10, Michael Tremer wrote:
> Hello Adolf,
> 
> Interesting case. I tried to resolve the domain at my office and that seems to be working just fine.
> 
> They don’t even use DNSSEC, so any problems from that can be ruled out.
> 
> Anything more in the logs? It could have been the IP blocklists blocking communication.

I checked out disabling the IP Blocklists, IPS and Web Proxy and still it was blocked if I was using recursor mode.

I just came home and the standard dns servers have been running for the last 5 hours (so not recursor mode) and tried accessing the login page and it worked fine.

I then changed back to the recursor mode, cleared the browser cache and immediately the login page failed to load. The message I get is


Unable to connect
Firefox can’t establish a connection to the server at auth.opgroen.nl.
Error code: 503 Service Unavailable
     The site could be temporarily unavailable or too busy. Try again in a few moments.
     If you are unable to load any pages, check your computer’s network connection.
     If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.

I then turned back on the listed dns servers, cleared the browser cache and the login page worked immediately.

So the issue is consistent.

> 
> If you have been testing DBL, that can probably be ruled out because you don’t resolve anything. The domain is not listed: https://www.ipfire.org/dbl/search?q=auth.opgroen.nl

For this investigation I had disabled the URL Filter.

I looked in the DS logs for all of January and only found a single entry

09/21:27:54 unbound: [2020:0]  error: SERVFAIL <opgroen.nl. A IN>: misc failure

This was combined with a lot of other fails but this was when there was a problem with my ISP connection and before the time that I was trying to login to my insurer.

So as far as I can find other than the Unable to resolve A/AAAA record message I have not found any other message related to opgroen.nl in my logs for the whole of January which makes it very strange, especially as I can turn the problem on and off by using recursor mode or using listed dns servers.

Anyway, I have a working system now with listed dns servers so will stay using that for the future.

Regards,

Adolf.

> 
> -Michael
> 
>> On 27 Jan 2026, at 10:28, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Hi All,
>>
>> Thought I would communicate about a problem I have been having.
>>
>> I needed to login to my Insurance web site. I could access all the web pages I wanted but when trying to login I always got a 503 not available or a timeout. This was happening for the last three days.
>>
>> I disabled the web proxy, IPS and the IP Blocklists functions but none of it made any difference. Also cleared all caches I could find. No difference. All other web sites and logins worked fine.
>>
>> This morning looking through various logs I found the following message.
>>
>> INFO: Unable to resolve A/AAAA record of queried destination 'auth.opgroen.nl', returning ERR...
>>
>> I was using the Recursor mode with my IPFire DNS but I still had 5 DNS servers listed, just not enabled.
>> I therefore enabled them and immediately I was able to get the login screen to display.
>>
>> I then reverted back to the recursor mode and the login stayed worked. Also after waiting 5 minutes. I then cleared the browser cache and the login page failed to be found.
>>
>> I then enabled just one DNS server - recursor01.dns.lightningwirelabs.com - on the DNS page and the login page worked again.
>>
>> Also tested clearing the browser cache and the login page still being shown.
>>
>> Working now for over 15 minutes. That is compared to not working at all once over the last three days trying numerous times.
>>
>> So there seems to be something about my insurance providers login page that doesn't want to work well with the Recursor Mode, although everything else has worked fine.
>>
>> So I now have a selected DNS site and thankfully I am able to access the login page again but thought I would let you know what I found.
>>
>> Regards,
>>
>> Adolf.
>>
>>
>

next prev parent reply	other threads:[~2026-01-27 16:33 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-27 10:28 Adolf Belka
2026-01-27 16:10 ` Michael Tremer
2026-01-27 16:33   ` Adolf Belka [this message]
2026-01-28 12:07     ` Michael Tremer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=acba632d-9bb4-46bf-91fe-bd2c298472c0@ipfire.org \
    --to=adolf.belka@ipfire.org \
    --cc=development@lists.ipfire.org \
    --cc=michael.tremer@ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox