Problem experienced with IPFire Recursor mode

Problem experienced with IPFire Recursor mode

[Adolf Belka]

Hi All,

Thought I would communicate about a problem I have been having.

I needed to login to my Insurance web site. I could access all the web pages I wanted but when trying to login I always got a 503 not available or a timeout. This was happening for the last three days.

I disabled the web proxy, IPS and the IP Blocklists functions but none of it made any difference. Also cleared all caches I could find. No difference. All other web sites and logins worked fine.

This morning looking through various logs I found the following message.

INFO: Unable to resolve A/AAAA record of queried destination 'auth.opgroen.nl', returning ERR...

I was using the Recursor mode with my IPFire DNS but I still had 5 DNS servers listed, just not enabled.
I therefore enabled them and immediately I was able to get the login screen to display.

I then reverted back to the recursor mode and the login stayed worked. Also after waiting 5 minutes. I then cleared the browser cache and the login page failed to be found.

I then enabled just one DNS server - recursor01.dns.lightningwirelabs.com - on the DNS page and the login page worked again.

Also tested clearing the browser cache and the login page still being shown.

Working now for over 15 minutes. That is compared to not working at all once over the last three days trying numerous times.

So there seems to be something about my insurance providers login page that doesn't want to work well with the Recursor Mode, although everything else has worked fine.

So I now have a selected DNS site and thankfully I am able to access the login page again but thought I would let you know what I found.

Regards,

Adolf.

Re: Problem experienced with IPFire Recursor mode

[Michael Tremer]

Hello Adolf,

Interesting case. I tried to resolve the domain at my office and that seems to be working just fine.

They don’t even use DNSSEC, so any problems from that can be ruled out.

Anything more in the logs? It could have been the IP blocklists blocking communication.

If you have been testing DBL, that can probably be ruled out because you don’t resolve anything. The domain is not listed: https://www.ipfire.org/dbl/search?q=auth.opgroen.nl

-Michael

> On 27 Jan 2026, at 10:28, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi All,
> 
> Thought I would communicate about a problem I have been having.
> 
> I needed to login to my Insurance web site. I could access all the web pages I wanted but when trying to login I always got a 503 not available or a timeout. This was happening for the last three days.
> 
> I disabled the web proxy, IPS and the IP Blocklists functions but none of it made any difference. Also cleared all caches I could find. No difference. All other web sites and logins worked fine.
> 
> This morning looking through various logs I found the following message.
> 
> INFO: Unable to resolve A/AAAA record of queried destination 'auth.opgroen.nl', returning ERR...
> 
> I was using the Recursor mode with my IPFire DNS but I still had 5 DNS servers listed, just not enabled.
> I therefore enabled them and immediately I was able to get the login screen to display.
> 
> I then reverted back to the recursor mode and the login stayed worked. Also after waiting 5 minutes. I then cleared the browser cache and the login page failed to be found.
> 
> I then enabled just one DNS server - recursor01.dns.lightningwirelabs.com - on the DNS page and the login page worked again.
> 
> Also tested clearing the browser cache and the login page still being shown.
> 
> Working now for over 15 minutes. That is compared to not working at all once over the last three days trying numerous times.
> 
> So there seems to be something about my insurance providers login page that doesn't want to work well with the Recursor Mode, although everything else has worked fine.
> 
> So I now have a selected DNS site and thankfully I am able to access the login page again but thought I would let you know what I found.
> 
> Regards,
> 
> Adolf.
> 
> 

Re: Problem experienced with IPFire Recursor mode

[Adolf Belka]

Hi Michael,

On 27/01/2026 17:10, Michael Tremer wrote:
> Hello Adolf,
> 
> Interesting case. I tried to resolve the domain at my office and that seems to be working just fine.
> 
> They don’t even use DNSSEC, so any problems from that can be ruled out.
> 
> Anything more in the logs? It could have been the IP blocklists blocking communication.

I checked out disabling the IP Blocklists, IPS and Web Proxy and still it was blocked if I was using recursor mode.

I just came home and the standard dns servers have been running for the last 5 hours (so not recursor mode) and tried accessing the login page and it worked fine.

I then changed back to the recursor mode, cleared the browser cache and immediately the login page failed to load. The message I get is


Unable to connect
Firefox can’t establish a connection to the server at auth.opgroen.nl.
Error code: 503 Service Unavailable
     The site could be temporarily unavailable or too busy. Try again in a few moments.
     If you are unable to load any pages, check your computer’s network connection.
     If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.

I then turned back on the listed dns servers, cleared the browser cache and the login page worked immediately.

So the issue is consistent.

> 
> If you have been testing DBL, that can probably be ruled out because you don’t resolve anything. The domain is not listed: https://www.ipfire.org/dbl/search?q=auth.opgroen.nl

For this investigation I had disabled the URL Filter.

I looked in the DS logs for all of January and only found a single entry

09/21:27:54 unbound: [2020:0]  error: SERVFAIL <opgroen.nl. A IN>: misc failure

This was combined with a lot of other fails but this was when there was a problem with my ISP connection and before the time that I was trying to login to my insurer.

So as far as I can find other than the Unable to resolve A/AAAA record message I have not found any other message related to opgroen.nl in my logs for the whole of January which makes it very strange, especially as I can turn the problem on and off by using recursor mode or using listed dns servers.

Anyway, I have a working system now with listed dns servers so will stay using that for the future.

Regards,

Adolf.

> 
> -Michael
> 
>> On 27 Jan 2026, at 10:28, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Hi All,
>>
>> Thought I would communicate about a problem I have been having.
>>
>> I needed to login to my Insurance web site. I could access all the web pages I wanted but when trying to login I always got a 503 not available or a timeout. This was happening for the last three days.
>>
>> I disabled the web proxy, IPS and the IP Blocklists functions but none of it made any difference. Also cleared all caches I could find. No difference. All other web sites and logins worked fine.
>>
>> This morning looking through various logs I found the following message.
>>
>> INFO: Unable to resolve A/AAAA record of queried destination 'auth.opgroen.nl', returning ERR...
>>
>> I was using the Recursor mode with my IPFire DNS but I still had 5 DNS servers listed, just not enabled.
>> I therefore enabled them and immediately I was able to get the login screen to display.
>>
>> I then reverted back to the recursor mode and the login stayed worked. Also after waiting 5 minutes. I then cleared the browser cache and the login page failed to be found.
>>
>> I then enabled just one DNS server - recursor01.dns.lightningwirelabs.com - on the DNS page and the login page worked again.
>>
>> Also tested clearing the browser cache and the login page still being shown.
>>
>> Working now for over 15 minutes. That is compared to not working at all once over the last three days trying numerous times.
>>
>> So there seems to be something about my insurance providers login page that doesn't want to work well with the Recursor Mode, although everything else has worked fine.
>>
>> So I now have a selected DNS site and thankfully I am able to access the login page again but thought I would let you know what I found.
>>
>> Regards,
>>
>> Adolf.
>>
>>
> 

Re: Problem experienced with IPFire Recursor mode

[Michael Tremer]

Hello Adolf,

> On 27 Jan 2026, at 16:33, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 27/01/2026 17:10, Michael Tremer wrote:
>> Hello Adolf,
>> Interesting case. I tried to resolve the domain at my office and that seems to be working just fine.
>> They don’t even use DNSSEC, so any problems from that can be ruled out.
>> Anything more in the logs? It could have been the IP blocklists blocking communication.
> 
> I checked out disabling the IP Blocklists, IPS and Web Proxy and still it was blocked if I was using recursor mode.
> 
> I just came home and the standard dns servers have been running for the last 5 hours (so not recursor mode) and tried accessing the login page and it worked fine.
> 
> I then changed back to the recursor mode, cleared the browser cache and immediately the login page failed to load. The message I get is
> 
> 
> Unable to connect
> Firefox can’t establish a connection to the server at auth.opgroen.nl.
> Error code: 503 Service Unavailable
>    The site could be temporarily unavailable or too busy. Try again in a few moments.
>    If you are unable to load any pages, check your computer’s network connection.
>    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.
> 
> I then turned back on the listed dns servers, cleared the browser cache and the login page worked immediately.
> 
> So the issue is consistent.
> 
>> If you have been testing DBL, that can probably be ruled out because you don’t resolve anything. The domain is not listed: https://www.ipfire.org/dbl/search?q=auth.opgroen.nl
> 
> For this investigation I had disabled the URL Filter.
> 
> I looked in the DS logs for all of January and only found a single entry
> 
> 09/21:27:54 unbound: [2020:0]  error: SERVFAIL <opgroen.nl. A IN>: misc failure

Hmm, this is not a very useful error message. I just checked the Unbound source and this seems to be coming from the validator module - the one for DNSSEC although the domain does not use DNSSEC at all.

Can you try to increase the val-log-level and see if Unbound can tell us more?

  https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-val-log-level

> This was combined with a lot of other fails but this was when there was a problem with my ISP connection and before the time that I was trying to login to my insurer.
> 
> So as far as I can find other than the Unable to resolve A/AAAA record message I have not found any other message related to opgroen.nl in my logs for the whole of January which makes it very strange, especially as I can turn the problem on and off by using recursor mode or using listed dns servers.
> 
> Anyway, I have a working system now with listed dns servers so will stay using that for the future.
> 
> Regards,
> 
> Adolf.
> 
>> -Michael
>>> On 27 Jan 2026, at 10:28, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>> 
>>> Hi All,
>>> 
>>> Thought I would communicate about a problem I have been having.
>>> 
>>> I needed to login to my Insurance web site. I could access all the web pages I wanted but when trying to login I always got a 503 not available or a timeout. This was happening for the last three days.
>>> 
>>> I disabled the web proxy, IPS and the IP Blocklists functions but none of it made any difference. Also cleared all caches I could find. No difference. All other web sites and logins worked fine.
>>> 
>>> This morning looking through various logs I found the following message.
>>> 
>>> INFO: Unable to resolve A/AAAA record of queried destination 'auth.opgroen.nl', returning ERR...
>>> 
>>> I was using the Recursor mode with my IPFire DNS but I still had 5 DNS servers listed, just not enabled.
>>> I therefore enabled them and immediately I was able to get the login screen to display.
>>> 
>>> I then reverted back to the recursor mode and the login stayed worked. Also after waiting 5 minutes. I then cleared the browser cache and the login page failed to be found.
>>> 
>>> I then enabled just one DNS server - recursor01.dns.lightningwirelabs.com - on the DNS page and the login page worked again.
>>> 
>>> Also tested clearing the browser cache and the login page still being shown.
>>> 
>>> Working now for over 15 minutes. That is compared to not working at all once over the last three days trying numerous times.
>>> 
>>> So there seems to be something about my insurance providers login page that doesn't want to work well with the Recursor Mode, although everything else has worked fine.
>>> 
>>> So I now have a selected DNS site and thankfully I am able to access the login page again but thought I would let you know what I found.
>>> 
>>> Regards,
>>> 
>>> Adolf.
>>> 
>>> 
>