Date: Tue, 27 Jan 2026 17:33:31 +0100
Subject: Re: Problem experienced with IPFire Recursor mode
To: Michael Tremer
Cc: "IPFire: Development-List"
From: Adolf Belka

Hi Michael,

On 27/01/2026 17:10, Michael Tremer wrote:
> Hello Adolf,
>
> Interesting case. I tried to resolve the domain at my office and that seems to be working just fine.
>
> They don’t even use DNSSEC, so any problems from that can be ruled out.
>
> Anything more in the logs? It could have been the IP blocklists blocking communication.

I checked out disabling the IP Blocklists, IPS and Web Proxy and still it was blocked if I was using recursor mode.

I just came home and the standard dns servers have been running for the last 5 hours (so not recursor mode) and tried accessing the login page and it worked fine.

I then changed back to the recursor mode, cleared the browser cache and immediately the login page failed to load. The message I get is

Unable to connect

Firefox can’t establish a connection to the server at auth.opgroen.nl.

Error code: 503 Service Unavailable

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.

I then turned back on the listed dns servers, cleared the browser cache and the login page worked immediately. So the issue is consistent.

>
> If you have been testing DBL, that can probably be ruled out because you don’t resolve anything. The domain is not listed: https://www.ipfire.org/dbl/search?q=auth.opgroen.nl

For this investigation I had disabled the URL Filter.

I looked in the DS logs for all of January and only found a single entry

09/21:27:54 unbound: [2020:0] error: SERVFAIL : misc failure

This was combined with a lot of other fails but this was when there was a problem with my ISP connection and before the time that I was trying to login to my insurer.

So as far as I can find other than the Unable to resolve A/AAAA record message I have not found any other message related to opgroen.nl in my logs for the whole of January which makes it very strange, especially as I can turn the problem on and off by using recursor mode or using listed dns servers.

Anyway, I have a working system now with listed dns servers so will stay using that for the future.

Regards,

Adolf.

>
> -Michael
>
>> On 27 Jan 2026, at 10:28, Adolf Belka wrote:
>>
>> Hi All,
>>
>> Thought I would communicate about a problem I have been having.
>>
>> I needed to login to my Insurance web site. I could access all the web pages I wanted but when trying to login I always got a 503 not available or a timeout. This was happening for the last three days.
>>
>> I disabled the web proxy, IPS and the IP Blocklists functions but none of it made any difference. Also cleared all caches I could find. No difference. All other web sites and logins worked fine.
>>
>> This morning looking through various logs I found the following message.
>>
>> INFO: Unable to resolve A/AAAA record of queried destination 'auth.opgroen.nl', returning ERR...
>>
>> I was using the Recursor mode with my IPFire DNS but I still had 5 DNS servers listed, just not enabled.
>> I therefore enabled them and immediately I was able to get the login screen to display.
>>
>> I then reverted back to the recursor mode and the login stayed working. Also after waiting 5 minutes.
>> I then cleared the browser cache and the login page failed to be found.
>>
>> I then enabled just one DNS server - recursor01.dns.lightningwirelabs.com - on the DNS page and the login page worked again.
>>
>> Also tested clearing the browser cache and the login page still being shown.
>>
>> Working now for over 15 minutes. That is compared to not working at all once over the last three days trying numerous times.
>>
>> So there seems to be something about my insurance provider's login page that doesn't want to work well with the Recursor Mode, although everything else has worked fine.
>>
>> So I now have a selected DNS site and thankfully I am able to access the login page again but thought I would let you know what I found.
>>
>> Regards,
>>
>> Adolf.