Accessibility of postfinance.ch

Greetings networkers 😉

For about 3 weeks I have had a really strange phenomenon that, in my opinion, cannot be explained. I have an XGS-PON connection with pfSense etc. This connection has been running great for a year and I can do anything and open any page I want. But for the past 3 weeks I haven’t always been able to access postfinance.ch and post.ch. Unfortunately, this is a bit of a problem because I have an account with PostFinance.

I can’t reach the two websites from my cell phone over WiFi either, but I can reach them without any problem via VPN or 4G. That’s why I assume that it is most likely a Swisscom problem. Interestingly, all other websites work without any problems.

I’ve already rebooted pfSense 2-3 times, but it doesn’t make any difference. There are days when both websites work without any problems.

nslookup postfinance.ch

[Screenshot: nslookup postfinance.ch output]

I have Google and Quad9 configured as DNS servers on the pfSense. As written, everything works without problems via VPN. It almost looks to me like my IP is blocked. But it could also be a Swisscom routing problem, because I am no longer behind CGNAT and have my own router and an XGS-PON connection. Another possible problem could be IPv6, which is enabled on my side.

I still have a bit of catching up to do with IPv6 as not everything is properly configured yet…

[Screenshot omitted]

Anyone have any good ideas?

Thank you very much for your input…


Hi @gnome2018,

In your screenshot you can see that the DNS server is not responding. So I would guess DNS 😉

Do you see anything about this in the pfSense log? Can you show us your DNS configuration on the pfSense?

I had a similar problem with Quad9 some time ago, so try it as a test with Cloudflare, for example:

```text
C:\Users\r00t>nslookup <enter>
Default server: prl-local-ns-server.shared
Address: 10.211.55.1

> server 1.1.1.1 <enter>
Default server: one.one.one.one
Address: 1.1.1.1

> postfinance.ch <enter>
Server: one.one.one.one
Address: 1.1.1.1

Non-authoritative answer:
Name: postfinance.ch
Addresses: 2a00:17c9:0:103::20e
           194.41.166.32

>
```

If it works with Cloudflare, Quad9 Support would be happy to receive a ticket. (That finally solved the problem for me.)

Best regards

r00t


4b 65 69 6e 65 20 4d 61 63 68 74 20 64 65 72 20 6c 65 67 61 63 79 20 49 50 21

As you can easily see with Verisign’s DNSSEC debugger, www.postfinance.ch is one of the few Swiss domains that are secured with DNSSEC. So the error is to be found in the DNS area.

https://dnssec-debugger.verisignlabs.com/

When the VPN tunnel is set up and disconnected, the operating system’s DNS cache should be emptied with the command-line command:

# ipconfig /flushdns

Here is the excerpt from my DNSSEC test flow for Linux:

```text
Positive test
------------------------------------------------------------------------
# dig +multili +dnssec www.nic.ch
=> status: NOERROR
=> flags: ad
=> EDNS: version: 0, flags: do;
=> SERVER: 127.0.0.1

# dig +multili +dnssec www.nic.cz
=> status: NOERROR
=> flags: ad
=> EDNS: version: 0, flags: do;
=> SERVER: 127.0.0.1

Negative test
------------------------------------------------------------------------
# nslookup www.rhybar.cz
=> Got SERVFAIL reply from 127.0.0.1

# dig +multili +dnssec www.rhybar.cz
=> status: SERVFAIL

# nslookup www.dnssec-failed.org
=> Got SERVFAIL reply from 127.0.0.1

# dig +multili +dnssec www.dnssec-failed.org
=> status: SERVFAIL

TCP test
------------------------------------------------------------------------
# dig +tcp www.meteoschweiz.admin.ch @192.168.1.1
```

This DNSSEC test can be adapted to Windows.

The Swisscom DNS servers are DNSSEC-aware.

https://community.swisscom.ch/t5/Archiv-Internet/Swisscom-DNS-Server-kein-dnssec/m-p/486189

For performance reasons, Swisscom’s DNS servers should be used.

pfSense uses unbound, and unbound in pfSense supports being used as a DNSSEC-validating DNS server if configured correctly.

https://docs.netgate.com/pfsense/en/latest/services/dns/resolver.html

https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-config.html

https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-advanced.html

I can only warmly recommend using unbound on your own hardware firewall/router as a DNSSEC-validating DNS server in the home network. See:

https://community.sunrise.ch/d/19158-dns-problem/9

Most Swiss e-banking websites are now secured with DNSSEC. For example Raiffeisen (https://login.raiffeisen.ch/de?applicationId=ebanking):

https://dnssec-debugger.verisignlabs.com/login.raiffeisen.ch

Please see the information on DNS and DNSSEC in my longer article from June 28, 2020 at:

https://community.sunrise.ch/d/4397-diagnose-tool-der-connect-box-says-your-heim-netzwerk-hat-derzeit-einige-probl/2

observe!

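As an added example (not part of the thread, and not pfSense or unbound code), this POSIX shell script automates the positive/negative DNSSEC test flow from the post above: it classifies a resolver's dig output by status and AD flag, and can run the same four test names live against any resolver. The function names, the sample outputs and the server argument are constructed for the example.

```shell
#!/bin/sh
# Classify the DNSSEC behaviour of a resolver from `dig +dnssec` output.
# Prints one of:
#   validated   - NOERROR with the AD flag (resolver validated the chain)
#   unvalidated - NOERROR without AD (answered, but nothing was validated)
#   servfail    - SERVFAIL (expected for the deliberately broken test zones)
#   other       - anything else (timeout, NXDOMAIN, ...)
classify_dig() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        SERVFAIL) echo servfail ;;
        *)        echo other ;;
    esac
}

# Live check (needs dig and network): the two positive names should come back
# "validated", the two broken names "servfail" on a validating resolver.
# Usage: dnssec_check 127.0.0.1
dnssec_check() {
    server="$1"
    for name in www.nic.ch www.nic.cz www.rhybar.cz www.dnssec-failed.org; do
        printf '%-24s %s\n' "$name" "$(classify_dig "$(dig +dnssec "$name" "@$server")")"
    done
}

# Constructed sample dig headers (abridged) so the classifier can be exercised offline.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1236
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

A resolver that returns "unvalidated" for www.nic.ch is forwarding without validating, which is the case worth fixing before blaming the bank's zone.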