Conditional Fwding & MFA / Auth Apps

The issue I am facing:
When enabling Conditional Fwding on latest Pihole, Auth Apps like Msft Authenticator and Google's will stop working. Error is given as "can't connect to server at this time"
Details about my system:
RPi4 4GB w/latest Raspbian OS (kernel 5.10.17-v7l+ #1403 SMP Mon Feb 22 11:33:35 GMT 2021 armv7l GNU/Linux) -- Pi-hole® v5.3.1, Web v5.5, FTL v5.8.1, PADD v3.5.1
What I have changed since installing Pi-hole:
1- Enabled DNSSEC = everything working as expected
2- a day later I enabled "Conditional Fwding" with 192.168.88.0/24 (.1 for router)

Please provide us with some details of these queries, forwards and replies from the dnsmasq logs at the following locations:

/var/log/pihole.log

/var/log/pihole.log.1

Hi,

I think this section of the pihole.log contains the problem & revolves around "brooklynservices" (while conditional fwding was enabled):

May 18 08:07:00 dnsmasq[2734]: reply www.google.com is 108.177.122.99
May 18 08:07:00 dnsmasq[2734]: reply www.google.com is 108.177.122.103
May 18 08:07:06 dnsmasq[2734]: query[type=65] brooklynservices.azurefd.net from 192.168.88.1
May 18 08:07:06 dnsmasq[2734]: forwarded brooklynservices.azurefd.net to 208.67.220.220
May 18 08:07:06 dnsmasq[2734]: query[A] brooklynservices.azurefd.net from 192.168.88.1
May 18 08:07:06 dnsmasq[2734]: forwarded brooklynservices.azurefd.net to 208.67.220.220
May 18 08:07:06 dnsmasq[2734]: forwarded brooklynservices.azurefd.net to 208.67.222.222
May 18 08:07:06 dnsmasq[2734]: forwarded brooklynservices.azurefd.net to 208.67.220.220
May 18 08:07:06 dnsmasq[2734]: dnssec-query[DS] azurefd.net to 208.67.220.220
May 18 08:07:06 dnsmasq[2734]: validation result is INSECURE
May 18 08:07:06 dnsmasq[2734]: reply error is REFUSED
May 18 08:07:06 dnsmasq[2734]: query[type=65] brooklynservices.azurefd.net from 192.168.88.1
May 18 08:07:06 dnsmasq[2734]: forwarded brooklynservices.azurefd.net to 208.67.220.220
May 18 08:07:06 dnsmasq[2734]: forwarded brooklynservices.azurefd.net to 208.67.222.222
May 18 08:07:06 dnsmasq[2734]: reply azurefd.net is no DS
May 18 08:07:06 dnsmasq[2734]: dnssec-query[DS] t-msedge.net to 208.67.220.220
May 18 08:07:06 dnsmasq[2734]: query[type=65] brooklynservices.azurefd.net from 192.168.88.1
May 18 08:07:06 dnsmasq[2734]: query[A] brooklynservices.azurefd.net from 192.168.88.1
May 18 08:07:06 dnsmasq[2734]: reply t-msedge.net is no DS
May 18 08:07:06 dnsmasq[2734]: validation result is INSECURE
May 18 08:07:06 dnsmasq[2734]: reply brooklynservices.azurefd.net is <CNAME>
May 18 08:07:06 dnsmasq[2734]: reply star-azurefd-prod.trafficmanager.net is <CNAME>
May 18 08:07:06 dnsmasq[2734]: reply dual.part-0013.t-0009.t-msedge.net is <CNAME>
May 18 08:07:06 dnsmasq[2734]: reply part-0013.t-0009.t-msedge.net is 13.107.213.41
May 18 08:07:06 dnsmasq[2734]: reply part-0013.t-0009.t-msedge.net is 13.107.246.41
May 18 08:07:06 dnsmasq[2734]: validation result is INSECURE
May 18 08:07:06 dnsmasq[2734]: reply error is REFUSED
May 18 08:07:06 dnsmasq[2734]: query[type=65] part-0013.t-0009.t-msedge.net from 192.168.88.1
May 18 08:07:06 dnsmasq[2734]: forwarded part-0013.t-0009.t-msedge.net to 208.67.220.220
May 18 08:07:06 dnsmasq[2734]: forwarded part-0013.t-0009.t-msedge.net to 208.67.222.222
May 18 08:07:06 dnsmasq[2734]: query[type=65] part-0013.t-0009.t-msedge.net from 192.168.88.1
May 18 08:07:06 dnsmasq[2734]: validation result is INSECURE

When I disabled it, this happened and things started working again:

May 18 10:38:42 dnsmasq[2734]: query[type=65] www.tm.a.prd.aadg.akadns.net from 192.168.88.1
May 18 10:38:42 dnsmasq[2734]: forwarded www.tm.a.prd.aadg.akadns.net to 208.67.222.222
May 18 10:38:42 dnsmasq[2734]: reply azurefd.net is no DS
May 18 10:38:42 dnsmasq[2734]: dnssec-query[DS] t-msedge.net to 208.67.222.222
May 18 10:38:42 dnsmasq[2734]: query[type=65] brooklynservices.azurefd.net from 192.168.88.1
May 18 10:38:42 dnsmasq[2734]: forwarded brooklynservices.azurefd.net to 208.67.222.222
May 18 10:38:42 dnsmasq[2734]: query[A] brooklynservices.azurefd.net from 192.168.88.1
May 18 10:38:42 dnsmasq[2734]: forwarded storage.live.com to 208.67.220.220
May 18 10:38:42 dnsmasq[2734]: forwarded storage.live.com to 208.67.222.222
May 18 10:38:42 dnsmasq[2734]: query[type=65] mobileappcommunicator.auth.microsoft.com from 192.168.88.1
May 18 10:38:42 dnsmasq[2734]: cached mobileappcommunicator.auth.microsoft.com is <CNAME>
May 18 10:38:42 dnsmasq[2734]: cached prda.aadg.msidentity.com is <CNAME>
May 18 10:38:42 dnsmasq[2734]: forwarded mobileappcommunicator.auth.microsoft.com to 208.67.220.220
May 18 10:38:42 dnsmasq[2734]: forwarded mobileappcommunicator.auth.microsoft.com to 208.67.222.222
May 18 10:38:42 dnsmasq[2734]: query[type=65] login.live.com from 192.168.88.1

Please let me know if I can provide any other details or if I missed what is needed.
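To make log excerpts like the ones above easier to read, here is a small added Python example (not part of this thread or of Pi-hole) that parses dnsmasq log lines in the format shown, counts queries, forwards and answers per name, and reports names that were forwarded upstream but ended in a "reply error" with no answer. The sample log is constructed; since dnsmasq's "reply error is ..." line carries no query name, the example assumes the error belongs to the most recently forwarded name.

```python
import re
from collections import defaultdict

# Constructed sample, mirroring the dnsmasq log format shown in the thread.
SAMPLE_LOG = """\
May 18 08:07:06 dnsmasq[2734]: query[A] brooklynservices.azurefd.net from 192.168.88.1
May 18 08:07:06 dnsmasq[2734]: forwarded brooklynservices.azurefd.net to 208.67.220.220
May 18 08:07:06 dnsmasq[2734]: dnssec-query[DS] azurefd.net to 208.67.220.220
May 18 08:07:06 dnsmasq[2734]: reply azurefd.net is no DS
May 18 08:07:06 dnsmasq[2734]: validation result is INSECURE
May 18 08:07:06 dnsmasq[2734]: reply error is REFUSED
May 18 08:07:06 dnsmasq[2734]: query[A] www.google.com from 192.168.88.10
May 18 08:07:06 dnsmasq[2734]: forwarded www.google.com to 208.67.222.222
May 18 08:07:06 dnsmasq[2734]: reply www.google.com is 108.177.122.99
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FWD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
ERROR_RE = re.compile(r"^reply error is (?P<rcode>\S+)$")
REPLY_RE = re.compile(r"^(?:reply|cached) (?P<name>\S+) is (?P<answer>.+)$")

def analyse(log_text):
    """Return per-name counters; errors are attributed to the last forwarded name (assumption)."""
    stats = defaultdict(lambda: {"queries": 0, "forwards": 0, "answers": 0, "errors": []})
    last_forwarded = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if (q := QUERY_RE.match(msg)):
            stats[q["name"]]["queries"] += 1
        elif (f := FWD_RE.match(msg)):
            stats[f["name"]]["forwards"] += 1
            last_forwarded = f["name"]
        elif (e := ERROR_RE.match(msg)):          # checked before REPLY_RE: "reply error is ..." also matches it
            if last_forwarded:
                stats[last_forwarded]["errors"].append(e["rcode"])
        elif (r := REPLY_RE.match(msg)):
            if r["answer"] != "no DS":              # DNSSEC bookkeeping, not an answer for the name
                stats[r["name"]]["answers"] += 1
    return dict(stats)

def unresolved_names(stats):
    """Names that were forwarded, got an upstream error, and never received an answer."""
    return sorted(n for n, s in stats.items() if s["forwards"] and s["errors"] and s["answers"] == 0)
```

Running `unresolved_names(analyse(open("/var/log/pihole.log").read()))` on a real log lists the names to compare against the conditional forwarding settings.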
