Very strange blocked page (cert. from: hooyu-id.natwest.com)

Help
1

Hi there all,

I have very strange problem with my PiHole DNS server.

I use a service for my invoices, and if I go to fattureincloud.it web page, it's work, and I have the SSL cet. from Amazon RSA.

image
image651×679 56.8 KB

But when I try to log in on page https://secure.fattureincloud.it/ I take an error like this:

image
image812×655 113 KB

What is so strange is that the certificate this time is from hooyu-id.natwest.com ... I don't know who is it.

image
image824×813 79.5 KB

Anyway... if I change the DNS from on my PC from PiHole IP to 1.1.1.1 the site is work.

I have try to disable all the blacklist filter on PiHole, and reset it, but I take same think.

And on the PiHole LOG page is like all ok:

image
image826×376 53.6 KB

Is very strange think and I have search a lot of hours in order to find that problem, but I didn't find something like this.

Anyone can help me please ?

Thanks in advance

Denis

2

HooYu is a UK-based identification service, dealing with things like customer identification. document validation, fraud prevention, etc. They were acquired by another identification service company, Mitek, back in 2022.

NatWest is a UK-based bank. They are partnered with Mitek who provide fraud prevention services. So the domain hooyu-id.natwest.com is legitimate and relates to how NatWest is providing those services to its online products.

Fatture in Cloud's privacy policy states they share information with banks and third-party service providers.

This doesn't solve the puzzle of why you had a HooYu NatWest https site load up when accessing Fatture's login, nor does it explain why this problem went away when you switched to Cloudflare's DNS, but it looks like these are all legitimate services and all related to finance and fraud prevention, so it makes sense, sort of.

It may have been a temporary misconfiguration with the online services, or it may have been something browser-based – for example if a previous site also used these services and you had cookies saved for that domain, causing the service to try and load content for the wrong domain.

Are you able to repeat what you saw when you try again now? What happens if you clear your browser's cache and cookies and try again? What about if you try a different browser on a different computer which also uses Pi-hole?

4

First of all, thanks for the help.
Yes... I have try with some other PC on my LAN,
also I have make a new Windows11 VM under my ProxMox server, but the result is the same.
Also I have try Chrome, Firefox and Edge... and same result too.

But what I really don't understand is the different certificate on the https://secure.fattureincloud.it/ site.
Can be that the fattureincloud.it give me another certificate when I have some conditions ?
Have you some other idea please ?

Thanks a lot again
Denis

5

Try running these four commands from your Windows VM where you are seeing this problem. What outputs do you get for each command? Replace PIHOLE_IP with the IP address of your Pi-hole on your network.

nslookup secure.fattureincloud.it

nslookup secure.fattureincloud.it PIHOLE_IP

nslookup secure.fattureincloud.it 1.1.1.1

nslookup -class=chaos -type=txt version.bind 198.41.0.4
6

Thanks a lot for the help.
Here my ip is 151.59.112.xxx
my PiHole server is 192.168.1.53
and my domain is mydomain.com.

C:\Users\denis>nslookup secure.fattureincloud.it
Server:  pi.hole
Address:  192.168.1.53

Risposta da un server non autorevole:
Nome:    mydomain.com
Address:  151.59.112.xxx
Aliases:  secure.fattureincloud.it.mydomain.com


C:\Users\denis>nslookup secure.fattureincloud.it 192.168.1.53
Server:  pi.hole
Address:  192.168.1.53

Risposta da un server non autorevole:
Nome:    mydomain.com
Address:  151.59.112.xxx
Aliases:  secure.fattureincloud.it.mydomain.com


C:\Users\denis>nslookup secure.fattureincloud.it 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

Risposta da un server non autorevole:
Nome:    mydomain.com
Address:  151.59.112.xxx
Aliases:  secure.fattureincloud.it.mydomain.com


C:\Users\denis>nslookup -class=chaos -type=txt version.bind 198.41.0.4
in-addr.arpa    nameserver = f.in-addr-servers.arpa
in-addr.arpa    nameserver = b.in-addr-servers.arpa
in-addr.arpa    nameserver = d.in-addr-servers.arpa
in-addr.arpa    nameserver = a.in-addr-servers.arpa
in-addr.arpa    nameserver = c.in-addr-servers.arpa
in-addr.arpa    nameserver = e.in-addr-servers.arpa
f.in-addr-servers.arpa  internet address = 193.0.9.1
f.in-addr-servers.arpa  AAAA IPv6 address = 2001:67c:e0::1
b.in-addr-servers.arpa  internet address = 199.253.183.183
b.in-addr-servers.arpa  AAAA IPv6 address = 2001:500:87::87
d.in-addr-servers.arpa  internet address = 200.10.60.53
d.in-addr-servers.arpa  AAAA IPv6 address = 2001:13c7:7010::53
a.in-addr-servers.arpa  internet address = 199.180.182.53
a.in-addr-servers.arpa  AAAA IPv6 address = 2620:37:e000::53
c.in-addr-servers.arpa  internet address = 196.216.169.10
c.in-addr-servers.arpa  AAAA IPv6 address = 2001:43f8:110::10
e.in-addr-servers.arpa  internet address = 203.119.86.101
e.in-addr-servers.arpa  AAAA IPv6 address = 2001:dd8:6::101
Server:  UnKnown
Address:  198.41.0.4

version.bind    text =

        "ATLAS"

Thanks again
Denis

7

Thankyou. What is mydomain.com? Is this replacement text for a domain owned by you? What is that 151 IP address, is that something belonging to you? This is what I get for all three fatture tests:

Non-authoritative answer:
Name: secure.fattureincloud.it
Address: 34.250.82.27
Name: secure.fattureincloud.it
Address: 63.32.120.74
Name: secure.fattureincloud.it
Address: 63.32.221.69
8

Yes mydomain.com is replacement text for a domain owned by me,
and the 151.59.112.xxx is my home Ip (I put xxx for privacy reason)

I so that you don't have aliases.
I realy don't understand where from it take that aliases...

I also use the OpnSense router (also the DHCP server)
Do you think that can be from the OpnSense that issue ?

Thanks a lot again
Denis

9

It appears that something on your network or computers is causing that domain to resolve to your own IP instead of the proper IP, regardless of which DNS server you ask. That would be a cause of a certificate error though I'm not sure why that natwest address is relevant – perhaps this was also resolved previously as part of a site and is cached.

I don't use OPNsense – have a look for any obvious alias definitions or firewall type rules that might be relevant. You mentioned you'd tried this on another computer and had the same results. Are both computers running copies of the same security software (if any), such as antivirus software? Are they running applications from a finance-related organisation?

That final ATLAS test you did shows that an external DNS query was not intercepted. But if you query this domain on Cloudflare you get the same result as on your Pi-hole. But originally it was changing to that DNS server which fixed the problem.

Can you create a debug log please and post the token URL it gives you. You can do this in Tools > Generate debug log > Upload debug log and provide Debug token > Generate debug log .

10

I didn't know of this type of debug log :slight_smile:
I have generate it and because I so that I can't send you e prvt. message,
I paste here the token code: xxxxx
...hope you know the rest of the link :wink:

Thanks a lot again
Denis

11

I don't understand how it's work the link...
I paste it in Chrome and I take a blank page :frowning:
It is normal please ?

12

Dear Chris,
I have just install the AdGuard plugin in my OpnSense router and all work so nice.

C:\Users\denis>nslookup secure.fattureincloud.it
Server:  router
Address:  192.168.1.1

Risposta da un server non autorevole:
Nome:    secure.fattureincloud.it
Addresses:  34.250.82.27
          63.32.120.74
          63.32.221.69

It anyway remain very strange think... but I have no more ideeas, so I changed.

Thank you so much for the help
Denis

13

It is a diagnostic log which gathers information about your Pi-hole and its configuration and makes it available to a small number of Pi-hole people on a secure server for 48 hours, after which it is purged. You create the log as described above and post the https://tricorder.pi-hole.net link here. There is no need for a private message, only Pi-hole people can access it.

14

Yes, this is normal.

You are not allowed to access the restricted area.
Only developers and moderators will be able to read the log using this link.

You can read your own log at /var/log/pihole/pihole_debug.log.

15

Ah ok... this is greate for the personal data :slight_smile:
Thanks a lot.
Denis