I have OpenWRT and pi-hole setup in VM with unbound (configured using tutorial from pihole with unbound) as DNS server and act as both sole DNS and DHCP server, i realise the problem that protonmail.com is unavailable with error "ERR_CONNECTION_TIMED_OUT". my first thought is maybe the pi-hole is interfering but after trying :
Using from another PC / laptop and different browser (to ensure not isolated or plugin problem)
Disabling the pi-hole itself
Switching pi-hole dns server from local unbound to using cloudflare
View pi-hole query log to look for blocked access
Using protonmail.com ip address using dig / nslookup from the unbound - pihole itself (I can ping and nslookup protonmail.com)
Directly set my client PC DNS with cloudflare or other provider
So far none worked... but then I try to bypass OpenWRT by connecting my ISP cable modem directly to PC (I'm using OpenWRT as router in VM configured as bridged connection to my ISP modem to reduce multiple NAT) and it worked normally. which is weird... is my problem related to OpenWRT with bridging setup?
update : another weird problem, when using nslookup protonmail.com from my client PC (windows) and my pi-hole server, it resolve name... but nslookup from my OpenWRT failed to resolve the address (ping works however)... all of them using pi-hole dns server.
# Interface lan
nameserver 192.168.1.10
# Interface wan
nameserver 27.50.10.11
nameserver 27.50.10.11
both nslookup from my windows PC and from OpenWRT server use 192.168.1.10 which is my pi-hole DNS server, 27.50.10.11 is DNS given from my ISP (I got private address from my ISP modem).
and this is the one from my windows PC, since my pihole act as dns server and has ability to add cname record (it's in the UI), I set a local cname record (non FQDN of course) for each of my server and router. in this case pihole.lan refers to my pihole server.
if you have a pihole, there's a chance you want(ed) to redirect all DNS calls to it, blocking devices and apps with hardcoded DNSes to use your own DNS.
try changing the nameserver entries in the resolv.conf to 8.8.8.8/8.8.4.4.
I did that before, set my DNS to be authoritative to 192.168.1.10, and to make it more weird this is with protonmail.com domain only, other domain resolve in both openwrt and my windows pc client.
ok will try to change resolv.conf, do I change in lan or wan section? or replace both?
I temp set 8.8.8.8 in resolv.conf (my APs don't have a DNS set up), and I get the same answer in nslookup, but ping works, so I have to assume it's OK.
root@OpenWrt0:~# nslookup www.protonmail.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Name: www.protonmail.com
Address 1: 185.70.41.31
*** Can't find www.protonmail.com: No answer
root@OpenWrt0:~# ping www.protonmail.com
PING www.protonmail.com (185.70.41.31): 56 data bytes
64 bytes from 185.70.41.31: seq=0 ttl=46 time=40.831 ms
Oh I thought that was specific in my case from windows pc the result a bit different. by the way /etc/resolv.conf is symlink from /tmp/resolv.conf right? i just try to put it back together via ln -s /tmp/resolv.conf /etc/resolv.conf
Oh and ping to www.protonmail.com also works normally in my OpenWRT devices which is weird though...
my chrome in android phone use it's own dns server (I think) and it can connect to protonmail.com website even though it use same wifi connection with my laptop (which it can't), but if I change my dns server in windows setting and it still won't connect to protonmail.com, even using other pc which use linux also can't connect to it.
Ok update, I replaced the OpenWrt in my VM with OpnSense with same IP address. Both DNS and DHCP server are unchanged using Pi-Hole in other VM... ProtonMail now accessible and also several website which previously shown incomplete (some css not loaded) now looks good.
I'm quite baffled since I didn't replace any of the DNS and DHCP server, so my only suspect is OpenWRT firewall or maybe some sqm settings?