rDNS, how?

drkt@feddit.dk to Selfhosted@lemmy.world – 18 points –

I'm on at least 2 blocklists at this point for the crime of not having reverse DNS set up. I don't know how rDNS works. No amount of reading Wikipedia is helping me understand what I have to do.

  • I have a domain at a registrar which gives me bog standard DNS.
  • I have Apache running on my network.
  • I have PiHole running on my network.

My understanding is that rDNS is not set up at my registrar, but somewhere in my network. What do I do?

Thank you for your time.

47

rDNS is something that is not set up by your domain registrar. It's set up by your ISP or cloud VM provider.

This is usually done by owner of the IP address block. If this is for a VPS or similar it will be your hosting provider. If you get a static IP from your internet service provider you will have to speak to them. Although depending on the policy of the provider this may be a business option only.

You are right, more specifically in case anyone is curious it usually has to be whomever owns the public IP addresses because that is who would own the reverse zone for that IP block according to the internet root dns servers in most circumstances. In OPs case you are probably right, this is probably the VPS provider but not always.

Thank you so much. Luckily my ISP has been nice so far, I guess we'll see.

Are you actually trying to send mail from your own smtp server? You mention apache and pihole which are completely unrelated.

No emails just routing issues.

Copy pasted but I have routing issues that neither my ISP nor the people who suffer from it can pinpoint. I’m so far down this rabbit hole that I’m assuming my IP got on a blacklist that’s sitting on some random networking infrastructure and I’m just trying to resolve all blacklist issues on the off chance that it works.

rDNS won't really help with that, it's just a DNS lookup that ties your IP to a hostname, typically used for mail server spam controls.

I'm desperate.

Have you done any traceroute runs when the issue is happening to try and diagnose where the routing issue is occurring?

Copied this from another comment I made

A number of people can’t route to me at all. My domain is drkt.eu and sits on port 80 and 443 @ 89.150.135.135 and 2a05:f6c7:8039::1337

IPv6 is not big in my country, and I don’t think anyone afflicted has IPv6 so I can’t tell you if this affects both v4 and v6.

It’s not a DNS issue, as the afflicted users can get the correct IPs from nslookup.

Mullvad VPN users are consistently unable to route to me.

One friend can’t route to me from his workplace network. It’s a small network and their admin claims they don’t block anything so it’s a mystery to him as well.

Another friend across town can’t reach my network despite being so close to me hop-wise, but his network is run by wacks and is consequently also quite wack. I can’t confidently say this is the same issue.

I’m not dropping any connections for any reason. My ISP claims they aren’t doing any blocking of domains or IPs.

Traceroutes time out at consistent hops but it’s different per afflicted network. The only recurring name has been costumer.tdc.net

It might not be related, but I can’t route to catbox.moe and their admin says my IPs are not blacklisted in any of their systems.

Do you have a different firewall/router you can try? Even just plug your PC directly into the modem for now to bypass your router and rule that out.

Routing to me has been solved, my router was incorrectly dropping pings on WAN because I messed up the firewall configs. The trouble users still can't reach my website.

Your ISP may block 80 / 443. Try moving your webserver to an alternate high port and ask the users to test with that.

But it's only very few people. If my ISP blocks these ports, why 99% of people have no issues?

At this point I'd install wireshark and see if I'm getting their TCP connections at all.

Given your other routing issues though, I would guess you have another config issue on your firewall.

  5.186.33.87 > 89.150.135.135: ICMP echo request, id 1, seq 43476, length 40
12:38:19.843890 d0:50:99:81:48:17 > 4c:6d:58:4a:97:d4, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 21715, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 0 (->1dc0)!)
    89.150.135.135 > 5.186.33.87: ICMP echo reply, id 1, seq 43476, length 40
12:38:20.219177 d0:50:99:81:48:17 > 4c:6d:58:4a:97:d4, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 32958, offset 0, flags [none], proto ICMP (1), length 29, bad cksum 0 (->3f6d)!)

Packet capture from the router for 4 pings from him to me. 2 of 8 packets expected were captured and have bad checksums. Disregard, all 8 expected packets do show up

Can you expand on how you got blocked? First time I’ve heard of this.

I would love to tell you why they do this, but I can't. I can only tell you that they tell me it's because I don't have rDNS

These guys are blocking me http://www.uceprotect.net/en/rblcheck.php "Level 1 HIGH DNS problem WARNING: No Reverse-DNS (PTR) is assigned to your IP"

These guys are blocking a friend of mine who has the same setup as me https://matrix.spfbl.net " No rDNS was found. This IP has been flagged because have none valid FCrDNS. Register a valid rDNS for this IP, which points to the same IP. The rDNS must be registered under your own domain for you be able to delist it."

Are you sending email from your ip?

If not this is irrelevant. Those block lists are only for email related spam filtering.

If you are, don't send email from a home isp

No emails just routing issues.

Copy pasted but I have routing issues that neither my ISP nor the people who suffer from it can pinpoint. I’m so far down this rabbit hole that I’m assuming my IP got on a blacklist that’s sitting on some random networking infrastructure and I’m just trying to resolve all blacklist issues on the off chance that it works.

Blacklists are not your problem.

I'm listening to your suggestions.

Replied in another part of this thread, but basically those blacklists are specific to SMTP and you can just disregard them. They're not related to any sort of network/routing issue you're seeing.

Ugh, uceprotect is the worst of the worst with overly strict rules to encourage paying them to whitelist your IP. Just ignore them.

I want to, but I have routing issues that neither my ISP nor the people who suffer from it can pinpoint. I'm so far down this rabbit hole that I'm assuming my IP got on a blacklist that's sitting on some random networking infrastructure and I'm just trying to resolve all blacklist issues on the off chance that it works.

DNSBL as result of lack of rDNS isn’t going to affect routing. Can you perhaps describe exactly what you’re having, and maybe we can figure out the solution together?

I would pay you money if you can fix this issue.

A number of people can't route to me at all. My domain is drkt.eu and sits on port 80 and 443 @ 89.150.135.135 and 2a05:f6c7:8039::1337

IPv6 is not big in my country, and I don't think anyone afflicted has IPv6 so I can't tell you if this affects both v4 and v6.

It's not a DNS issue, as the afflicted users can get the correct IPs from nslookup.

Mullvad VPN users are consistently unable to route to me.

One friend can't route to me from his workplace network. It's a small network and their admin claims they don't block anything so it's a mystery to him as well.

Another friend across town can't reach my network despite being so close to me hop-wise, but his network is run by wacks and is consequently also quite wack. I can't confidently say this is the same issue.

I'm not dropping any connections for any reason. My ISP claims they aren't doing any blocking of domains or IPs.

Traceroutes time out at consistent hops but it's different per afflicted network. The only recurring name has been costumer.tdc.net

It might not be related, but I can't route to catbox.moe and their admin says my IPs are not blacklisted in any of their systems.

What's your input?

It’s not a DNS issue, as the afflicted users can get the correct IPs from nslookup.

You are correct; looking at the resolutions via Google's toolbox, it seems to be resolving fine.

Traceroutes time out at consistent hops but it’s different per afflicted network. The only recurring name has been costumer.tdc.net

I did a couple of traceroute tests from a couple locations (two data centres, my local WiFi, and via cellular data), and they all seem to end at cpe.ae20-0.khk7nqp8.dk.customer.tdc.net. In teleco terms, cpe usually means "Client/Customer Premise Equipment", so it wouldn't surprise me if that is the address assigned to the network equipment closest to your server's local network (think neighborhood hub, or PON on premise, something super close to the demarcation point). If everyone else is able to get that far, then I'm more inclined to think the drop is happening on your equipment, not your ISP's equipment; but having said that, if this is a residential network (regardless if ISP is provisioning you gigabit connectivity via fibre or whatever), there will always be a likelihood for ISP to be doing more filtering.

If you don't mind, what is the gateway you're using? Is there an ISP gateway and then your own, or straight from ISP equipment into your network? Are there any (single/double) NAT going on? Are there's any security/filtering options on (either) equipment(s)?

I have an ISP issued fiber modem that goes straight into my pfsense box. For IPv4 I have NAT and Firewall, for v6 it's just the firewall. It should be noted that I've been hosting with this setup for years and it wasn't a problem until I got this ISP at this location. I've had this ISP elsewhere without problems and another ISP here where it also wasn't a problem.

The traceroutes getting dropped was a misconfiguration in my firewall on my part, it should work now!

My friend across town can now ping me successfully but going to my website still gives him ERR_CONNECTION_TIMED_OUT in browser.

EDIT ----------

I got another troublesome user to run a quick test with the new firewall config. Also can't reach my website. Pings DO time out for him! Traceroute expectedly also fails, last hop was cpe.ae20-0.khk7nqp8.dk.costumer.tdc.net [87.61.121.169]

From my side, I now see 3 ???s between the CPE and your IP address, which is also responding, so that's great.

Can your friend do something like curl -vvv https://drkt.eu or whatever to see if the time out happens before/after SSL handshake etc.? Also, do they have any firewalls / security appliances configured to filter content? I'd be curious to see dig or nslookup result, ping or traceroute result, and curl -vvv result, just to understand where it is breaking down.

Also, do you have a login to your ISP's equipment? Are you able to set it to bridge mode to bypass it altogether? Just throwing ideas out there, to see if there is anything else on the go. That cpe device is also pretty curious for sure.

Edit: Also, if they can get a response from ping, then it is probably not routing, but something else on the connection to the service / port itself. That's what I'm hoping we can figure out from the various outputs.

Office friend still can't ping me. The campus friend can ping me but can't reach my website. I never trusted campus friend to be on a clean network so it's a bit fruitless to test his connection.

My ISP's equipment is entirely a modem right now, bridging straight to my pfsense router. It's not doing any weird filtering.

Here are the results of those from office friend

Server:  unifi.localdomain
Address:  192.168.0.1

Non-authoritative answer:
Name:    drkt.eu
Addresses:  2a05:f6c7:8039::1337
          89.150.135.135

Tracing route to drkt.eu [89.150.135.135]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  unifi.localdomain [192.168.0.1]
  2     1 ms    <1 ms    <1 ms  5.186.33.65.static.fibianet.dk [5.186.33.65]
  3     4 ms     4 ms     3 ms  89.150.66.104
  4     4 ms     4 ms     4 ms  ae2.core01-tkbg.bb.fibianet.dk [89.150.64.25]
  5     *        *        *     Request timed out.
  6     3 ms     3 ms     3 ms  89.150.69.66
  7     2 ms     4 ms     2 ms  217.74.211.104
  8     3 ms     4 ms     4 ms  194.182.97.132
  9     4 ms     4 ms     3 ms  ae22-0.khk7nqp7.dk.ip.tdc.net [195.215.109.46]
 10     4 ms     4 ms     4 ms  ae1-0.khk7nqp8.dk.ip.tdc.net [83.88.12.15]
 11     3 ms     4 ms     4 ms  cpe.ae20-0.khk7nqp8.dk.customer.tdc.net [87.61.121.169]
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

* Rebuilt URL to: https://drkt.eu/
*   Trying 89.150.135.135...
* TCP_NODELAY set
* connect to 89.150.135.135 port 443 failed: Timed out
* Failed to connect to drkt.eu port 443: Timed out
* Closing connection 0
curl: (7) Failed to connect to drkt.eu port 443: Timed out

--- UPDATE

Office friends pinged me 4 times, all timed out on his end. His IP showed up in my state table and I captured these 2 packets

State table:

Interface Protocol  Source -> Destination            State  Packets 	Bytes 	
WAN 	icmp 	5.186.33.87:1 -> 89.150.135.135:1 	0:0 	4 / 4 	240 B / 240 B 	

Packet capture: (the only 2, despite the 4 pings, and they have bad checksums?) All 8 expected packets show up but all do have bad checksums. I'm seeing a LOT of bad checksums. A known working connection from fourth friend did not show bad checksums in this same test.

    5.186.33.87 > 89.150.135.135: ICMP echo request, id 1, seq 43476, length 40
12:38:19.843890 d0:50:99:81:48:17 > 4c:6d:58:4a:97:d4, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 21715, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 0 (->1dc0)!)
    89.150.135.135 > 5.186.33.87: ICMP echo reply, id 1, seq 43476, length 40
12:38:20.219177 d0:50:99:81:48:17 > 4c:6d:58:4a:97:d4, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 32958, offset 0, flags [none], proto ICMP (1), length 29, bad cksum 0 (->3f6d)!)

He went to my domain while I was collecting packets from ANY protocol filtering his IP It's a bit long, so here's the cap file https://u.drkt.eu/iiUsH7.cap

I've learned that the bad checksums are to to be ignored because it's the NIC that's responsible for it, so tcpdump sees the wrong checksums and it doesn't matter. I have also learned that the Apache container actually does see the incoming connections. Here's an example of my working connection and his connection.

root ~ -> tcpdump -n port 443

## My machine to https://drkt.eu
15:44:50.985650 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [S], seq 2232908482, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
15:44:50.985656 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [S.], seq 1276898910, ack 2232908483, win 64800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
15:44:50.985780 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 1, win 8235, length 0
15:44:50.987032 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [P.], seq 1:518, ack 1, win 8235, length 517
15:44:50.987040 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [.], ack 518, win 503, length 0
15:44:50.987333 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 1:4097, ack 518, win 503, length 4096
15:44:50.987566 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 4097, win 8235, length 0
15:44:50.988400 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 4097:5381, ack 518, win 503, length 1284
15:44:50.988531 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 5381, win 8229, length 0
15:44:50.992091 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [P.], seq 518:582, ack 5381, win 8229, length 64
15:44:50.992095 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [P.], seq 582:1087, ack 5381, win 8229, length 505
15:44:50.992173 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [.], ack 1087, win 501, length 0
15:44:50.992274 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 5381:5668, ack 1087, win 501, length 287
15:44:50.992342 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 5668:5955, ack 1087, win 501, length 287
15:44:50.992488 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 5955, win 8235, length 0
15:44:50.993404 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 5955:10902, ack 1087, win 501, length 4947
15:44:50.993647 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 10902, win 8235, length 0
15:44:55.998521 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 10902:10926, ack 1087, win 501, length 24
15:44:55.998547 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [F.], seq 10926, ack 1087, win 501, length 0
15:44:55.998727 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [P.], seq 1087:1111, ack 10926, win 8234, length 24
15:44:55.998733 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 10927, win 8234, length 0
15:44:55.998734 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [F.], seq 1111, ack 10927, win 8234, length 0
15:44:55.998736 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [.], ack 1112, win 501, length 0

## Office dude to https://drkt.eu
15:45:06.759198 IP 5.186.33.87.59842 > 192.168.78.164.443: Flags [S], seq 3042763137, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:06.759210 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:07.009444 IP 5.186.33.87.59843 > 192.168.78.164.443: Flags [S], seq 1050721154, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:07.009455 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:07.761986 IP 5.186.33.87.59842 > 192.168.78.164.443: Flags [S], seq 3042763137, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:07.761994 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:08.011014 IP 5.186.33.87.59843 > 192.168.78.164.443: Flags [S], seq 1050721154, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:08.011023 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:08.774730 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:09.030829 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:09.772318 IP 5.186.33.87.59842 > 192.168.78.164.443: Flags [S], seq 3042763137, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:09.772327 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:10.020444 IP 5.186.33.87.59843 > 192.168.78.164.443: Flags [S], seq 1050721154, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:10.020452 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:11.782726 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:12.038818 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:13.778722 IP 5.186.33.87.59842 > 192.168.78.164.443: Flags [S], seq 3042763137, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:13.778730 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:14.026072 IP 5.186.33.87.59843 > 192.168.78.164.443: Flags [S], seq 1050721154, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:14.026082 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:18.026717 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:18.282740 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:26.214732 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:26.474741 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:42.342747 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:42.598745 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

We're making progress!

Looks like connection are being made, so it isn't routing after all!

Looking at the first recording, based on the different packet length, I'd guess it is doing SSL handshake properly; whereas the second one seems to be all 0 length and so something is not working out. At least on a cursory glance, your settings seems to be pretty permissive, so unless your friend's using a super old system, it shouldn't be an issue. Do you know what OS your friend is using, and if it has up-to-date root certificates? Are they on a system with openssl cli available? Judging by the unifi network, probably? Try openssl s_client -connect drkt.eu:443 -prexit (and ctrl + c to quit after it stops) and see if you can see any oddities with the SSL handshake process.

6 more...
6 more...
6 more...
6 more...
6 more...
6 more...
6 more...
6 more...

Not sure if any seasoned sysadmin actually use uceprotect blocklist in their network though, so you shouldn't lose sleep over that one.

Some light reading related to uceprotect:

uceprotect.wtf is amazing, thank you

6 more...
6 more...
6 more...
6 more...

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
IP Internet Protocol
NAT Network Address Translation
SSL Secure Sockets Layer, for transparent encryption
TCP Transmission Control Protocol, most often over IP
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

7 acronyms in this thread; the most compressed thread commented on today has 11 acronyms.

[Thread #72 for this sub, first seen 21st Aug 2023, 20:45] [FAQ] [Full list] [Contact] [Source code]