Why can't I reach my subdomains on one machine, but can on another?

Hey folks - this is a bit of a weird one (to me anyway). I'd appreciate some advice!

I have three laptops, the first being my work Windows laptop, the second being a personal Windows laptop, and the third being a new personal MacBook Pro. What I'm finding is that I can access my subdomains on both Windows laptops, but not on my MBP. For example, I have Bitwarden self-hosted at bitwarden.DOMAIN.co.uk. I can access Bitwarden on both Windows laptops, but if I try to access on my MBP it throws up errors. The same applies to other subdomains, such as pihole.DOMAIN.co.uk.

Something which might help diagnose the issue is that when trying to access pihole.DOMAIN.co.uk, the error message I get is "the certificate for this site is invalid", and when I click to accept the risk and visit the site, it takes me to my router's homepage, but with the correct address in the address bar, albeit suffixed with additional info (i.e. the browser tab is called UniFi OS, and the address bar shows https://pihole.domain.co.uk/login?redirect=/admin/login.php)

What I find odd about the above example is that my reverse DNS is handled by Nginx Proxy Manager, in which the Pihole proxy host is configured as http://pihole.DOMAIN.co.uk, rather than https://pihole.DOMAIN.co.uk

However, the same happens when I try to access subdomains which do have SSL certificates, such as https://synology.domain.co.uk

Any ideas what's going on? More than likely something I'm completely overlooking, but it would be good to know what this is!
 
Does the MBP resolve bitwarden.domain.co.uk correctly? When you say access, are you referring only to HTTP/HTTPS access? What about SSH or something else?
Thanks @the-evaluator for your reply...

No it doesn't, this is the issue

Access to me = stick it in the address bar of a browser and expect to reach the site (e.g. my Bitwarden vault or my Pihole dashboard)

In terms of SSH, I can SSH into the hosts (Pis running on 192.168.1.100 and 192.168.1.200), is that what you mean?
 
Sounds like a DNS issue to me. Is the MacBook using DoH? What browser(s) have you tried?

I was asking about something other than HTTP/HTTPS to see if it's a browser problem. Can you SSH into something from the MBP using the FQDN or can you only do it by IP address?
 
Sounds like a DNS issue to me. Is the MacBook using DoH?
I haven't set up anything specific on the MBP, the DNS is my Pihole which runs Unbound

What browser(s) have you tried?
OK, so just testing a bit more...it doesn't work in DuckDuckGo browser, it does work in Safari, it doesn't work in Chrome. The Bitwarden app doesn't work (I get an error 'Failed to fetch')

Can you SSH into something from the MBP using the FQDN or can you only do it by IP address?
The only things I ever SSH into are my Pis and my router (UDM-Pro), none of which I'd ever use an FQDN to access. What else could I try to SSH into? I'm happy to try anything :)
 
OK, so just testing a bit more...it doesn't work in DuckDuckGo browser, it does work in Safari, it doesn't work in Chrome. The Bitwarden app doesn't work (I get an error 'Failed to fetch')

Sounds like DuckDuckGo & Chrome are using DNS over HTTPS (DoH) so the DNS queries are being resolved externally. Go to https://one.one.one.one/help/ in each browser and see what it says there.

The only things I ever SSH into are my Pis and my router (UDM-Pro), none of which I'd ever use an FQDN to access. What else could I try to SSH into? I'm happy to try anything :)

Set up an A record to something else internally (a Pi maybe?) and see if you can SSH by FQDN. I'm trying to work out what's broken, but I'm fairly sure it's DoH causing it
 
I'm trying to work out what's broken, but I'm fairly sure it's DoH causing it
Seems like it could actually be a cert error...

A networking friend suggested running openssl s_client -connect synology.domain.co.uk:443 on my MBP and the result was:
depth=0 CN = unifi.local
verify error:num=18:self signed certificate
 
Just throwing this out there, but would mDNS be causing the DNS issue? I'm frantically Googling, and came across mDNS as the cause of something vaguely similar

mDNS is enabled on my UDM-Pro. I have a LAN network (VLAN ID 1) and an IoT network (VLAN ID 10). Do I need mDNS to allow devices on LAN to communicate with devices on IoT? Advice on a forum post (albeit 7yrs old) I found says this "If you don't know why you'd need it, then you don't". I don't really understand why I'd need it, though I appreciate that having 2 VLANs isn't what Joe Public does, but pretty common for those frequenting this forum! I'm therefore stuck between a rock and a hard place in knowing whether my set-up requires it
 
Seems like it could actually be a cert error...

A networking friend suggested running openssl s_client -connect synology.domain.co.uk:443 on my MBP and the result was:
depth=0 CN = unifi.local
verify error:num=18:self signed certificate

What's the IP address of synology.domain.co.uk? If you open a Terminal on the MBP and 'ping synology.domain.co.uk' what IP address is returned?
 
@the-evaluator In between our last posts and now, I've been away, had Covid, now back with the bit between my teeth!

I had a bit of a eureka moment last night, where I made a realisation...the problem vanishes as soon as I turn on a VPN.

What I was finding is that the issue was spreading to all my devices, so whereby my iPhone had previously been unaffected, it was showing the same signs of not being able to log into Bitwarden. I then realised that my personal Windows laptop was running a VPN, so thought I'd try turning on the VPN on my iPhone, and voila!

So, all devices work as expected when VPN is on. No devices work as expected when VPN is off. (My work laptop is kinda 'odd' in so much as it runs a split-tunnel VPN for work purposes)

I have tried manually altering the DNS settings on my iPhone to 8.8.8.8 and 9.9.9.9, but no luck. Therefore perhaps not a DNS issue?
 
With the VPN on the traffic is going from your client -> VPN endpoint -> your WAN IP. With the VPN off it's trying to hit the WAN IP directly from the local client. So with the VPN on traffic is hitting the WAN interface from the public internet rather than coming from your LAN IP subnet.

It sounds like it's port forwarding/an ACL on your router perhaps. Is hairpinning enabled?
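The two checks the replies keep asking for (what the name resolves to from this machine, and which certificate the endpoint actually presents) can be run together. This is an added diagnostic, not code from the thread; it assumes a LAN of 192.168.1.0/24 (from the Pi addresses above) and a placeholder hostname, and it distinguishes the DoH/resolver case from the hairpin case where the name resolves to the WAN address and the router answers with its own certificate.

```python
"""Classify why a self-hosted subdomain fails from inside the LAN (constructed example)."""
import ipaddress
import socket
import ssl

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the LAN subnet from the thread


def classify(host, resolved_ips, tls_error):
    """Return (code, explanation). tls_error is None after a clean verified
    handshake, otherwise the verify message (e.g. 'self-signed certificate')."""
    if not resolved_ips:
        return ("no-resolve", "%s does not resolve on this machine; check which resolver "
                "is in use (a browser doing DoH bypasses Pi-hole)" % host)
    inside = [ip for ip in resolved_ips if ipaddress.ip_address(ip) in LAN]
    if not inside:
        # Name points at the public/WAN address even when queried from the LAN
        if tls_error:
            return ("hairpin", "%s resolves to WAN address %s and the device that answered "
                    "presented a bad certificate (%s): the router, not the proxy, took the "
                    "connection. Add a local DNS record for the proxy's LAN IP or enable "
                    "NAT hairpinning" % (host, resolved_ips[0], tls_error))
        return ("wan-ok", "%s resolves to WAN address %s and the handshake verified, so "
                "hairpinning is working" % (host, resolved_ips[0]))
    if tls_error:
        return ("cert", "%s resolves to LAN IP %s but the proxy's certificate failed "
                "verification: %s" % (host, inside[0], tls_error))
    return ("ok", "%s resolves to LAN IP %s and the certificate verifies" % (host, inside[0]))


def probe(host, port=443, timeout=5):
    """Live version (needs network): resolve, then attempt a verified TLS handshake."""
    try:
        ips = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, socket.AF_INET)})
    except socket.gaierror:
        ips = []
    err = None
    if ips:
        ctx = ssl.create_default_context()  # full chain + hostname verification
        try:
            with socket.create_connection((ips[0], port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass
        except ssl.SSLCertVerificationError as exc:
            err = exc.verify_message
        except OSError as exc:
            err = str(exc)
    return classify(host, ips, err)


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:] or ["pihole.example.co.uk"]:  # placeholder hostname
        print(name, "->", probe(name)[1])
```

Run it once on the MacBook and once on a laptop that works; a "hairpin" result on the LAN alongside a verified handshake over the VPN matches the symptom described above.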
 
Have you changed router or firmware at some point?

Back when I ran my UniFi controller on a VM at home I had this sort of problem where I couldn't access unifi.mydomain.com internally but could externally (so the same as you when you have the VPN active). It was some years ago but I think the workaround was a firewall rule with source IP range of my LAN subnet. I may have some screenshots saved, I'll see if I can find them.
 
Have you changed router or firmware at some point?
Haven't changed my router (UDM-Pro) since 18mths ago. As for firmware, I'd have to check the logs, but I can't remember a recent update.

This does look suspiciously like something related to my router. Just tried accessing it via unifi.ui.com and can't. Also tried on my phone, via the UniFi app, on 4G and can't. I can access it internally though, so at least I have that!
 