This issue was resolved in the 1.9751 release. This workaround should no longer be necessary.
This thread originated from https://help.firewalla.com/hc/en-us/community/posts/13833713961363
Some customers have noticed the following when using the PayPal mobile app with MFA: the screen after Log In, which should show the MFA flow, does not load, so PayPal login is blocked.
There are two issues here.
- In 1.975 we added the feature to blackhole LAN-based DNS lookups to unknown domains. This protects the system from DNS overload caused by devices constantly querying for unknown domains. (For example, we have seen IoT devices like cameras constantly bombard the Firewalla DNS with unknown queries; the only way to stop them is to NOT send an NXDOMAIN response.)
PayPal, however, requires the NXDOMAIN response to this "undefined.lan" query, and our "no response" is breaking PayPal's MFA login. The PayPal app requesting information from "undefined.lan" is likely a bug.
This breakage can be seen here https://help.firewalla.com/hc/en-us/community/posts/13833713961363/comments/14011091707027
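To check which of the two behaviors a resolver shows for this name, the following added example (not Firewalla's code) sends one A query for undefined.lan and reports NXDOMAIN versus no response. The resolver IP is supplied on the command line, and the sample reply bytes are constructed for the offline check.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234, qtype=1):
    """Encode a standard recursive DNS query (QTYPE A by default) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def classify_response(data, txid=0x1234):
    """Return the RCODE name of a DNS reply, or 'MALFORMED' if it is not one."""
    if len(data) < 12:
        return "MALFORMED"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit not set
        return "MALFORMED"
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")

def probe(resolver, name, timeout=3.0):
    """Query `resolver` on UDP/53; 'NO_RESPONSE' means blackholed or lost."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "NO_RESPONSE"
    return classify_response(data)

# Constructed sample: an NXDOMAIN reply (flags 0x8183) echoing the question.
SAMPLE_NXDOMAIN = (struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
                   + build_query("undefined.lan")[12:])

if __name__ == "__main__":
    print("offline sample:", classify_response(SAMPLE_NXDOMAIN))
    if len(sys.argv) > 1:  # resolver IP, e.g. the Firewalla's LAN address
        print("live probe:", probe(sys.argv[1], "undefined.lan"))
```

A result of NO_RESPONSE for undefined.lan matches the blackhole behavior described above; NXDOMAIN is the reply PayPal's login flow needs.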
For now, you can get around this by making a "blocking" rule where the Domain is undefined.<your_local_domain>. (Your default local domain is .lan on Firewalla unless you change it.) See "What is the Firewalla local domain and search domain?"
We don't believe we can ask PayPal to change this behavior soon, so in the next release, 1.9751 (now released), we will revert to the behavior of sending NXDOMAIN (domain does not exist); then, in later apps, we will create a configuration to block NXDOMAIN so that cameras behave correctly.
We may also explore ways to "block undefined.lan" via a target list to resolve this issue temporarily.