This issue was resolved in the 1.9751 release. This workaround should no longer be necessary.
This article originates from the community thread at https://help.firewalla.com/hc/en-us/community/posts/13833713961363
Issue
Some customers have noticed the following when using the PayPal mobile app with MFA: the screen after Log In, which should show the MFA flow, does not load, so the PayPal login is blocked.
Causes
There are two issues here.
- PayPal tries to access the site "undefined.lan" during the MFA process. If the app cannot get a response to its DNS lookup of "undefined.lan", the MFA login fails. This is very unusual and we do not understand why they are doing this; it may be a PayPal JavaScript bug.
- In 1.975 we added a feature that blackholes LAN-based DNS lookups for unknown domains. This protects the system from DNS overload caused by devices constantly querying for unknown domains. (For example, we have seen IoT devices like cameras constantly bombard the Firewalla DNS with unknown queries; the only way to stop them is to NOT send an NXDOMAIN response.) PayPal, however, requires the NXDOMAIN response for "undefined.lan", and our "no response" is breaking PayPal's MFA login. Why the PayPal app requests information from "undefined.lan" is likely a bug.
This breakage can be seen here https://help.firewalla.com/hc/en-us/community/posts/13833713961363/comments/14011091707027
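As an added diagnostic, not part of the Firewalla article or its code, the script below sends a raw DNS A query for undefined.lan to a resolver you name on the command line and reports whether the resolver answered NXDOMAIN (the 1.9751 behavior PayPal expects), a normal answer, or nothing at all (the 1.975 blackholing behavior). The resolver address and the transaction id are assumed values; the sample reply bytes are constructed for illustration.

```python
import socket
import struct
import sys
from typing import Optional

TXID = 0x1234  # assumed fixed transaction id for this probe

def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a minimal DNS A/IN query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp: Optional[bytes], txid: int = TXID) -> str:
    """Map a raw reply (None on timeout) to the behaviors the article describes."""
    if resp is None:
        return "NO_RESPONSE"  # blackholed: the 1.975 behavior that breaks PayPal MFA
    if len(resp) < 12:
        return "MALFORMED"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        return "MISMATCHED_ID"
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"  # "domain does not exist": what PayPal's app needs
    if rcode == 0:
        return "NOERROR" if an else "NODATA"
    return f"RCODE_{rcode}"

def probe(name: str, server: str, timeout: float = 2.0, txid: int = TXID) -> str:
    """Send the query over UDP and classify whatever comes back (or does not)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return classify_response(None, txid)
    return classify_response(data, txid)

# Constructed sample: NXDOMAIN reply (QR=1, RD=1, RA=1, RCODE=3) echoing our question.
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", TXID, 0x8183, 1, 0, 0, 0) + build_query("undefined.lan")[12:]

if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder resolver
    print(f"undefined.lan via {resolver}: {probe('undefined.lan', resolver)}")
```

Run it against your Firewalla's DNS address; NO_RESPONSE means the lookup is being blackholed, which is the condition that blocks the PayPal MFA screen.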
Workaround
For now, you can get around this by creating a "blocking" rule whose Domain is undefined.<your_local_domain> (your default local domain is .lan on Firewalla unless you change it). See What is the Firewalla local domain and search domain?
Solution
We don't believe we can ask PayPal to change this behavior soon, so in the next release, 1.9751 (now released), we will revert to the behavior of sending an NXDOMAIN (domain does not exist) response. Later on, we will add a configuration option to block NXDOMAIN responses so that cameras behave correctly.
We may also explore ways to "block undefined.lan" via a target list to resolve this issue temporarily.