Curl -v https://authserver.mojang.com failed

This is my current setup with VyOS 2025.06.24-0020-rolling, but I can’t get “dig +short https://d1fw3h4w8htlic.cloudfront.net” – “curl -v https://authserver.mojang.com” to work correctly. Can anyone less of a novice than me help me? I’d be grateful.

vyos@vyos:~$ show configuration commands | strip-private
set firewall group address-group internal_servers address 'xxx.xxx.1.100'
set firewall group address-group internal_servers address 'xxx.xxx.1.101'
set firewall group address-group soporte address 'xxx.xxx.14.109'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 inbound-interface name 'eth0'
set firewall ipv4 forward filter rule 10 jump-target 'WAN_IN'
set firewall ipv4 forward filter rule 20 action 'jump'
set firewall ipv4 forward filter rule 20 inbound-interface name 'eth1'
set firewall ipv4 forward filter rule 20 jump-target 'LAN_IN'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 inbound-interface name 'eth0'
set firewall ipv4 input filter rule 10 jump-target 'WAN_LOCAL'
set firewall ipv4 input filter rule 20 action 'jump'
set firewall ipv4 input filter rule 20 inbound-interface name 'eth1'
set firewall ipv4 input filter rule 20 jump-target 'LAN_LOCAL'
set firewall ipv4 input filter rule 99999 action 'accept'
set firewall ipv4 input filter rule 99999 description 'Allow localhost input'
set firewall ipv4 input filter rule 99999 inbound-interface name 'lo'
set firewall ipv4 input filter rule 99999 source address 'xxx.xxx.0.0/8'
set firewall ipv4 name LAN_IN default-action 'drop'
set firewall ipv4 name LAN_IN description 'LAN to WAN forwarded traffic'
set firewall ipv4 name LAN_IN rule 10 action 'accept'
set firewall ipv4 name LAN_IN rule 10 description 'Allow established/related'
set firewall ipv4 name LAN_IN rule 10 state 'established'
set firewall ipv4 name LAN_IN rule 10 state 'related'
set firewall ipv4 name LAN_IN rule 20 action 'accept'
set firewall ipv4 name LAN_IN rule 20 description 'Allow all outbound traffic from LAN to WAN'
set firewall ipv4 name LAN_IN rule 20 protocol 'all'
set firewall ipv4 name LAN_IN rule 20 source address 'xxx.xxx.1.0/24'
set firewall ipv4 name LAN_LOCAL default-action 'accept'
set firewall ipv4 name LAN_LOCAL description 'LAN to router traffic'
set firewall ipv4 name LAN_LOCAL rule 10 action 'accept'
set firewall ipv4 name LAN_LOCAL rule 10 description 'Allow established/related'
set firewall ipv4 name LAN_LOCAL rule 10 state 'established'
set firewall ipv4 name LAN_LOCAL rule 10 state 'related'
set firewall ipv4 name WAN_IN default-action 'drop'
set firewall ipv4 name WAN_IN description 'WAN to LAN traffic (Port Forwarding)'
set firewall ipv4 name WAN_IN rule 10 action 'accept'
set firewall ipv4 name WAN_IN rule 10 description 'Allow established/related'
set firewall ipv4 name WAN_IN rule 10 state 'established'
set firewall ipv4 name WAN_IN rule 10 state 'related'
set firewall ipv4 name WAN_IN rule 20 action 'accept'
set firewall ipv4 name WAN_IN rule 20 description 'Allow HTTP/HTTPS to Web Server'
set firewall ipv4 name WAN_IN rule 20 destination group address-group 'internal_servers'
set firewall ipv4 name WAN_IN rule 20 destination port '80,443'
set firewall ipv4 name WAN_IN rule 20 protocol 'tcp'
set firewall ipv4 name WAN_IN rule 30 action 'accept'
set firewall ipv4 name WAN_IN rule 30 description 'Allow Minecraft server'
set firewall ipv4 name WAN_IN rule 30 destination group address-group 'internal_servers'
set firewall ipv4 name WAN_IN rule 30 destination port '25565'
set firewall ipv4 name WAN_IN rule 30 protocol 'tcp'
set firewall ipv4 name WAN_LOCAL default-action 'drop'
set firewall ipv4 name WAN_LOCAL description 'WAN to router traffic'
set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
set firewall ipv4 name WAN_LOCAL rule 10 state 'related'
set firewall ipv4 name WAN_LOCAL rule 15 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 15 description 'Allow DNS TCP responses'
set firewall ipv4 name WAN_LOCAL rule 15 destination port '53'
set firewall ipv4 name WAN_LOCAL rule 15 protocol 'tcp'
set firewall ipv4 name WAN_LOCAL rule 15 state 'established'
set firewall ipv4 name WAN_LOCAL rule 16 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 16 description 'Allow DNS UDP responses'
set firewall ipv4 name WAN_LOCAL rule 16 destination port '53'
set firewall ipv4 name WAN_LOCAL rule 16 protocol 'udp'
set firewall ipv4 name WAN_LOCAL rule 16 state 'established'
set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 20 description 'Allow remote admin SSH'
set firewall ipv4 name WAN_LOCAL rule 20 destination port '22222'
set firewall ipv4 name WAN_LOCAL rule 20 protocol 'tcp'
set firewall ipv4 name WAN_LOCAL rule 20 source group address-group 'soporte'
set firewall ipv4 output filter default-action 'accept'
set firewall ipv4 output filter rule 99999 action 'accept'
set firewall ipv4 output filter rule 99999 description 'Allow localhost output'
set firewall ipv4 output filter rule 99999 destination address 'xxx.xxx.0.0/8'
set firewall ipv4 output filter rule 99999 outbound-interface name 'lo'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:10'
set interfaces ethernet eth1 address 'xxx.xxx.1.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:ca'
set nat destination rule 10 description 'Web Server HTTP'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface name 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address 'xxx.xxx.1.100'
set nat destination rule 20 description 'Web Server HTTPS'
set nat destination rule 20 destination port '443'
set nat destination rule 20 inbound-interface name 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address 'xxx.xxx.1.100'
set nat destination rule 30 description 'Minecraft Server'
set nat destination rule 30 destination port '25565'
set nat destination rule 30 inbound-interface name 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address 'xxx.xxx.1.101'
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address 'xxx.xxx.1.0/24'
set nat source rule 100 translation address 'masquerade'
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.0.1
set service dhcp-server listen-interface 'eth1'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.1.0/24 lease '259200'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.1.0/24 option default-router 'xxx.xxx.1.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.1.0/24 option domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.1.0/24 option name-server 'xxx.xxx.1.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.1.0/24 range 0 start 'xxx.xxx.1.200'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.1.0/24 range 0 stop 'xxx.xxx.1.250'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.1.0/24 subnet-id '1'
set service dns forwarding allow-from 'xxx.xxx.1.0/24'
set service dns forwarding cache-size '10000'
set service dns forwarding listen-address 'xxx.xxx.1.1'
set service dns forwarding name-server xxx.xxx.9.10
set service dns forwarding name-server xxx.xxx.14.14
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/8'
set service ntp allow-client xxxxxx 'xxx.xxx.1.0/24'
set service ntp listen-address 'xxx.xxx.1.1'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ssh port '22222'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system ipv6 disable-forwarding
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system name-server 'xxx.xxx.1.1'
set system name-server 'xxx.xxx.8.8'
set system option reboot-on-upgrade-failure '5'
set system syslog local facility all level 'info'
set system syslog local facility local7 level 'debug'

Your problem is almost certainly this:

set firewall ipv4 forward filter default-action 'drop'

Seeing as you don’t have any other rule that allows traffic from your LAN to your WAN, any return traffic is going to get dropped.

You should change that to allow and have strict rules on your incoming firewall rules to ensure you only let in what you want. Or create some firewall rules for outbound traffic if you really want to be strict about it.

Default action drop should be used for security reasons.

Then you should add the flows you want to allow.

But sure, as a troubleshooting step you could change that to allow, but don’t forget to change it back to drop once you have figured out what the root cause is.

Hello! tjh - Apachez

I truly appreciate your help and perspective. I understand that ‘set firewall ipv4 forward filter default-action ‘drop’’ is a common cause of connectivity issues.

However, in my configuration, I have already implemented specific rules to allow LAN-to-WAN traffic and its return, while maintaining default security. My LAN clients can already access the Internet without problems, which confirms these rules are functioning as intended.

Allow me to show you the relevant parts of my configuration that enable this:

– Forward Filter –

set firewall ipv4 forward filter default-action ‘drop’
set firewall ipv4 forward filter rule 10 action ‘jump’ inbound-interface name ‘eth0’ jump-target ‘WAN_IN’
set firewall ipv4 forward filter rule 20 action ‘jump’ inbound-interface name ‘eth1’ jump-target ‘LAN_IN’

– LAN_IN Policy (for LAN to WAN traffic) –

set firewall ipv4 name LAN_IN default-action ‘drop’
set firewall ipv4 name LAN_IN rule 10 action ‘accept’ description ‘Allow established/related’ state ‘established’ state ‘related’
set firewall ipv4 name LAN_IN rule 20 action ‘accept’ description ‘Allow all outbound traffic from LAN to WAN’ protocol ‘all’ source address ‘10.0.1.0/24’

– WAN_IN Policy (for return traffic from WAN to LAN) –

set firewall ipv4 name WAN_IN default-action ‘drop’
set firewall ipv4 name WAN_IN rule 10 action ‘accept’ description ‘Allow established/related’ state ‘established’ state ‘related’

The persistent issue I’m facing is specific to DNS resolution for ‘authserver.mojang.com’ and its CNAME 'd1fw3h4w8htlic.cloudfront.net'.

I have performed the following tests, which suggest a problem beyond firewall rules:

  1. ‘dig authserver.mojang.com’ works and returns the CNAME.

  2. However, ‘dig +short d1fw3h4w8htlic.cloudfront.net’ (the final CNAME target) RETURNS NOTHING (ANSWER: 0), even when forcing TCP (e.g., 'dig @1.1.1.1 +tcp +short d1fw3h4w8htlic.cloudfront.net').

  3. 'curl -v https://authserver.mojang.com' fails with ‘Could not resolve host’, indicating a DNS resolution failure, not a connection issue.

  4. 'curl -v https://google.com' WORKS perfectly, establishing a full HTTPS connection.

  5. This exact same resolution problem for 'd1fw3h4w8htlic.cloudfront.net' also occurs on another client machine in my network (‘xxx-demo1’), which suggests the issue is not exclusive to my VyOS instance.

Given these results, the problem appears to be a very unusual and specific failure in resolving this particular Cloudfront CNAME. It’s not a general DNS or connectivity issue for my VyOS or my network.

To help diagnose this further, would anyone in the community be able to run the following command from a VyOS instance in their lab or network, and share the output? This would be immensely helpful in determining if this is a localized issue or a broader behavior.

dig @1.1.1.1 +short d1fw3h4w8htlic.cloudfront.net

If that isn’t intentional, then I would say you have a broader DNS issue: I get the same results from my desktop.

dig @1.1.1.1 d1fw3h4w8htlic.cloudfront.net                                                                                                                                   ✔ 

; <<>> DiG 9.20.10 <<>> @1.1.1.1 d1fw3h4w8htlic.cloudfront.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24463
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;d1fw3h4w8htlic.cloudfront.net. IN      A

;; AUTHORITY SECTION:
cloudfront.net.         60      IN      SOA     ns-418.awsdns-52.com. hostmaster.cloudfront.net. 1377556270 16384 2048 1048576 60

;; Query time: 55 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Jun 26 15:37:30 AWST 2025
;; MSG SIZE  rcvd: 125

09:40 vyos@gw 1.4.2 /home/vyos
0» dig @1.1.1.1 d1fw3h4w8htlic.cloudfront.net

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @1.1.1.1 d1fw3h4w8htlic.cloudfront.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14047
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;d1fw3h4w8htlic.cloudfront.net. IN      A

;; AUTHORITY SECTION:
cloudfront.net.         60      IN      SOA     ns-418.awsdns-52.com. hostmaster.cloudfront.net. 1377556270 16384 2048 1048576 60

;; Query time: 20 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Jun 26 09:40:46 CEST 2025
;; MSG SIZE  rcvd: 125

0» dig @1.1.1.1 +tcp d1fw3h4w8htlic.cloudfront.net

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @1.1.1.1 +tcp d1fw3h4w8htlic.cloudfront.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54148
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;d1fw3h4w8htlic.cloudfront.net. IN      A

;; AUTHORITY SECTION:
cloudfront.net.         60      IN      SOA     ns-418.awsdns-52.com. hostmaster.cloudfront.net. 1377556270 16384 2048 1048576 60

;; Query time: 27 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (TCP)
;; WHEN: Thu Jun 26 09:43:02 CEST 2025
;; MSG SIZE  rcvd: 125