DNSBL is no longer working normally
-
First the obvious: packages and pfsense versions:
2.5.2-RELEASE (amd64) built on Fri Jul 02 15:33:00 EDT 2021 FreeBSD 12.2-STABLE
pfBlockerNG-devel net 3.1.0
Hello,
I just discovered some issues with DNSBL. First it is NOT blocking certain domains and sites contained in DNSBL "groups".
I believe this occurs when sites are accessed via https (SSL) but it's difficult to know since the behavior of DNSBL is really weird.
For example, trying to access "facebook.com", I get
Secure Connection Failed An error occurred during a connection to facebook.com. Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
while I can see the "https" part in the address bar...
If I hit "Try Again" on the page (using Firefox), I get
Hmm. We’re having trouble finding that site. We can’t connect to the server at facebook.com. If that address is correct, here are three other things you can try: Try again later. Check your network connection. If you are connected but behind a firewall, check that Firefox has permission to access the Web.
Why am I not getting the DNSBL blocked page? This page used to appear whenever a blocked top domain was accessed (with OR without the https part of the address...).
Another example is "pinterest.com" which is in a DNSBL "Custom_List"...
Manually entering "pinterest.com" in Firefox opens up Pinterest's page no problem. Nothing is blocked.
Not sure when this got broken but a year ago (or so) it used to work flawlessly.
What next?
-
@pftdm007 said in DNSBL is no longer working normally:
Why am I not getting the DNSBL blocked page?
You can't.
Your PC / browser has probably already cached the cert, and won't accept the answer from the local pfBlockerNG web server that should show the "blocked page" with an unknown - auto signed - non trusted cert.
This web server from pfBlockerNG doesn't have the cert of facebook.
Your browser wants a cert that says that it is facebook => the browser bails out to protect you. Remember: this time it's facebook, next time it's your bank web site.
The "DNSBL blocked page" to inform you that a site is blocked works fine .... for "http" sites, not https.
edit : Facebook uses this https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security and your browser knows it (cached the cert of facebook for a year or so), so it can't be 'fooled'.
And keep in mind: the pfBlockerNG's blocked page web server is a MITM attack, and you don't want that ;)
Also: http sites don't really exist anymore.
-
@gertjan Okay for the blocked page not showing up for https... Make sense but I have flashbacks of this working in the past.. Maybe I'm wrong..
But what about the sites not being blocked? This is the biggest issue by far making DNSBL effectively broken and useless for me.
Another example: I have a DNSBL group named "Social" for social networks I want to block access to. This "group" has NO source definitions (see screenshot) and I manually entered all domains in the "DNSBL Custom_List" (see screenshot).
This DNSBL group worked flawlessly in the past. Trying to access any of the domains contained in this group gave a DNSBL blocked page in the web browser. Same for all other DNSBL groups.
Not sure when DNSBL got broken but I suspect in the last package update or system update. For sure, last year everything was working just fine.
EDIT: I looked in my personal notes and found that I reported something very similar back in 2016 where @BBcan177 mentioned that the TLD feature was going to be added to subsequent releases to solve this issue.
see post
TLD's checkbox is ticked. Any chance it is broken?
-
@pftdm007
When you do an nslookup, for example on about.me (the first you listed), what IP does it get back?
-
workstation@workstation:~$ nslookup about.me
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	about.me
Address: 10.10.10.1
But when I enter "about.me" in my web browser, I get their webpage as if nothing was blocked.
-
@pftdm007 said in DNSBL is no longer working normally:
But when I enter "about.me" in my web browser, I get their webpage as if nothing was blocked.
Your browser could have cached the 'correct' answer; so it won't do a DNS lookup.
Or, your browser uses its own DoH or DoT lookup, forwarding over TLS to some external resolver, totally bypassing your local pfSense.
-
Okay I found the issue.
Apparently a few months ago Mozilla made "CIRA Canadian Shield" the default option for DNS over HTTPS in Firefox's proxy settings, hence bypassing pfsense's DNS resolver completely and rendering it completely useless.
I find this very frustrating that stuff keeps being changed like that. What's the point of having a strong, well configured "firewall" like pfsense to protect and control incoming/outgoing traffic to your network only to have a simple browser setting bypass everything? Am I missing something here?
-
@pftdm007 said in DNSBL is no longer working normally:
Am I missing something here?
Maybe this:
Whatever you set in about:config (URL in Firefox) will be retained, even after updates.
So switch DoH off over there, and you'll be fine.
If not, Firefox will use DoH; they have done so on new installs for a while now, as it is undeniably safer for the end user.
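An added check, not from the thread or the pfBlockerNG project, for the two failure modes diagnosed above: it reads Firefox's network.trr.mode from a prefs.js/user.js body to tell whether DoH is bypassing the local resolver, and classifies the resolver's answers for a list of domains as sinkholed to the DNSBL VIP, resolved, or NXDOMAIN. The sample prefs, the provider URL and the fake answers are constructed; 10.10.10.1 is the VIP seen in the nslookup output above.

```python
import re
import socket
from typing import Callable, Dict, List

# Constructed sample of a Firefox prefs.js (not from the thread); the provider URL is a placeholder.
SAMPLE_PREFS_JS = '''
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://doh-provider.example/dns-query");
'''
# network.trr.mode values per Mozilla's documentation. Mode 0 only means "no explicit choice":
# Firefox's regional rollout can still enable DoH, so 5 is the only firm "off".
TRR_MODE_NAMES = {0: "default (rollout may enable DoH)", 2: "DoH first", 3: "DoH only", 5: "off by choice"}
DNSBL_VIP = "10.10.10.1"  # pfBlockerNG DNSBL virtual IP, as in the nslookup output above
# Constructed answers standing in for the system resolver so the check runs offline.
FAKE_ANSWERS = {"about.me": ["10.10.10.1"], "example.org": ["203.0.113.10"]}

def firefox_doh_mode(prefs_js: str) -> int:
    """Return network.trr.mode from a prefs.js/user.js body, or 0 when it is not set."""
    m = re.search(r'user_pref\("network\.trr\.mode",\s*(\d+)\)', prefs_js)
    return int(m.group(1)) if m else 0

def doh_bypasses_local_resolver(mode: int) -> bool:
    """Modes 2 and 3 send queries over HTTPS to an external resolver, skipping pfSense/Unbound."""
    return mode in (2, 3)

def system_resolve(domain: str) -> List[str]:
    """Ask the OS resolver, the path DNSBL can influence, for the domain's A records."""
    return socket.gethostbyname_ex(domain)[2]

def fake_resolve(domain: str) -> List[str]:
    """Offline stand-in for system_resolve backed by FAKE_ANSWERS."""
    if domain not in FAKE_ANSWERS:
        raise OSError("NXDOMAIN")  # socket.gaierror, raised by the real resolver, is an OSError subclass
    return FAKE_ANSWERS[domain]

def dnsbl_check(domains: List[str], resolve: Callable[[str], List[str]],
                vip: str = DNSBL_VIP) -> Dict[str, str]:
    """Classify each domain: 'sinkholed' (every answer is the DNSBL VIP), 'resolved' or 'nxdomain'."""
    result = {}
    for domain in domains:
        try:
            ips = resolve(domain)
        except OSError:
            result[domain] = "nxdomain"
            continue
        result[domain] = "sinkholed" if ips and all(ip == vip for ip in ips) else "resolved"
    return result
```

On a real workstation, call dnsbl_check(domains, system_resolve) to compare the OS resolver's view with what the browser actually reaches; a domain reported as sinkholed that still loads in Firefox points at a browser-side bypass such as DoH. Firefox's automatic DoH rollout also honours the canary domain use-application-dns.net: an NXDOMAIN answer from the local resolver switches the rollout off, though an explicit user setting in about:config is not affected.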