Dnsbl causes iOS apps to hang
-
For awhile I had no issues when using DNSBl to block ads and tracking until it was causing issues with certain apps on my iOS devices. For instance I couldn't run a speedtest on my iPhone, log in to certain apps, or for instance connect to crunchyroll while I was using even the suggested lists. Even when I have no lists enabled does this problem occur. I'm on the latest version of pfSense, pfBlockerNG, and left all the default options on pfBlockernG. Does anyone know what the cause could be? if you're experiencing this issue, or a way around this issue?
-
Review the pfBlockerNG Alerts tab and see which blocked domain could be causing your issue. You can click on the blue infoblock icon in the DNSBL page to get some further debugging instructions.
-
@crisdavid:
For instance I couldn't run a speedtest on my iPhone,
Speedtest:
I hammered (ookla) Speedtest for months on public forums, accusing them of "revengeware" as they were writing their app to falter if it could not display ads. One of their customer support engineers even contacted me. I had to explain to him what pfSense, pfBlockerNG and DNSBL were and how they worked. I sent him screen shots from hotels or Starbucks where his app worked (with ads) and hangup video when I was on my system (without ad access). I sent him at home video "on network" hanging and "on LTE" only working but with ads. Within weeks their new versions stopped hanging. I did go back on the forums and correct my stance based on their current version. I just checked now and its still working fine on my system… running current+ code.I have no issue with any code package running ads and not working if it can't display them, but thought they at least had a responsibility to state so and not just cause their app to hang without warning because of it.
That engineer wrote me back two weeks later to tell me he was building a pfSense system at home.... so he may be reading this. Thanks!
Rick
-
Review the pfBlockerNG Alerts tab and see which blocked domain could be causing your issue. You can click on the blue infoblock icon in the DNSBL page to get some further debugging instructions.
I checked the alerts tab and the page was just blank most of the time when I go over to look at it. What's odd is the fact that this occurs when there are no lists or EasyList enabled.
Speedtest:
I hammered (ookla) Speedtest for months on public forums, accusing them of "revengeware" as they were writing their app to falter if it could not display ads. One of their customer support engineers even contacted me. I had to explain to him what pfSense, pfBlockerNG and DNSBL were and how they worked. I sent him screen shots from hotels or Starbucks where his app worked (with ads) and hangup video when I was on my system (without ad access). I sent him at home video "on network" hanging and "on LTE" only working but with ads. Within weeks their new versions stopped hanging. I did go back on the forums and correct my stance based on their current version. I just checked now and its still working fine on my system… running current+ code.I have no issue with any code package running ads and not working if it can't display them, but thought they at least had a responsibility to state so and not just cause their app to hang without warning because of it.
That engineer wrote me back two weeks later to tell me he was building a pfSense system at home.... so he may be reading this. Thanks!
Rick
See in my case I paid for ad removal and when I first started pfBlockerNG I didn't see this issue until after awhile then I started to notice the hang within apps like Speed test
-
If you are not seeing any Alerts that's not a good sign. Do you have a multi Lan segmented network? If so enable the DNSBL permit rule option to auto create a Floating permit rule to allow all LAN subnets to access the DNSBL VIP.
Can all your Lan devices ping the DNSBL VIP address? If not, that can cause browser timeouts.
-
I only have one LAN network that's not segmented. My LAN devices can ping the DNSBL VIP address but there's nothing appearing in the alerts tab. If it helps I leave everything default and followed this guide here https://www.fredmerc.com/2016/07/pfsense-adblock-using-pfblockerng-guide/ but regardless if I enable DNSBL it causes issues with iOS apps hanging even if theres no lists enabled.
-
Which Feeds are you using in DNSBL?
-
I use the three suggested ones yoyo, SomeoneWhoCares, and Adaway
-
@crisdavid:
I use the three suggested ones yoyo, SomeoneWhoCares, and Adaway
With those lists enabled, try to browse to:
http://101com.com
This should be blocked and logged to the Alerts Tab. If not, then your LAN devices might not have their DNS settings configured properly…
Also this command should return the DNSBL VIP address:
host -t A 101com.comor for Windows:
nslookup 101com.com -
So I tried out the command which points back to the DNSBL address but it still unfortunately doesn't show up in the alerts tab. Would adding the VIP address to the DNS Resolver access list properly configure DNSBL?
-
No you don't need to touch the Resolver ACL.
Is the DNSBL VIP address defined as the default to 10.10.10.1? What is your LAN IP network defined as?
For your LAN devices, did you define the DNS server settings to point only to the pfSense address? -
Yes VIP is at it's default 10.10.10.1 while my LAN is 192.168.127.x I believe this issue is due to the dns forwarder option being checked within the DNS resolver settings …
-
@crisdavid:
Yes VIP is at it's default 10.10.10.1 while my LAN is 192.168.127.x I believe this issue is due to the dns forwarder option being checked within the DNS resolver settings …
No that won't make a difference. DNSBL can use the DNS Resolver in "Resolver" or "Forwarder" mode…. It just can't use the DNS Forwarder (DNSMasq).
Do you have any other Firewall Rule Limiters or other NAT rules that might be interfering?
-
If it makes it easier I've included my limiter and NAT settings. The limiter is only meant to distribute my bandwidth evenly between devices to prevent one device from consuming most of the bandwidth.
-
@crisdavid:
If it makes it easier I've included my limiter and NAT settings. The limiter is only meant to distribute my bandwidth evenly between devices to prevent one device from consuming most of the bandwidth.
Have you tried pfSense 2.4 as I believe there are some fixes for Limiters in that version… Maybe someone whos using DNSBL and Limiters will chime in... As a test, if you disable the limiters, does that fix your timeout issues?
-
Still testing out this issue but turned off the limiters and it worked fine. Turned back on limiters with DNSBL and it's working for now. I killed the states as well but haven't done a reboot to verify it won't happen again should the system go down. If the problem resurfaces I may just jump to the version 2.4 in hopes it resolves this issue. Good news I saw that now I'm getting alerts! :)
-
Maybe the issue previously was that the Limiters Rules were above the DNSBL NAT rules. First rule wins…
-
Maybe the issue previously was that the Limiters Rules were above the DNSBL NAT rules. First rule wins…
You know what? The difference between my network and my fathers is the fact I had hybrid outbound NAT rules while he had Manual outbound NAT rules. I've wondered about this and can now see why/how using hybrid mode could cause issues as opposed to manual. Thank you for your help!
-
If anyone else is having the same issue I was having with pfblockerNG while having a traffic shaper (especially with this method) https://forum.pfsense.org/index.php?topic=63531.0
I was able to completely resolve this issue by upgrading to the 2.4 beta (at the time I'm posting this) and was able to have no issues with my iOS devices loading web pages slow or certain apps hanging.
