DNSBL Certificate errors

HeMaN

@BBcan177:

You could edit the code and use 0.0.0.0 instead of the DNSBL VIP… but that will also negate any logging capabilities...

https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L3609

/usr/local/pkg/pfblockerng/pfblockerng.inc

Change this line #3609:

$domain_data .= "local-data: \"" . $line . " 60 IN A {$pfb['dnsbl_vip']}\"\n";

To:

$domain_data .= "local-data: \"" . $line . " 60 IN A 0.0.0.0\"\n";

Upcoming version will allow mixing of the DNSBL VIP and 0.0.0.0 so that the domains that are causing these erorrs, can utilize 0.0.0.0 whilst all others use the DNSBL VIP and the logging remains intact…  or if you didn't want to log the blocked alerts....

Hi @BBcan177, thnx for the great work on pfBlockerNG!

I also ran into the issue of the warning about the certificate not belonging to the site and not being trusted.

Did some research on the web and found several statements about using a generic self signed certificate for all redirected traffic, and that the solution would be to create certificates for the domains on the fly with a certificate known/trusted by the users.

I only switched to using pfSense a week ago, and was using an Asus router with wrt-Merlin firmware before.
On this router I also had a "tool" installed for dns based ad-blocking called AB-Solution (https://www.snbforums.com/threads/release-ab-solution-3-6-5-the-ad-blocking-solution.37511/).
The beauty of this tool is amongst others the option to use pixelsrv-tls. This is a 1*1 pixel server also capable of https.
It does also create on-the-fly certificates specific for the https-urls being blocked. (https://github.com/kvic-z/pixelserv-tls)
No more annoying certificate warnings in my browser for any blocked site (after I installed the used CA-certificate of course)

I am absolutely no programmer, but maybe this is something worth to look into if it is possible to incorporate this functionality with pfBlockerNG?
If on the fly certificate creation is possible on a small home router, it should also be possible on a better utilised pfSense system ;)

BBcan177

Thanks for the links… It's not something that I would want for the package... MITM anything is bad in my books :)
I am working on improving this issue… So stay tuned...

HeMaN

@BBcan177:

Thanks for the links… It's not something that I would want for the package... MITM anything is bad in my books :)
I am working on improving this issue… So stay tuned...

OK thnx! I will stay tuned ;)

Just to be sure, it is not mitm that pixelserv-tls is doing.
It is a webserver only serving a transparant 1*1 pixel for requests made to that server (redirected to the pixelserv-tls  ip by dns blocklist), and also capable of generating a certificate for that pixel when the request was made with https.

All traffic that is not dns-blocked/redirected never go through the pixelserv-tls server.

motific

Creating custom certs for domains you don't own is a MITM method.

Not that it would work for google.com as they use HSTS preloading and public-key pinning.  Browser makers bake information about the certificate chain for some sites into the package/installation.  The browser knows about the certs it should be expecting for those sites before a request is even made and will warn the user if the certificate has been tampered with.

Sekrit

@BBcan177:

@bole5

Can you change the code as indicated (utilizing 0.0.0.0) and see if that fixes your cert errors. I don't have many Apple devices to test with, so any help testing would be appreciated. Will need to run a "Force Reload - DNSBL" for it to take effect.

Any other users feedback welcome also…

Thanks!

Hi BBcan,
I was able to fix the certificate invalid errors in Safari by editing the pfblockerng.inc. Is this a one time fix or needs to be done on every update?  Could you create a GUI option for this very annoying problem for Safari users? 
Thanks

BBcan177

@Sekrit:

Could you create a GUI option for this very annoying problem for Safari users?

It's already in the beta of the next release… stay tuned!

Sekrit

After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.

BBcan177

@Sekrit:

After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.

If you make manual changes to the pfblockerng.inc file, those will be lost on a pkg installation. So you most likely installed v2.1.1_8 which reset the file back to default… The next release should have this fix built-in...

SLIMaxPower

I followed this guide and dropbox is refused to connect.

DNSBL

May 28 14:34:43 Unknown Unknown   www.google-analytics.com 
  Not available for HTTPS alerts

May 28 14:19:03 Unknown Unknown   www.dropbox.com 
  Not available for HTTPS alerts

both show the domains are in the whitelist.

If and Source and Unknown and list shows no match.

BBcan177

Can you post a screenshot of the Whitelist and the Alerts Tab showing these blocked domains.

SLIMaxPower

Currently the domains are whitelisted in the custom domain whitelist. Is this correct or should they go in the TLD whitelist

BBcan177

@SLIMaxPower:

Currently the domains are whitelisted in the custom domain whitelist. Is this correct or should they go in the TLD whitelist

The Custom Domain Whitelist is used to "whitelist" domains…

The TLD Whitelist is only used in combination with TLD Blacklist… An example of that would be where you want to block all "ru" domains with TLD Blacklist, but you want to allow certain ru domains to get thru.

GoldServe

What is the option to not serve up a https image to avoid certificate errors in 2.1.1_8?

Matze_

[ DNSBL FAIL ] [ Skipping : SuspiciousDomains ]

What feed URL are you using? There are three options available:

https://isc.sans.edu/feeds/suspiciousdomains_High.txt
https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
https://isc.sans.edu/feeds/suspiciousdomains_Low.txt

Otherwise check that you didn't copy/paste the new patched line incorrectly…

Sekrit

@BBcan177:

@Sekrit:

After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.

If you make manual changes to the pfblockerng.inc file, those will be lost on a pkg installation. So you most likely installed v2.1.1_8 which reset the file back to default… The next release should have this fix built-in...

BBcan,
Just installed the next release and certificate error has returned.  :(

BBcan177

@Sekrit:

@BBcan177:

@Sekrit:

After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.

If you make manual changes to the pfblockerng.inc file, those will be lost on a pkg installation. So you most likely installed v2.1.1_8 which reset the file back to default… The next release should have this fix built-in...

BBcan,
Just installed the next release and certificate error has returned.  :(

Sorry to get your hopes up… but the last release was just a small patch...  Not quite finished with it yet...

kjstech

The firewall rule worked!  I changed my DNSBL SSL port to 8082 though since I have a Unifi controller running on my pfsense box on 8443.

kvic

@BBcan177:

Thanks for the links… It's not something that I would want for the package... MITM anything is bad in my books :)
I am working on improving this issue… So stay tuned...

You can decide what to include in your package. But pixelserv-tls is not MITM blah.

kvic

@motific:

Creating custom certs for domains you don't own is a MITM method.

Not that it would work for google.com as they use HSTS preloading and public-key pinning.  Browser makers bake information about the certificate chain for some sites into the package/installation.  The browser knows about the certs it should be expecting for those sites before a request is even made and will warn the user if the certificate has been tampered with.

First time I hear such a definition of MITM. Maybe you have a point. Perhaps blocking ad by poisoning DNS record shall be in this category too.

Your understanding of HSTS and what's built in chrome/firefox doesn't seem right to me.

Velcro

Just my 2 cents not sure of implications but since upgrading to IOS 11.0.3(including the 3 IOS updates in the last 2-3 weeks), I used to get a pop-up's on my iPhone safari…now I get a "safari cannot open...could not establish a secure connection...".

In firefox on Linux I got redirected to a certificate error...went thru and made an exception...now I get the 1x1 pixel page.

I'll take a cert error or 1x1 pixel page...just no spying!!!

I love you BBCAN!