    DNSBL Certificate errors

    pfBlockerNG
    Sekrit

      @BBcan177:

      @bole5

      Can you change the code as indicated (utilizing 0.0.0.0) and see if that fixes your cert errors. I don't have many Apple devices to test with, so any help testing would be appreciated. Will need to run a "Force Reload - DNSBL" for it to take effect.

      Any other users' feedback welcome also…

      Thanks!

      Hi BBcan,
      I was able to fix the certificate invalid errors in Safari by editing the pfblockerng.inc. Is this a one-time fix, or does it need to be done on every update?  Could you create a GUI option for this very annoying problem for Safari users?
      Thanks

      pfSense 2.3.3-p1 (PFblockerNG, Snort, Squid).  VMware on Supermicro X11SSH-LN4F, Xeon E3-1425 v5, 16Gb

      BBcan177 Moderator

        @Sekrit:

        Could you create a GUI option for this very annoying problem for Safari users?

        It's already in the beta of the next release… stay tuned!

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        Sekrit

          After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.

          BBcan177 Moderator

            @Sekrit:

            After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.

            If you make manual changes to the pfblockerng.inc file, those will be lost on a pkg installation. So you most likely installed v2.1.1_8 which reset the file back to default… The next release should have this fix built-in...

            SLIMaxPower

              I followed this guide and Dropbox is refusing to connect.

              DNSBL

              May 28 14:34:43 Unknown Unknown   www.google-analytics.com 
                Not available for HTTPS alerts

              May 28 14:19:03 Unknown Unknown   www.dropbox.com 
                Not available for HTTPS alerts

              Both show the domains are in the whitelist.

              If and Source and Unknown and list shows no match.

              BBcan177 Moderator

                Can you post a screenshot of the Whitelist and the Alerts Tab showing these blocked domains.

                SLIMaxPower

                  Currently the domains are whitelisted in the custom domain whitelist. Is this correct, or should they go in the TLD whitelist?

                  BBcan177 Moderator

                    @SLIMaxPower:

                    Currently the domains are whitelisted in the custom domain whitelist. Is this correct, or should they go in the TLD whitelist?

                    The Custom Domain Whitelist is used to "whitelist" domains…

                    The TLD Whitelist is only used in combination with TLD Blacklist… An example of that would be where you want to block all "ru" domains with TLD Blacklist, but you want to allow certain ru domains to get thru.

                      GoldServe

                      What is the option to not serve up a https image to avoid certificate errors in 2.1.1_8?

                        Matze_

                        [ DNSBL FAIL ] [ Skipping : SuspiciousDomains ]

                        What feed URL are you using? There are three options available:

                        https://isc.sans.edu/feeds/suspiciousdomains_High.txt
                        https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
                        https://isc.sans.edu/feeds/suspiciousdomains_Low.txt

                        Otherwise check that you didn't copy/paste the new patched line incorrectly…

                          Sekrit

                          @BBcan177:

                          @Sekrit:

                          After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.

                          If you make manual changes to the pfblockerng.inc file, those will be lost on a pkg installation. So you most likely installed v2.1.1_8 which reset the file back to default… The next release should have this fix built-in...

                          BBcan,
                          Just installed the next release and certificate error has returned.  :(

                            BBcan177 Moderator

                            @Sekrit:

                            @BBcan177:

                            @Sekrit:

                            After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.

                            If you make manual changes to the pfblockerng.inc file, those will be lost on a pkg installation. So you most likely installed v2.1.1_8 which reset the file back to default… The next release should have this fix built-in...

                            BBcan,
                            Just installed the next release and certificate error has returned.  :(

                            Sorry to get your hopes up… but the last release was just a small patch...  Not quite finished with it yet...

                              kjstech

                              The firewall rule worked!  I changed my DNSBL SSL port to 8082 though, since I have a UniFi controller running on my pfSense box on 8443.

                                kvic

                                @BBcan177:

                                Thanks for the links… It's not something that I would want for the package... MITM anything is bad in my books :)
                                I am working on improving this issue… So stay tuned...

                                You can decide what to include in your package. But pixelserv-tls is not MITM blah.

                                  kvic

                                  @motific:

                                  Creating custom certs for domains you don't own is a MITM method.

                                  Not that it would work for google.com as they use HSTS preloading and public-key pinning.  Browser makers bake information about the certificate chain for some sites into the package/installation.  The browser knows about the certs it should be expecting for those sites before a request is even made and will warn the user if the certificate has been tampered with.

                                  First time I hear such a definition of MITM. Maybe you have a point. Perhaps blocking ads by poisoning DNS records should be in this category too.

                                  Your understanding of HSTS and what's built in chrome/firefox doesn't seem right to me.

                                    Velcro

                                    Just my 2 cents, not sure of the implications, but since upgrading to iOS 11.0.3 (including the 3 iOS updates in the last 2-3 weeks), I used to get pop-ups on my iPhone Safari… now I get a "Safari cannot open... could not establish a secure connection...".

                                    In firefox on Linux I got redirected to a certificate error...went thru and made an exception...now I get the 1x1 pixel page.

                                    I'll take a cert error or 1x1 pixel page...just no spying!!!

                                    I love you BBCAN!

                                      NasKar

                                      I've tried
                                      Action: Reject
                                      Interface: LAN
                                      Address Family: IPV4
                                      Protocol: TCP
                                      Source: any
                                      Destination: Single host or alias 127.0.0.1 or 10.10.10.1
                                      Destination port range: custom 8443 (in both custom fields)

                                      DNSBL configuration
                                      DNSBL Virtual IP 127.0.0.1 or 10.10.10.1

                                      It does prevent the certificate errors but doesn't block the ads on the yahoo.com home page on iPad or MacBook Pro.

                                      If I edit the code on line 3636 in /usr/local/pkg/pfblockerng/pfblockerng.inc to

                                        $domain_data .= "local-data: \"" . $line . " 60 IN A 0.0.0.0\"\n";

                                      No certificate error, but it doesn't block the ads on the yahoo.com home page on iPad or MacBook Pro.
                                      I did reload the DNSBL.
                                      My version of pfBlockerNG is 2.1.2

                                      Not sure what I'm doing incorrectly.

                                      Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
                                      2 CPUs: 1 package(s) x 2 core(s)
                                      AES-NI CPU Crypto: No
                                      2 Gigs Ram
                                      SSD with ver 2.4.0
                                      IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)
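
The two knobs this thread keeps coming back to (BBcan177's explanation of the Custom Domain Whitelist versus the TLD Whitelist, and the `0.0.0.0` versus DNSBL-VIP `local-data` edit NasKar quotes above) as an added Python example; this is not pfBlockerNG's own code, and mapping the TLD lists onto unbound's `local-zone` redirect/transparent semantics is an assumption of this example, not the package's documented method. The feed sample is constructed.

```python
# Added example (not pfBlockerNG's own code): builds unbound sinkhole entries
# the way this thread discusses them.  The sink address decides what a browser
# sees: the DNSBL VIP answers HTTPS with its own certificate (hence the cert
# errors), while 0.0.0.0 has no listener, so no TLS handshake ever starts.
# The Custom Domain Whitelist drops a domain and its subdomains from the feed;
# the TLD Whitelist only carves exceptions out of a TLD Blacklist.  Using
# unbound local-zone redirect/transparent for the TLD lists is our assumption.

# Constructed feed sample in the style of a suspiciousdomains list ('#' = comment).
FEED = """# constructed sample, not a real feed
www.dropbox.com
ads.example.net
tracker.badsite.ru
"""


def parse_feed(text):
    """Return lowercase domain names; comments, blanks and trailing dots stripped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            out.append(line)
    return out


def is_under(name, parent):
    """True when name equals parent or is a subdomain of it."""
    return name == parent or name.endswith("." + parent)


def build_sinkhole(feed, sink, custom_whitelist=(), tld_blacklist=(), tld_whitelist=()):
    """Emit unbound local-zone/local-data lines.  Unbound applies the most
    specific matching local-zone, so a 'transparent' child zone punches a
    hole in a TLD that is redirected as a whole."""
    lines = []
    for domain in feed:
        if any(is_under(domain, w) for w in custom_whitelist):
            continue  # whitelisted: resolve normally
        if any(is_under(domain, t) for t in tld_blacklist):
            continue  # already covered by the TLD-wide redirect below
        lines.append(f'local-data: "{domain} 60 IN A {sink}"')
    for tld in tld_blacklist:
        lines.append(f'local-zone: "{tld}" redirect')
        lines.append(f'local-data: "{tld} 60 IN A {sink}"')
    for allowed in tld_whitelist:
        lines.append(f'local-zone: "{allowed}" transparent')
    return lines
```

Passing the VIP (for example `10.10.10.1`) as `sink` reproduces the original behaviour, including the certificate error on HTTPS; passing `0.0.0.0` gives the "connection fails, no warning" behaviour several posters report.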

                                        repomanz

                                        Hi folks - I was wondering if others that have upgraded to pfSense 2.4.1 are having the certificate errors again?  Previously in 2.3.4 the solution described above was working fine with the LAN rule blocking any traffic to the DNSBL VIP.  Post upgrade to 2.4.1 I'm getting certificate errors again from my AV solution.  This began happening immediately after upgrade of pfSense to 2.4.1.

                                        Anyone else having this trouble?

                                          gp-se

                                          @repomanz:

                                          Hi folks - I was wondering if others that have upgraded to pfSense 2.4.1 are having the certificate errors again?  Previously in 2.3.4 the solution described above was working fine with the LAN rule blocking any traffic to the DNSBL VIP.  Post upgrade to 2.4.1 I'm getting certificate errors again from my AV solution.  This began happening immediately after upgrade of pfSense to 2.4.1.

                                          Anyone else having this trouble?

                                          I'm on 2.4.1 with the latest PFBlocker installed, I haven't gotten the certificate errors at all. When I was on 2.3.4 I had to edit the file or I would get certificate errors.

                                            repomanz

                                            Can you share your DNSBL configuration and any LAN / floating rules you may have on this?  I'm hoping it's some minor configuration change I need to make instead of a full re-install.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.