DNSBL modify default bloked webpage
-
@bbcan177 said in DNSBL modify default bloked webpage:
To fix that Cert error for HTTPS sites, create a new DNSBL Group and add the domains that are causing issue to the customlist at the bottom of the page. Then disable logging and set the Order to "Primary" which will cause this Group to load first.
Follow that with a Force Reload DNSBL... That will null block those domains to 0.0.0.0 and avoid the cert errors.The thing is that basically you will need to add all https sites in there (well, almost) as most of them are using HSTS for that matter nowadays. (facebook, google and almost all majors)
No mentioning logging, alerts, etc...
That's actually the exact reason, why i'm trying to get away from this bulky and messy squid+samba+squidguard construction. But here with lighthttpd you're using static private cert which is not trusted by local cert authorities. Why can't you consider to issue at least trusted with local CA cert? I'd imagine that'll help with majority if issues.... Also i've heard rumors from of this forum, that if we will be using the squid's way with auto generating valid subCA certs for users from local CA it "would be both complicated and slow." But squid had been working with that for years, I haven't noticed any issues with it's performance... (yes there is caching also, but still)
Could you please comment? (I'm on latest dev 2.2.5_17 now) -
@bbcan177 said in DNSBL modify default bloked webpage:
To fix that Cert error for HTTPS sites, create a new DNSBL Group and add the domains that are causing issue to the customlist at the bottom of the page. Then disable logging and set the Order to "Primary" which will cause this Group to load first.
Could you please list the exact steps for this suggestion? I'm not sure what you mean by DNSBL "Group" and don't see that term anywhere under Firewall -> pfblockerNG or anywhere else.
Also, I'm seeing in other threads that this was incorporated already into pfblockerNG... If so, where is that option, because I'm definitely seeing these HTTPS certificate errors. (I'd much prefer that you allow pfblockerNG to use a certificate I provide, presumbaly using pfSense's certificate manager, so that I can pre-install the signing CA in my clients. I don't want to give up the blocked web page that's delivered -- I'm on MacOS, where Safari will let me work around the issue by installing the HTTPS server certificate in my Keychaain, but Chrome and Firefox still won't work with that for HSTS sites (like googleadservices.com)).
pfSense 2.4.4-RELEASE-p2 / pfBlockerNG-devel 2.2.5_21
-
This is where you create a new "DNSBL Group" (I am renaming DNSBL Feed -> DNSBL Group in the next release):
Click on the DNSBL Tab
Click "DNSBL Feeds"
Click "Add"Set the Name and Header field
Set the Action to Unbound
Set the Logging to Disabled
Set Group Order to Primary
Add the domains that are causing those Cert issues, to the bottom Custom List.Save, "Force Reload - DNSBL"
-
@bbcan177 Thanks for that.
What effect is the "null block" supposed to have? When I access a problem site -- I still see a certificate warning. DNS lookups in the domain in question still return 10.10.10.1 rather than 0.0.0.0. (Update: the problem is that I needed to put in a full hostname, e.g., www.googleadservices.com, rather than just the domain name as it asked for, e.g., googleadservices.com.)
Any plans to have DNSBL use a server certificate from the pfSense's certificate manager so that this workaround is unnecessary? Adding an exception like this for very problematic domain is not tractable (or desirable, since as you've pointed it out it defeats logging and tracking for such ads).
-
Hello there security folks,
Same problem here with a brand new install on my test lab:
PfBlocker 2.1.4_16
PfSense 2.4.4_2DNSBL works and turns ads into 1.1 pixel but I cannot display the "blocked page warning" when the root domain is blocked.
For example : darkpage.win is on one of my DNSBL lists. I confirm it's darkpage.win and not something.darkpage.win.
When I browse this address, all I get is a 1.1 pixel, not the "blocked page warning" I should get.Below is my nslooup result for that page :
nslooup darkpage.win
Server : 192.168.1.252
Address : 192.168.1.252#53Name : darkpage.win
Address : 10.10.10.1Did someone find a solution ?
Thanks a lot -
@davidm40 said in DNSBL modify default bloked webpage:
PfBlocker 2.1.4_16
You will need to upgrade to pfBlockerNG-devel which has the blocked web page functionality.
-
Oh, I see.
Thanks for the quick reply @BBcan177
Glad I didn't start getting my hands dirty too early. -
-
@concord @BBcan177 I modified
/usr/local/pkg/pfblockerng/pfblockerng.incby replacing line1087likes this:'target' => "{$pfb['dnsbl_vip']}",Now the NAT rules always have vip as target ip and issue is solved.
However, I think
127.0.0.1should work. May be issue is with latest release of pfSense itself? -
I followed these instructions to block roblox for the kids. The result is that I get an error in the browser that the site cannot be reached but I do not see a block message. Is that the expected behavior?
-
Thanks, but I would rather go back to the old way with the (GIF Image, 1 × 1 pixels). Could i just upload that gif image to the /usr/local/www/pfblockerng/www/ folder and delete the default html files in there? Or do I need to do something else?
-
@ryanca said in DNSBL modify default bloked webpage:
Thanks, but I would rather go back to the old way with the (GIF Image, 1 × 1 pixels). Could i just upload that gif image to the /usr/local/www/pfblockerng/www/ folder and delete the default html files in there? Or do I need to do something else?
Copy the default page and create a new one with your modifications. Then select the new page in the DNSBL Tab.
