DNSBL modify default bloked webpage
-
@bbcan177 said in DNSBL modify default bloked webpage:
To fix that cert error for HTTPS sites, create a new DNSBL Group and add the domains that are causing issues to the custom list at the bottom of the page. Then disable logging and set the Order to "Primary", which will cause this Group to load first.
Could you please list the exact steps for this suggestion? I'm not sure what you mean by DNSBL "Group" and don't see that term anywhere under Firewall -> pfblockerNG or anywhere else.
Also, I'm seeing in other threads that this was incorporated already into pfblockerNG... If so, where is that option, because I'm definitely seeing these HTTPS certificate errors. (I'd much prefer that you allow pfblockerNG to use a certificate I provide, presumably using pfSense's certificate manager, so that I can pre-install the signing CA in my clients. I don't want to give up the blocked web page that's delivered -- I'm on macOS, where Safari will let me work around the issue by installing the HTTPS server certificate in my Keychain, but Chrome and Firefox still won't work with that for HSTS sites (like googleadservices.com)).
pfSense 2.4.4-RELEASE-p2 / pfBlockerNG-devel 2.2.5_21
-
This is where you create a new "DNSBL Group" (I am renaming DNSBL Feed -> DNSBL Group in the next release):
Click on the DNSBL Tab
Click "DNSBL Feeds"
Click "Add"
Set the Name and Header field
Set the Action to Unbound
Set the Logging to Disabled
Set Group Order to Primary
Add the domains that are causing those cert issues to the bottom Custom List.
Save, then "Force Reload - DNSBL"
-
@bbcan177 Thanks for that.
What effect is the "null block" supposed to have? When I access a problem site I still see a certificate warning. DNS lookups for the domain in question still return 10.10.10.1 rather than 0.0.0.0. (Update: the problem is that I needed to put in a full hostname, e.g., www.googleadservices.com, rather than just the domain name as it asked for, e.g., googleadservices.com.)
Any plans to have DNSBL use a server certificate from pfSense's certificate manager so that this workaround is unnecessary? Adding an exception like this for every problematic domain is not tractable (or desirable, since as you've pointed out it defeats logging and tracking for such ads).
-
Hello there security folks,
Same problem here with a brand new install on my test lab:
PfBlocker 2.1.4_16
PfSense 2.4.4_2
DNSBL works and turns ads into a 1x1 pixel, but I cannot display the "blocked page warning" when the root domain is blocked.
For example : darkpage.win is on one of my DNSBL lists. I confirm it's darkpage.win and not something.darkpage.win.
When I browse this address, all I get is a 1x1 pixel, not the "blocked page warning" I should get. Below is my nslookup result for that page:
nslookup darkpage.win
Server:   192.168.1.252
Address:  192.168.1.252#53

Name:     darkpage.win
Address:  10.10.10.1
Did someone find a solution?
Thanks a lot
-
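Two posts above hinge on the same check: whether a hostname answers with the DNSBL VIP (10.10.10.1, blocked page and the HTTPS cert error), with 0.0.0.0 (null block, a plain connection failure), or normally, and the observation that a null-block entry only takes effect for the full hostname, not the bare domain. The script below is an added example written for this thread; it is not part of pfBlockerNG or any post here. It assumes the default VIP 10.10.10.1 and 0.0.0.0 as the null-block answer (both parameters), parses ordinary nslookup output like the one quoted above, and takes an injectable resolver so the constructed answers at the bottom stand in for a lab DNS; run it from a client that uses pfSense/Unbound to check real hostnames.

```python
"""Check which DNSBL outcome a set of hostnames actually gets.

Added example for the pfBlockerNG DNSBL thread, not project code. Assumes the
default DNSBL VIP 10.10.10.1 and 0.0.0.0 as the null-block answer.
"""
import socket
from typing import Callable, Dict, Iterable, List

DNSBL_VIP = "10.10.10.1"   # pfBlockerNG default DNSBL VIP (address seen in the thread)
NULL_BLOCK = "0.0.0.0"     # "null block" answer; nothing listens, so no cert error


def classify(addr: str, vip: str = DNSBL_VIP) -> str:
    """Map one resolved address to the DNSBL behaviour it implies."""
    if addr == NULL_BLOCK:
        return "null-block"   # browser gets a connection failure, no blocked page
    if addr == vip:
        return "dnsbl-vip"    # blocked page is served; HTTPS sites hit the cert warning
    return "resolves"         # not handled by DNSBL at all


def parse_nslookup(output: str) -> Dict[str, List[str]]:
    """Extract name -> [addresses] from nslookup output.

    The leading Server/Address header is skipped: it appears before any Name:
    line and its address carries a '#port' suffix on BSD/Linux.
    """
    results: Dict[str, List[str]] = {}
    name = None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name":
            name = value
            results.setdefault(name, [])
        elif key.startswith("address") and name is not None and "#" not in value:
            results[name].append(value)
    return results


def check_hosts(hosts: Iterable[str],
                resolve: Callable[[str], str] = socket.gethostbyname,
                vip: str = DNSBL_VIP) -> Dict[str, str]:
    """Resolve each host through `resolve` (the system resolver by default) and
    report the DNSBL outcome; a failed lookup is reported as 'nxdomain'."""
    report: Dict[str, str] = {}
    for host in hosts:
        try:
            addr = resolve(host)
        except OSError:           # socket.gaierror is an OSError
            report[host] = "nxdomain"
            continue
        report[host] = classify(addr, vip)
    return report


def bare_domain_gaps(report: Dict[str, str]) -> List[str]:
    """Bare domains that still get the VIP while their www. host is null-blocked:
    the mistake from the thread, where the custom list needs the full hostname."""
    return sorted(h for h, state in report.items()
                  if state == "dnsbl-vip" and report.get("www." + h) == "null-block")


# Constructed answers standing in for a lab resolver (not real DNS data).
FAKE_ANSWERS = {
    "www.googleadservices.com": "0.0.0.0",   # listed in the Primary group's custom list
    "googleadservices.com": "10.10.10.1",    # only the www host was listed
    "darkpage.win": "10.10.10.1",            # blocked by a normal DNSBL feed
    "example.com": "93.184.216.34",          # not blocked
}


def fake_resolve(host: str) -> str:
    """Resolver stub over FAKE_ANSWERS; unknown names fail like NXDOMAIN would."""
    try:
        return FAKE_ANSWERS[host]
    except KeyError:
        raise socket.gaierror(host)


if __name__ == "__main__":
    report = check_hosts(FAKE_ANSWERS, resolve=fake_resolve)
    for host, state in report.items():
        print(f"{host:28} {state}")
    for domain in bare_domain_gaps(report):
        print(f"add the full hostname: {domain} still returns the VIP")
```

Swap `fake_resolve` for the default resolver (or feed real `nslookup` text to `parse_nslookup`) to check the hosts you added to the Primary group; any entry reported as `dnsbl-vip` rather than `null-block` is one the custom list is not matching.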
@davidm40 said in DNSBL modify default bloked webpage:
PfBlocker 2.1.4_16
You will need to upgrade to pfBlockerNG-devel which has the blocked web page functionality.
-
Oh, I see.
Thanks for the quick reply @BBcan177
Glad I didn't start getting my hands dirty too early.
-
@concord @BBcan177 I modified
/usr/local/pkg/pfblockerng/pfblockerng.inc
by replacing line 1087 like this:
'target' => "{$pfb['dnsbl_vip']}",
Now the NAT rules always have the VIP as target IP and the issue is solved.
However, I think
127.0.0.1
should work. Maybe the issue is with the latest release of pfSense itself?
-
I followed these instructions to block roblox for the kids. The result is that I get an error in the browser that the site cannot be reached but I do not see a block message. Is that the expected behavior?
-
Thanks, but I would rather go back to the old way with the (GIF Image, 1 × 1 pixels). Could I just upload that GIF image to the /usr/local/www/pfblockerng/www/ folder and delete the default HTML files in there? Or do I need to do something else?
-
@ryanca said in DNSBL modify default bloked webpage:
Thanks, but I would rather go back to the old way with the (GIF Image, 1 × 1 pixels). Could I just upload that GIF image to the /usr/local/www/pfblockerng/www/ folder and delete the default HTML files in there? Or do I need to do something else?
Copy the default page and create a new one with your modifications. Then select the new page in the DNSBL Tab.