Disable IDN Blocking
-
Can't turn off IDN blocking.
Option is unchecked.
-
@dmds
Which version are you using? That is an old block page?
Update to the latest v3.0.0_7 and see how that goes.
-
@bbcan177
I tried 3.0.0_3 - 3.0.0_7
-
If I disable all DNSBL groups in the settings, then IDNs are not blocked.
If I enable at least one group even with one address (not IDN), then all IDNs are blocked
and the problem is with python mode only
-
@dmds
Try F5, or CTRL-F5 to refresh the tab.
Try with another browser.
Save DNSBL Settings, then change another setting like HSTS mode, Save DNSBL Settings, put back HSTS, Save DNSBL Settings, Force Update, Force Reload All.
Do you see any changes in the IDN Blocking setting during those manipulations?
-
@ronpfs
I tried many browsers and workstations.
"ipconfig /flushdns" doesn't help
Other pfSense instances have the same problem
for example IDN - xn--80adxhks.xn--p1ai
it resolves to the address 172.16.172.15
linux
pfsense
-
@dmds F5, or CTRL-F5 to refresh the pfBlockerNG / DNSBL tab.
Once you tested changing HSTS settings, can you change IDN Blocking, Save DNSBL setting, Force Update, Force Reload All, invert IDN Blocking, Save, Force Update, Force Reload All.
The problem is in pfBlockerNG, so work on pfBlockerNG DNSBL config, inspect the log, etc.
-
HSTS disabled, IDN Blocking disabled
HSTS disabled, IDN Blocking enabled
HSTS enabled, IDN Blocking disabled
HSTS enabled, IDN Blocking enabled
Force Update, Force Reload All, Force Cron...
and also clean pfblockerng install with default settings and Python mode enabled
all the same thing...
-
@dmds HSTS is just to see if changes are saved and processed by an Update.
Maybe it's time to post pfblockerng.log. It's in the log that you see if your settings are used to build the db.
-
@ronpfs
ok
clean install with enabled Python mode
I made several requests to xn--80adxhks.xn--p1ai
-
@dmds
So after taking my time, I can confirm that Block IDN settings are saved and applied after a Force Update. However the IP is blocked by a Firewall Rules Top Spammer.
212.11.152.122: RU AS8901 pfB_Top_v4 RU_v4
You can track the change in the files after a Force Update :
/cf/conf/config.xml : <pfb_idn></pfb_idn>
/var/unbound/pfb_unbound.ini : python_idn = off
Also don't rely on Chrome to see if the domain is redirected to the VIP, Chrome acts funny and brings back the pfBlockerNG DNSBL block page. Use the DNS Resolver tab.
Well it's really weird. Now it's blocked again.
In the DNS Lookup tab, beware that the DNS Resolver tab returns 212.11.152.122 for XN--80ADXHKS.XN--P1AI but returns the VIP for xn--80adxhks.xn--p1ai. Firefox converts both to non-caps.
-
[2.4.5-RELEASE][2020-12-23 3:01:52][admin@]/root: nslookup xn--80adxhks.xn--p1ai
;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current locale
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: xn--80adxhks.xn--p1ai
Address: 10.10.10.1
** server can't find xn--80adxhks.xn--p1ai: SERVFAIL

[2.4.5-RELEASE][2020-12-23 3:02:56][admin@]/root: nslookup XN--80ADXHKS.XN--P1AI
;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current locale
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: xn--80adxhks.xn--p1ai
Address: 212.11.152.117
Name: xn--80adxhks.xn--p1ai
Address: 212.11.152.122
** server can't find xn--80adxhks.xn--p1ai: SERVFAIL
-
@ronpfs said in Disable IDN Blocking:
...However the IP is blocked by a Firewall Rules Top Spammer.
212.11.152.122: RU AS8901 pfB_Top_v4 RU_v4
I don't have this rule enabled
I disabled all groups and left only one with a single address google.com
any IDN is blocked...
-
and blocked google.com gives another output
-
@dmds
Thanks for reporting, will get this fixed in the next version.
For now, you can edit this file:
/var/unbound/pfb_unbound.py
And change Line #1007
Ref:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG-devel/files/var/unbound/pfb_unbound.py#L1007
From:
if not isFound and pfb['python_idn'] and q_name.startswith('xn--') or '.xn--' in q_name:
To:
if not isFound and pfb['python_idn'] and (q_name.startswith('xn--') or '.xn--' in q_name):
It was missing brackets "( .. )" around the last condition
Follow that with a restart of Unbound.
-
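The operator-precedence issue behind the fix above, as an added example that is not part of the original thread or of pfBlockerNG's code: it parses and evaluates the two quoted conditions for IDN blocking on and off. The helper names are hypothetical, `pfb['python_idn']` is assumed to be a plain bool, and `xn--80adxhks.example` is a constructed name.

```python
import ast

# The two conditions quoted in the thread (line #1007 before and after the fix).
BUGGY = "not isFound and pfb['python_idn'] and q_name.startswith('xn--') or '.xn--' in q_name"
FIXED = "not isFound and pfb['python_idn'] and (q_name.startswith('xn--') or '.xn--' in q_name)"


def top_level_op(expr):
    """Name of the outermost boolean operator in Python's parse of expr."""
    return type(ast.parse(expr, mode="eval").body.op).__name__


def idn_blocked(expr, q_name, python_idn, is_found=False):
    """Evaluate a condition for one query name (hypothetical helper).

    Assumption: pfb['python_idn'] is a plain bool (False when the ini says off).
    """
    env = {"isFound": is_found, "pfb": {"python_idn": python_idn}, "q_name": q_name}
    return bool(eval(expr, {"__builtins__": {}}, env))


def compare(q_names):
    """Rows of (name, IDN blocking enabled, buggy result, fixed result)."""
    return [(q, idn, idn_blocked(BUGGY, q, idn), idn_blocked(FIXED, q, idn))
            for q in q_names for idn in (False, True)]


if __name__ == "__main__":
    # 'and' binds tighter than 'or', so the unparenthesised line is an 'or'
    # whose right-hand side ignores both isFound and python_idn.
    print("buggy:", top_level_op(BUGGY), "| fixed:", top_level_op(FIXED))
    names = [
        "xn--80adxhks.xn--p1ai",   # domain from the thread
        "xn--80adxhks.example",    # constructed: punycode only in the first label
        "google.com",
    ]
    for row in compare(names):
        print("%-24s idn=%-5s buggy=%-5s fixed=%s" % row)
```

With IDN blocking off, the unparenthesised condition still matches any name containing `.xn--`, while a name whose only punycode label is the first one is not matched.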
@bbcan177
Thanks! Everything is working.