Netgate Discussion Forum
    Disable IDN Blocking

    • D
      dmds @RonpfS
      last edited by

      @ronpfs

      HSTS disabled, IDN Blocking disabled
      HSTS disabled, IDN Blocking enabled
      HSTS enabled, IDN Blocking disabled
      HSTS enabled, IDN Blocking enabled

      Force Update, Force Reload All, Force Cron...

      and also clean pfblockerng install with default settings and Python mode enabled

      all the same thing...

      • RonpfSR
        RonpfS @dmds
        last edited by RonpfS

        @dmds HSTS is just to see if changes are saved and processed by an Update.

        Maybe it's time to post pfblockerng.log. It's in the log that you see if your settings are used to build the db.

        • D
          dmds @RonpfS
          last edited by

          @ronpfs
          ok
          clean install with enabled Python mode
          I made several requests to xn--80adxhks.xn--p1ai

          pfblockerng.zip
          dnsbl.zip

            • RonpfSR
              RonpfS @dmds
              last edited by RonpfS

              @dmds
              So after taking my time, I can confirm that Block IDN settings are saved and applied after a Force Update. However the IP is blocked by a Firewall Rules Top Spammer.

              212.11.152.122: RU AS8901 pfB_Top_v4 RU_v4

              You can track the change in the files after a Force Update:
              /cf/conf/config.xml : <pfb_idn></pfb_idn>
              /var/unbound/pfb_unbound.ini : python_idn = off

              Also don't rely on Chrome to see if the domain is redirected to the VIP, Chrome acts funny and brings back the pfBlockerNG DNSBL block page. Use the DNS Resolver tab.

              Well it's really weird. Now it's blocked again.
              In the DNS Lookup tab, beware that the DNS Resolver tab returns 212.11.152.122 for XN--80ADXHKS.XN--P1AI but returns the VIP for xn--80adxhks.xn--p1ai. Firefox converts both to non-caps.

              • RonpfSR
                RonpfS @dmds
                last edited by RonpfS

                @dmds

                [2.4.5-RELEASE][2020-12-23 3:01:52][admin@]/root: nslookup xn--80adxhks.xn--p1ai
                ;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current locale
                Server:         127.0.0.1
                Address:        127.0.0.1#53
                
                Name:   xn--80adxhks.xn--p1ai
                Address: 10.10.10.1
                ** server can't find xn--80adxhks.xn--p1ai: SERVFAIL
                
                [2.4.5-RELEASE][2020-12-23 3:02:56][admin@]/root: nslookup XN--80ADXHKS.XN--P1AI
                ;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current locale
                Server:         127.0.0.1
                Address:        127.0.0.1#53
                
                Non-authoritative answer:
                Name:   xn--80adxhks.xn--p1ai
                Address: 212.11.152.117
                Name:   xn--80adxhks.xn--p1ai
                Address: 212.11.152.122
                ** server can't find xn--80adxhks.xn--p1ai: SERVFAIL
                
                
                • D
                  dmds @RonpfS
                  last edited by dmds

                  @ronpfs said in Disable IDN Blocking:

                  ...However the IP is blocked by a Firewall Rules Top Spammer.

                  212.11.152.122: RU AS8901 pfB_Top_v4 RU_v4

                  I don't have this rule enabled

                  I disabled all groups and left only one with a single address google.com

                  223396bd-1c10-4697-b701-03e2fc635e63-изображение.png

                  any IDN is blocked...

                  57ed1f69-71eb-4bc5-a72e-1fb36cf5215f-изображение.png

                  • D
                    dmds
                    last edited by

                    and blocked google.com gives another output
                    f52ab8c7-f3b5-49b0-a81a-25ec02940ce9-изображение.png

                    • BBcan177B
                      BBcan177 Moderator @dmds
                      last edited by BBcan177

                      @dmds
                      Thanks for reporting, will get this fixed in the next version.

                      For now, you can edit this file:
                      /var/unbound/pfb_unbound.py

                      And change Line #1007

                      Ref:
                      https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG-devel/files/var/unbound/pfb_unbound.py#L1007

                      From:

                      if not isFound and pfb['python_idn'] and q_name.startswith('xn--') or '.xn--' in q_name:
                      

                      To:

                      if not isFound and pfb['python_idn'] and (q_name.startswith('xn--') or '.xn--' in q_name):
                      

                      It was missing brackets "( .. )" around the last condition

                      Follow that with a restart of Unbound.

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/
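
Added example (not part of the post above and not pfBlockerNG code): the two conditions quoted in the post, parsed and evaluated side by side to show why the missing brackets block IDN names even when `python_idn` is off. The helper names and the sample queries are constructed for illustration.

```python
import ast

# The two conditions exactly as quoted in the post (before and after the fix).
BEFORE = "not isFound and pfb['python_idn'] and q_name.startswith('xn--') or '.xn--' in q_name"
AFTER = "not isFound and pfb['python_idn'] and (q_name.startswith('xn--') or '.xn--' in q_name)"


def top_level_operator(expr):
    """Return the outermost boolean operator ('And' or 'Or') Python parses for expr."""
    node = ast.parse(expr, mode="eval").body
    return type(node.op).__name__


def idn_blocked(expr, is_found, python_idn, q_name):
    """Evaluate one condition for a single query (hypothetical harness).

    eval() is acceptable here only because expr is one of the two constants above.
    """
    scope = {"isFound": is_found, "pfb": {"python_idn": python_idn}, "q_name": q_name}
    return bool(eval(expr, {"__builtins__": {}}, scope))


def compare(q_names):
    """Rows of (python_idn, q_name, before, after) with isFound fixed to False."""
    rows = []
    for python_idn in (False, True):
        for q_name in q_names:
            rows.append((python_idn, q_name,
                         idn_blocked(BEFORE, False, python_idn, q_name),
                         idn_blocked(AFTER, False, python_idn, q_name)))
    return rows


if __name__ == "__main__":
    # 'and' binds tighter than 'or', so BEFORE is really (A and B and C) or D:
    # the trailing "'.xn--' in q_name" is not gated by isFound or python_idn.
    print("before:", top_level_operator(BEFORE), "| after:", top_level_operator(AFTER))
    # Constructed queries; the first is the domain tested in the thread. The
    # substring test is case-sensitive, so the upper-case form does not match
    # (assuming q_name reaches the check with its case unchanged).
    for row in compare(["xn--80adxhks.xn--p1ai", "XN--80ADXHKS.XN--P1AI",
                        "xn--80adxhks.example", "google.com"]):
        print(row)
```
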

                      • D
                        dmds @BBcan177
                        last edited by

                        @bbcan177
                        Thanks! Everything is working.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.