Netgate Discussion Forum

    blocked domain not by pfblocker

    • scorpoin

      Greetings,

      My clients keep complaining to me about one website which used to work fine but suddenly slowed down. After investigating, I found that it is blocked by pfBlockerNG: when I ping that CDN domain name it returns the virtual IP of pfBlocker. But when I go to Reports and filter, then search for that CDN domain, I could not find any log for that domain :/ .

      cdn.appdynamics.com
      

      Any idea where else to look for this block? I also tested the website with a pfBlocker bypass IP and that works fine.

      Regards

      • DaddyGo @scorpoin

        @scorpoin said in blocked domain not by pfblocker:

        Any idea where else to look for this block.

        Hi,

        for me, this feed blocks (Adaway):

        380a1cf0-06ef-44f3-89e9-cd52a382cdb0-image.png

        Put it on a whitelist if you want, but it is not blocked in vain, I think 😉

        +++edit:

        fcfa53b3-a680-4716-81bb-e02f56be85e9-image.png

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        • scorpoin

          Thanks for your prompt response. I've added it to the whitelist and the issue is resolved. But the strange thing was I was unable to find it in the logs :/ .

          • DaddyGo @scorpoin

            @scorpoin said in blocked domain not by pfblocker:

            But strange thing was I was unable to find it in logs :/ .

            Follow these steps as well:

            • delete the log files from /var/log/pfblockerng/*
            • clear the dashboard counters with the trash icon

            and "reload / all"

            a0592b02-091c-4444-8660-a826d167df1d-image.png

            • Gertjan @scorpoin

              @scorpoin said in blocked domain not by pfblocker:

              I've added it into white list

              ....and you edited the title 😊

              3476730b-8920-4094-853b-edb78ef16d21-image.png

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • DaddyGo @Gertjan

                @gertjan said in blocked domain not by pfblocker:

                edited the title

                yes, this is worth doing 😉

                • scorpoin @Gertjan

                  @gertjan Now again the same block issue with

                  seal.verisign.com
                  
                  

                  and I've checked in Reports, then filtered; no use, I could not find it. I've checked all log files in /var/log/pfblocker/ as well, I could not find it there. Why this strange behavior? Am I missing something? Or is it kind of a bug or something?

                  Regards

                  • Gertjan @scorpoin

                    @scorpoin said in blocked domain not by pfblocker:

                    Or it is kind of a bug or something.

                    Why wondering ?

                    All you need is a keyboard and type on your PC :

                    C:\Users\Gauche>nslookup seal.verisign.com
                    Serveur :   pfsense.brit-hotel-fumel.net
                    Address:  2001:470:1f13:5c0:2::1
                    
                    Réponse ne faisant pas autorité :
                    Nom :    e19.e2.akamaiedge.net
                    Address:  96.7.226.30
                    Aliases:  seal.verisign.com
                              seal.verisign.com.edgekey.net
                    

                    About pfBlockerNG : the "program" ; when you install it, it does nothing at all.
                    It actually starts when the admin starts filling it up. The main question is : with what - what's in these lists ??
                    If pfBlockerNG was blocking, you would see this :

                    C:\Users\Gauche>nslookup seal.verisign.com
                    Serveur :   pfsense.brit-hotel-fumel.net
                    Address:  2001:470:1f13:5c0:2::1
                    
                    Nom :    seal.verisign.com
                    Address:  10.10.10.1
                    

                    Note : that is, if 10.10.10.1 is the default pfBlockerNG web server and you kept related settings to default.

                    @scorpoin said in blocked domain not by pfblocker:

                    I've checked all log files in /var/log/pfblocker/ as well , I could not find it there

                    Look again : Firewall > pfBlockerNG > Log Browser and look at the dns_reply.log :

                    5336f6a6-f1c6-46a1-afa1-c9465c5ebf30-image.png

                    Btw : I'm using the newer Python mode - not the older Unbound mode.
                    This is checked :
                    166840aa-6b10-4cbb-8ea0-e0b2d731cc2e-image.png

                    And one sure thing : I'm using the resolver with (close to) default settings.

                    You are using pfBlockerNG-devel 3.0.0_8, right ?

                    • scorpoin @Gertjan

                      @gertjan said in blocked domain not by pfblocker:

                      You are using pfBlockerNG-devel 3.0.0_8, right ?

                      Yes, you are right. Is there any problem with that version? I've added that URL to the whitelist, now waiting for another surprise :D.

                      Regards

                      • Gertjan @scorpoin

                        @scorpoin said in blocked domain not by pfblocker:

                        I've added that URL into whitelist

                        Or remove the feed that blocks a domain name like "verisign.com", as we would all agree that blocking Verisign would be plain stupid. Consider this feed as hacked.

                        Btw : IP's like 8.8.8.8 were recently seen on some IP lists. Although I can somewhat understand that one, you can imagine that that really hurts all those 'ignorants' that use 8.8.8.8 for dpinger Monitoring IP which is of course a big "don't do that". Now they know why.

                        • scorpoin @Gertjan

                          @gertjan I agreed, but the issue is I was unable to find that in any feed list, that's strange; I even looked through the log files of pfblocker

                          fgrep "verisign" /var/log/pfblocker -R
                          

                          nothing found so far

                            • Gertjan @jdeloach

                              Hmmmmmm

                              [2.4.5-RELEASE][root@pfsense.brit-hotel-fumel.net]/root: grep "verisign" /var/db/pfblockerng/dnsbl/*.txt /var/db/pfblockerng/dnsblorig/*.orig /var/unbound/pfb_dnsbl.conf /usr/local/pkg/pfblockerng/dnsbl_tld
                              /var/db/pfblockerng/dnsblorig/MVPS.orig:0.0.0.0 verisignwildcard.112.2o7.net #[sitefinder.verisign.com]
                              /var/db/pfblockerng/dnsblorig/OISD.orig:0.0.0.0 oracleverisign.com
                              /var/db/pfblockerng/dnsblorig/OISD.orig:0.0.0.0 verisign.bfast.com
                              /var/db/pfblockerng/dnsblorig/OISD.orig:0.0.0.0 verisign.tt.omtrdc.net
                              /var/db/pfblockerng/dnsblorig/OISD.orig:0.0.0.0 verisignwildcard.112.2o7.net
                              /var/db/pfblockerng/dnsblorig/OISD.orig:0.0.0.0 www.oracleverisign.com
                              /var/db/pfblockerng/dnsblorig/SWC.orig:#127.0.0.1 sitefinder.verisign.com       # Verisign has joined the game
                              /var/db/pfblockerng/dnsblorig/SWC.orig:#127.0.0.1 sitefinder-idn.verisign.com   # of trying to hijack mistyped
                              /var/db/pfblockerng/dnsblorig/SWC.orig:127.0.0.1 verisignwildcard.112.2o7.net
                              /var/db/pfblockerng/dnsblorig/oisd_nl.orig:verisign.bfast.com
                              /var/db/pfblockerng/dnsblorig/oisd_nl.orig:verisign.tt.omtrdc.net
                              /var/db/pfblockerng/dnsblorig/oisd_nl.orig:verisignwildcard.112.2o7.net
                              

                              S 2 Replies Last reply Reply Quote 0
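
Added example (not part of any post in this thread): the grep output above includes substring look-alikes such as oracleverisign.com and commented-out lines, so this sketch parses hosts-style feed lines and reports only entries that equal the queried name or one of its parent domains. The function names, the sample files and the parent-domain matching are assumptions made for illustration; on a firewall, the files to pass would be the feed files named in the grep command above.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: find_feed_hits NAME FILE...
# Prints "file<TAB>exact|parent<TAB>entry" for every feed entry that is NAME
# itself or a parent domain of NAME. Comments and substring look-alikes
# (which a plain grep also returns) are ignored.
find_feed_hits() {
    name=$1; shift
    awk -v name="$name" '
    BEGIN {
        OFS = "\t"
        name = tolower(name); sub(/\.$/, "", name)
        n = split(name, lab, ".")
        # Candidates: the name and every parent with at least two labels.
        for (i = 1; i < n; i++) {
            c = lab[i]
            for (j = i + 1; j <= n; j++) c = c "." lab[j]
            want[c] = (i == 1) ? "exact" : "parent"
        }
    }
    {
        sub(/#.*/, "")              # drop full-line and trailing comments
        if (NF == 0) next
        d = tolower($NF)            # "0.0.0.0 host" and bare "host" lines
        sub(/\.$/, "", d)
        if (d in want) print FILENAME, want[d], d
    }' "$@"
}

# Constructed sample feeds. A.orig and B.orig use line formats seen in the
# grep output above; C.orig is a made-up feed that lists a parent domain.
demo_feed_hits() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '0.0.0.0 verisignwildcard.112.2o7.net #[sitefinder.verisign.com]' > "$dir/A.orig"
    printf '%s\n' '0.0.0.0 oracleverisign.com' \
        '#127.0.0.1 seal.verisign.com  # commented out' > "$dir/B.orig"
    printf '%s\n' 'example-cdn.test' '127.0.0.1 verisign.com' > "$dir/C.orig"
    (cd "$dir" && find_feed_hits "$1" A.orig B.orig C.orig)
    rm -rf "$dir"
}

demo_feed_hits seal.verisign.com
```

If the queried name itself returns nothing, running the same check on each alias shown by nslookup covers the case where a feed lists a CNAME target instead.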
                                  • scorpoin

                                    @gertjan Well, strange: after moving to the latest 3.0.0.8 pfblockerng-devel, things have changed.

                                    nslookup facebook.com
                                    Server:  pfSense.local.landomain
                                    Address:  172.16.159.254
                                    
                                    Name:    facebook.com
                                    Addresses:  ::10.10.10.1
                                              10.10.10.1
                                    

                                    When accessing it via the browser I'm able to browse Facebook, YouTube etc., which were blocked in the older version :/ . Do I need any extra config to make it work? I'm using unresolver as DNS, should I disable it?

                                    Stopping Unbound Resolver..............................
                                    Additional mounts (DNSBL python):
                                      No changes required.
                                    Starting Unbound Resolver.
                                    DNSBL enabled FAIL  *** Fix error(s) and a Force Reload required! ***
                                    
                                    
                                    ====================
                                    
                                    [1610791470] unbound[39902:0] error: bind: address already in use
                                    [1610791470] unbound[39902:0] fatal error: could not open ports
                                    

                                    Now revert back the setting to unbound from python.
                                    Regards
