Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNSBL Groups not filtering

    Scheduled Pinned Locked Moved
    pfBlockerNG
    2
    2
    370
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rgelfand
      last edited by

      I have setup easylist dnsbl as follows dbfa7192-a68d-4f04-81a3-f01a43d78c88-image.png

      nslookup vungle.com resolves to 10.10.10.1. This should cause a block page to appear. However, it does bring up the page.

      My topology is wan ---- cable router ---- netgate 1100 ---- lan

      Only netgate 1100 can do wan dns lookup and dns lookups from lan to wan are blocked.

      Would anyone have a suggestion how to troubleshoot this. Any help is appreciated.

      Thanks in advance.

      Roman

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @rgelfand
        last edited by

        @rgelfand said in DNSBL Groups not filtering:

        nslookup vungle.com resolves to 10.10.10.1.

        So, you're fine ;)

        As you already know, "10.10.10.1" is what can be considered as a virtual IP(RFC1918) hosted on pfSense.
        You can see it using http (not https) access :

        06465bc5-a42c-4263-af7a-081ab97b4ee6-image.png

        A https access will produce a browser depended error message.

        759306e9-fba1-4533-b78d-9ec5fe0f058c-image.png

        To understand the 'none' issue, you have to know what https or TLS actually means, and how browsers these days related handle failures.

        Short example :

        You blacklist (DNSBL) twitter.
        For reasons you totally already understand, twister can only be accessed using https, not http.
        Open a browser, type www.twitter.com and you see .... a failure and certianly not the first image I showed above.
        You were not - and your browser focs you to - visit twitter using http.
        It was https.

        And now the good one : you can't "break" https. No one can.
        So, yes, your browser, upon an initial DNS request, receives 10.10.10.1, the browser connects on that IP, using port 443.
        First of all, the browser asked for certificate info.
        In this certificate, it has to find that states it's "*.twitter.com". Thats what https (TLS) is all about.

        Now, I ask you, does your pfBlockerNG-devel has the certicate that says it's ".twitter.com" ? ;) (Can you have it ??)
        Rephrase that.
        Are you "        .twitter.com". ?
        No.

        The browser hangs up right away. And this means that all blocked DNSBL will not show you the nice image (see above) but a browser that complains, saying that there are protocol errors.
        It will only work for plain old "http" accesses and redirects. And these do not exist any more.
        Because, again, if you want to visit https://yourbank.tld you can not get redirected to https://thefakebankurl.tld

        Now you understand why I use :

        ed983b2c-99e8-4c6a-86ff-927144fb2655-image.png

        I'm not redirecting to the "10.10.10.1" nice page - but answer a "0.0.0.0" which will make the browser show a message that the requested site "has no DNS" (or some DNS issue) which is actually true.

        The most simple answer : Just forget about :

        06465bc5-a42c-4263-af7a-081ab97b4ee6-image.png

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 1
        • First post
          Last post