Netgate Discussion Forum
Pfblocker (DNSBL) and android amazon app (android web viewer) issue "SOLVED"

  • S
    scorpious
    last edited by Dec 6, 2016, 11:29 PM Dec 6, 2016, 6:35 PM

    Hi all,

    I seem to have an issue loading Amazon via the Android app. The app loads up but does not display content; it briefly displays the Amazon content, but then loads up with an update Android System WebView error.

    I have tried to uninstall the WebView and reinstall it. It still doesn't work. The Amazon app works fine on LTE/other WiFi networks.

    pfSense is strictly Ethernet; the LAN is connected via an access point.

    I do not have issues running the Amazon app on Kindle or Windows 10, it's only on Android.

    I have pfBlocker and Snort running.

    From what I have gathered, the DNSBL, when enabled, prevents the Android web viewer from displaying content; when I disable DNSBL it works. Is there some kind of whitelist or parameter that needs to be entered to get this working?
    DNSBL has the usual EasyList applied and Alexa whitelist with IP firewall setting denied to both.

    Any suggestions on how to set up pfSense to get Amazon working again?

    thanks

    ashish

    • F
      f34rinc
      last edited by Dec 6, 2016, 6:56 PM

      What does the alerts tab for pfBlockerNG show?  Scroll down to the bottom and DNSBL alerts will be visible, click the + sign next to a blocked item to add it to the whitelist.

      • S
        scorpious
        last edited by Dec 6, 2016, 7:39 PM

        I found the following info for the Alert, and added the info to white list. Ran Update/Cron/Reload.

        I still have the issue.

        ![Firewall_ pfBlockerNG_ Alerts.jpg](/public/imported_attachments/1/Firewall_ pfBlockerNG_ Alerts.jpg)
        ![Firewall_ pfBlockerNG_ DNSBL.jpg](/public/imported_attachments/1/Firewall_ pfBlockerNG_ DNSBL.jpg)
        • D
          doktornotor Banned
          last edited by Dec 6, 2016, 7:57 PM

          Post the output of

          
          grep amazon /var/unbound/pfb_dnsbl.conf
          
          
          • S
            scorpious
            last edited by Dec 6, 2016, 8:22 PM

            local-data: "amazon-adsystem.com 60 IN A 10.10.10.1"
            local-data: "amazon-cornerstone.com 60 IN A 10.10.10.1"
            local-data: "amazonily.com 60 IN A 10.10.10.1"
            local-data: "assoc-amazon.ca 60 IN A 10.10.10.1"
            local-data: "assoc-amazon.co.uk 60 IN A 10.10.10.1"
            local-data: "assoc-amazon.com 60 IN A 10.10.10.1"
            local-data: "assoc-amazon.de 60 IN A 10.10.10.1"
            local-data: "assoc-amazon.es 60 IN A 10.10.10.1"
            local-data: "assoc-amazon.fr 60 IN A 10.10.10.1"
            local-data: "assoc-amazon.it 60 IN A 10.10.10.1"
            local-data: "aan.amazon.com 60 IN A 10.10.10.1"
            local-data: "aax-eu.amazon-adsystem.com 60 IN A 10.10.10.1"
            local-data: "aax-us-east.amazon-adsystem.com 60 IN A 10.10.10.1"
            local-data: "aax-us-pdx.amazon-adsystem.com 60 IN A 10.10.10.1"
            local-data: "adagiobanner.s3.amazonaws.com 60 IN A 10.10.10.1"
            local-data: "dra.amazon-adsystem.com 60 IN A 10.10.10.1"
            local-data: "fls-na.amazon.com 60 IN A 10.10.10.1"
            local-data: "ir-na.amazon-adsystem.com 60 IN A 10.10.10.1"
            local-data: "mobileanalytics.us-east-1.amazonaws.com 60 IN A 10.10.10.1"
            local-data: "mobileanalytics.us-east-2.amazonaws.com 60 IN A 10.10.10.1"
            local-data: "mobileanalytics.us-west-1.amazonaws.com 60 IN A 10.10.10.1"
            local-data: "mobileanalytics.us-west-2.amazonaws.com 60 IN A 10.10.10.1"
            local-data: "rcm-images.amazon.com 60 IN A 10.10.10.1"
            local-data: "rcm-it.amazon.it 60 IN A 10.10.10.1"
            local-data: "sdogiu.bestamazontips.com 60 IN A 10.10.10.1"
            local-data: "uedata.amazon.com 60 IN A 10.10.10.1"
            local-data: "aax-us-west.amazon-adsystem.com 60 IN A 10.10.10.1"
            local-data: "admarvel.s3.amazonaws.com 60 IN A 10.10.10.1"
            local-data: "campaign-tapad.s3.amazonaws.com 60 IN A 10.10.10.1"
            local-data: "html5adkit.plusmo.s3.amazonaws.com 60 IN A 10.10.10.1"
            local-data: "iacpromotion.s3.amazonaws.com 60 IN A 10.10.10.1"
            local-data: "inneractive-assets.s3.amazonaws.com 60 IN A 10.10.10.1"
            local-data: "strikeadcdn.s3.amazonaws.com 60 IN A 10.10.10.1"

            • D
              doktornotor Banned
              last edited by Dec 6, 2016, 9:23 PM

              Eh, stick something like

              
              .s3.amazonaws.com
              
              

              to the whitelist?

              • R
                RonpfS
                last edited by Dec 6, 2016, 10:35 PM

                Did you use the "+" icon to whitelist s.amazon-adsystem.com? This will also whitelist any CNAME.

                Or remove the leading "." and just put

                s.amazon-adsystem.com
                

                2.4.5-RELEASE-p1 (amd64)
                Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                • S
                  scorpious
                  last edited by Dec 6, 2016, 10:37 PM

                  I tried to enter that in the custom list, but it did not seem to have any effect.

                  Digging into it further, I turned off the DNSBL feed "someonewhocares" ad blocking, and the Amazon Android web service worked.

                  Further down the list, the check mark for the Alexa whitelist was turned off. So when I checked that and restarted DNSBL, Amazon AWS was working, except for pages that did not have ads "like order page" and few others, but not the home page.

                  so I made the following change to the custom white list in DNSLB

                  .amazonaws.com
                  .amazon-adsystem.com

                  and reran the UPDATE. Amazon AWS works like a charm. no issues.

                  I suppose I can consider this Thread SOLVED.

                  Thanks a lot for your help.

                  Ashish

                  ![DNSBL Feeds - pfSense.jpg](/public/imported_attachments/1/DNSBL Feeds - pfSense.jpg)
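
Added example, not part of the original posts and not pfBlockerNG code: a small check of how many sinkholed names a whitelist entry releases, run over `local-data:` lines in the format of the grep output posted earlier in the thread. It assumes that a leading "." matches the domain and all of its subdomains and that an entry without the dot matches that one name only; the function names are hypothetical.

```python
import re

# Sample input: a few lines in the format of the grep output posted above.
SAMPLE_CONF = '''\
local-data: "amazon-adsystem.com 60 IN A 10.10.10.1"
local-data: "aax-us-east.amazon-adsystem.com 60 IN A 10.10.10.1"
local-data: "aan.amazon.com 60 IN A 10.10.10.1"
local-data: "fls-na.amazon.com 60 IN A 10.10.10.1"
local-data: "adagiobanner.s3.amazonaws.com 60 IN A 10.10.10.1"
local-data: "mobileanalytics.us-east-1.amazonaws.com 60 IN A 10.10.10.1"
local-data: "strikeadcdn.s3.amazonaws.com 60 IN A 10.10.10.1"
local-data: "sdogiu.bestamazontips.com 60 IN A 10.10.10.1"
'''

# One unbound local-data A record: name, TTL, class, type, sinkhole address.
LOCAL_DATA = re.compile(r'^\s*local-data:\s*"(\S+)\s+\d+\s+IN\s+A\s+(\S+)"\s*$')


def sinkholed_domains(conf_text):
    """Return the names the DNSBL config answers with its sinkhole address."""
    domains = []
    for line in conf_text.splitlines():
        m = LOCAL_DATA.match(line)
        if m:
            domains.append(m.group(1).lower().rstrip("."))
    return domains


def parse_whitelist(text):
    """Parse whitelist lines, dropping '# ...' comments -> [(name, wildcard)]."""
    entries = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if entry:
            entries.append((entry.lstrip("."), entry.startswith(".")))
    return entries


def unblocked_by(entries, domains):
    """Map each whitelist entry to the sinkholed names it would release.

    Assumption: a leading "." covers the domain and every subdomain.
    """
    report = {}
    for name, wildcard in entries:
        key = ("." if wildcard else "") + name
        report[key] = [d for d in domains
                       if d == name or (wildcard and d.endswith("." + name))]
    return report


if __name__ == "__main__":
    wl = parse_whitelist(".amazonaws.com\n.amazon-adsystem.com\naan.amazon.com # narrow\n")
    for entry, hits in unblocked_by(wl, sinkholed_domains(SAMPLE_CONF)).items():
        print(f"{entry:22} releases {len(hits)}: {', '.join(hits)}")
```

Running it against the full `/var/unbound/pfb_dnsbl.conf` shows how much of the blocklist a wildcard entry such as `.amazonaws.com` disables compared with a single host name.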
                  • B
                    bchow
                    last edited by Sep 14, 2017, 12:22 AM

                    This is an old thread, but I have this working as of 9/15/17 for the Amazon app. There was one domain not showing up in the DNSBL logs/alerts that I found in the main firewall, and that was googleapis.com. Here is my current whitelist that allows Plex and the Amazon Android app to work.

                    .amazonaws.com
                    .amazon-adsystem.com
                    .amazon.com
                    .ssl.google-analytics.com
                    .ssl-google-analytics.l.google.com # CNAME for (ssl.google-analytics.com)
                    .www.google-analytics.com
                    .www-google-analytics.l.google.com # CNAME for (www.google-analytics.com)
                    .www.googleadservices.com
                    .plex.tv
                    .gravatar.com
                    .thetvdb.com
                    .themoviedb.com
                    .googleapis.com # 172.217.3.202 is important for amazon app to work
                    .1e100.net # cname? altname? for googleapis.com

                    • T
                      thezfunk
                      last edited by Nov 27, 2017, 12:13 AM

                      Running into this exact problem and I tried everything I see in this thread to no avail. Do I have to refresh something when I add something to the whitelist?

                      • S
                        silverhair
                        last edited by Dec 12, 2017, 5:05 PM

                        I used the posted whitelist above, and the Amazon app works.

                        @thezfunk, where did you add your whitelist? 
                        Under Firewall -> pfBlockerNG -> DNSBL there are two options, the "Custom Domain Whitelist" and the "TLD Whitelist". 
                        Which did you use?

                        After you've updated the list, you'll need to wait ten minutes for the cronjob to update the lists, or force the list to update manually.  Did you wait long enough?

                        • L
                          lordbob75
                          last edited by Dec 12, 2017, 6:38 PM Dec 12, 2017, 6:26 PM

                          I'm having this issue as well.  Added the entire list posted a couple comments up by silverhair, but still closes the login screen constantly.

                          Silverhair asked about which whitelist, I thought it was the Custom Domain Whitelist.  Should it be the TLD one instead?

                          Edit:  Did not realize that the update didn't push changes and needed to reload it instead.  Able to log into the app now.  Thanks to Silverhair for the list.  May have to try removing lines one at a time until it stops working though.

                          • B
                            BSA66
                            last edited by Jan 28, 2019, 11:19 AM

                            I was just running into a similar issue (Amazon Android App not working)

                            My shortly added Domain Whitelists are the following:

                            .c.amazon-adsystem.com # Amazon Advertisements
                            .d1ykf07e75w7ss.cloudfront.net # CNAME for (c.amazon-adsystem.com)
                            .fls-eu.amazon.de
                            .fls-eu.amazon.com # CNAME for (fls-eu.amazon.de)
                            .gateway.prod.eu-west-1.forester.a2z.com # CNAME for (fls-eu.amazon.de)
                            .endpoint.prod.eu-west-1.forester.a2z.com # CNAME for (fls-eu.amazon.de)
                            .mads.amazon-adsystem.com # Amazon Adsystem Mads
                            .amazon-adsystem.com # Amazon Adsystem MADS

                            As you see it is a little bit unsorted what I track back to my whitelisting flow... You should not just copy & paste it as in your region and on your phone / setup / yet added Domains on the Whitelist it may work or even not work.

                            The process is easy.

                            • run your apps and keep about 5-10 secs after reload the DNSBL Alert Tab
                            • check for potentially corresponding Domains
                            • whitelist them**

                            ** First I added them manually to the Domain Whitelist which did not work (I guess the CNAMEs might have been missing...)
                            It is uncomfortable to whitelist them automatically by the + Sign as every Alert Tab Reload takes Ages to reload...
                            But anyway, at least it was necessary for me to get the CNAMEs, too, as it did not seem to work without them.
                            BTW this is also the reason why the List seems to be so unsorted, I added several before the automatic initiated Alert Tab Reload (and maybe the hidden but initiated Reload-DNSBL for adding the new Entries) accomplished.

                            • A
                              aaronhong13
                              last edited by Feb 27, 2019, 2:14 AM

                              Not sure if this is still an ongoing issue, but posting in case someone else finds this thread with the same question.

                              Adding this fixed the app for me. No more "Something has gone wrong" messages. If any other issues come up, I will update this post.

                              DNSBL Whitelist
                              .aan.amazon.com

                              • V
                                viskalpiskal
                                last edited by Nov 9, 2019, 11:24 AM

                                Old thread, created an account to help others
                                from uk here, managed to fix it as per BSA66 suggestion, loading the app and looking at the DNSBL Alert tab for my phone

                                saw, z.moatads.com
                                and then whitelisted it
                                now have several whitelist domains
                                z.moatads.com # z.motads
                                www.z.moatads.com # z.motads
                                wildcard.moatads.com.edgekey.net # CNAME for (z.moatads.com)
                                e13136.g.akamaiedge.net # CNAME for (z.moatads.com)

                                Hopefully this will fix the problem for you.

                                • J
                                  jjneff
                                  last edited by Jun 27, 2020, 5:55 PM

                                  Hey all,
                                  I read this somewhere else for a non-pfSense oriented fix. If your phone allows it, change the app settings to only allow it to use cell data. Obviously this doesn't help if you HAVE to use WiFi, but it also doesn't help your network's security to whitelist all these URLs for the sake of one device/app imo. I figured it would be a helpful consideration for those it may apply to.

                                  • B
                                    bandit8623
                                    last edited by Nov 21, 2020, 5:40 PM

                                    aan.amazon.com

                                    is the 1 that needs to be added only to stop the uh oh in the amazon app

                                    • noplanN
                                      noplan @bandit8623
                                      last edited by Nov 25, 2020, 7:45 AM

                                      @bandit8623

                                      true statement the only one needed to fix uh oh

                                      aan.amazon.com

                                        • P
                                          pulsartiger
                                          last edited by Jul 16, 2021, 2:42 AM

                                          I have this issue also with pfblocker and the Amazon app (Android). I whitelist the domains that I saw in the report log but I still have the dog screen come up stating "UH-OH Something went wrong on our end." What's odd is that this only happens when searching and it only happens when searching certain terms. Has anyone found the exact domains to whitelist? (aan.amazon.com did not do it for me)
