Pfblocker (DNSBL) and android amazon app (android web viewer) issue "SOLVED"



  • Hi all,

    I seem to have a issue loading amazon via the android app. the app loads up, but does not display content, it briefly displays the amazon content, but then loads up with an update android system webview error.

    I have tried to uninstall the webview and reinstall it. still doesn't work. Amazon app works fine on LTE/other wifi networks.

    pfsense is strictly Ethernet, the LAN is connected via a access point.

    I do not have issues running amazon app running via kindle or windows 10, its only on android.

    I have pfblocker and snort running.

    From what I have gathered is, the DNSBL when enabled prevents the android web viewer to display content, when I disable DNSBL it works. is there some kind of a whitelist or parameter that needs to be entered to get this working?
    DNSl BL has the usual easylist applied and Alexa whitelist with IP firewall setting denied to both.

    any suggestions on how to setup pfsense to get amazon working again?

    thanks

    ashish



  • What does the alerts tab for pfBlockerNG show?  Scroll down to the bottom and DNSBL alerts will be visible, click the + sign next to a blocked item to add it to the whitelist.



  • I found the following info for the Alert, and added the info to white list. Ran Update/Cron/Reload.

    I still have the issue.

    ![Firewall_ pfBlockerNG_ Alerts.jpg](/public/imported_attachments/1/Firewall_ pfBlockerNG_ Alerts.jpg)
    ![Firewall_ pfBlockerNG_ Alerts.jpg_thumb](/public/imported_attachments/1/Firewall_ pfBlockerNG_ Alerts.jpg_thumb)
    ![Firewall_ pfBlockerNG_ DNSBL.jpg](/public/imported_attachments/1/Firewall_ pfBlockerNG_ DNSBL.jpg)
    ![Firewall_ pfBlockerNG_ DNSBL.jpg_thumb](/public/imported_attachments/1/Firewall_ pfBlockerNG_ DNSBL.jpg_thumb)


  • Banned

    Post the output of

    
    grep amazon /var/unbound/pfb_dnsbl.conf
    
    


  • local-data: "amazon-adsystem.com 60 IN A 10.10.10.1"
    local-data: "amazon-cornerstone.com 60 IN A 10.10.10.1"
    local-data: "amazonily.com 60 IN A 10.10.10.1"
    local-data: "assoc-amazon.ca 60 IN A 10.10.10.1"
    local-data: "assoc-amazon.co.uk 60 IN A 10.10.10.1"
    local-data: "assoc-amazon.com 60 IN A 10.10.10.1"
    local-data: "assoc-amazon.de 60 IN A 10.10.10.1"
    local-data: "assoc-amazon.es 60 IN A 10.10.10.1"
    local-data: "assoc-amazon.fr 60 IN A 10.10.10.1"
    local-data: "assoc-amazon.it 60 IN A 10.10.10.1"
    local-data: "aan.amazon.com 60 IN A 10.10.10.1"
    local-data: "aax-eu.amazon-adsystem.com 60 IN A 10.10.10.1"
    local-data: "aax-us-east.amazon-adsystem.com 60 IN A 10.10.10.1"
    local-data: "aax-us-pdx.amazon-adsystem.com 60 IN A 10.10.10.1"
    local-data: "adagiobanner.s3.amazonaws.com 60 IN A 10.10.10.1"
    local-data: "dra.amazon-adsystem.com 60 IN A 10.10.10.1"
    local-data: "fls-na.amazon.com 60 IN A 10.10.10.1"
    local-data: "ir-na.amazon-adsystem.com 60 IN A 10.10.10.1"
    local-data: "mobileanalytics.us-east-1.amazonaws.com 60 IN A 10.10.10.1"
    local-data: "mobileanalytics.us-east-2.amazonaws.com 60 IN A 10.10.10.1"
    local-data: "mobileanalytics.us-west-1.amazonaws.com 60 IN A 10.10.10.1"
    local-data: "mobileanalytics.us-west-2.amazonaws.com 60 IN A 10.10.10.1"
    local-data: "rcm-images.amazon.com 60 IN A 10.10.10.1"
    local-data: "rcm-it.amazon.it 60 IN A 10.10.10.1"
    local-data: "sdogiu.bestamazontips.com 60 IN A 10.10.10.1"
    local-data: "uedata.amazon.com 60 IN A 10.10.10.1"
    local-data: "aax-us-west.amazon-adsystem.com 60 IN A 10.10.10.1"
    local-data: "admarvel.s3.amazonaws.com 60 IN A 10.10.10.1"
    local-data: "campaign-tapad.s3.amazonaws.com 60 IN A 10.10.10.1"
    local-data: "html5adkit.plusmo.s3.amazonaws.com 60 IN A 10.10.10.1"
    local-data: "iacpromotion.s3.amazonaws.com 60 IN A 10.10.10.1"
    local-data: "inneractive-assets.s3.amazonaws.com 60 IN A 10.10.10.1"
    local-data: "strikeadcdn.s3.amazonaws.com 60 IN A 10.10.10.1"


  • Banned

    Eh, stick something like

    
    .s3.amazonaws.com
    
    

    to the whitelist?



  • Did you use the "+" icon to whitelist s.amazon-adsystem.com? This will also whitelist any CNAME.

    Or remove the leading "." and just put

    s.amazon-adsystem.com
    


  • I tried to enter that in the custom list, but it did not seem to have any affect.

    digging into it further I turned off the DNSLB feed "someonewhocares" ad blocking. and Amazon android web service worked.

    further down the list the check mark for Alexa white list was turned off. so when I checked that and restarted DNSLB. Amazon AWS was working, expect for pages that did not have ads "like order page" and few others, but not the home page.

    so I made the following change to the custom white list in DNSLB

    .amazonaws.com
    .amazon-adsystem.com

    and reran the UPDATE. Amazon AWS works like a charm. no issues.

    I suppose I can consider this Thread SOLVED.

    Thanks a lot for your help.

    Ashish

    ![DNSBL Feeds - pfSense.jpg](/public/imported_attachments/1/DNSBL Feeds - pfSense.jpg)
    ![DNSBL Feeds - pfSense.jpg_thumb](/public/imported_attachments/1/DNSBL Feeds - pfSense.jpg_thumb)



  • This is an old thread, but I have this working as of 9/15/17 for the Amazon app.  There was one one domain not showing up in the DNSBL logs/alerts that I found in the main firewall, and that was googleapis.com.  Here is my current whitelist that allows plex, and the amazon android app to work.

    .amazonaws.com
    .amazon-adsystem.com
    .amazon.com
    .ssl.google-analytics.com
    .ssl-google-analytics.l.google.com # CNAME for (ssl.google-analytics.com)
    .www.google-analytics.com
    .www-google-analytics.l.google.com # CNAME for (www.google-analytics.com)
    .www.googleadservices.com
    .plex.tv
    .gravatar.com
    .thetvdb.com
    .themoviedb.com
    .googleapis.com # 172.217.3.202 is important for amazon app to work
    .1e100.net # cname? altname? for googleapis.com



  • Running into this exact problem and I tried everything I see  in this thread to no avail.  Do I have to refresh something when I add something to the whitelist?



  • I used the posted whitelist above, and the Amazon app works.

    @thezfunk, where did you add your whitelist? 
    Under Firewall -> pfBlockerNG -> DNSBL there are two options, the "Custom Domain Whitelist" and the "TLD Whitelist". 
    Which did you use?

    After you've updated the list, you'll need to wait ten minutes for the cronjob to update the lists, or force the list to update manually.  Did you wait long enough?



  • I'm having this issue as well.  Added the entire list posted a couple comments up by silverhair, but still closes the login screen constantly.

    Silverhair asked about which whitelist, I thought it was the Custom Domain Whitelist.  Should it be the TLD one instead?

    Edit:  Did not realize that the update didn't push changes and needed to reload it instead.  Able to log into the app now.  Thanks to Silverhair for the list.  May have to try removing lines one at a time until it stops working though.



  • I was just running into a similar issue (Amazon Android App not working)

    My shortly added Domain Whitelists are the following:

    .c.amazon-adsystem.com # Amazon Advertisements
    .d1ykf07e75w7ss.cloudfront.net # CNAME for (c.amazon-adsystem.com)
    .fls-eu.amazon.de
    .fls-eu.amazon.com # CNAME for (fls-eu.amazon.de)
    .gateway.prod.eu-west-1.forester.a2z.com # CNAME for (fls-eu.amazon.de)
    .endpoint.prod.eu-west-1.forester.a2z.com # CNAME for (fls-eu.amazon.de)
    .mads.amazon-adsystem.com # Amazon Adsystem Mads
    .amazon-adsystem.com # Amazon Adsystem MADS

    As you see it is a little bit unsorted what I track back to my whitelisting flow... You should not just copy & paste it as in your region and on your phone / setup / yet added Domains on the Whitelist it may work or even not work.

    The process is easy.

    • run your apps and keep about 5-10 secs after reload the DNSBL Alert Tab
    • check for potentially corresponding Domains
    • whitelist them**

    ** First I added them manually to the Domain Whitelist which did not work (I guess the CNAMEs might have been missing...)
    It is uncomfortable to whitelist them automatically by the + Sign as every Alert Tab Reload takes Ages to reload...
    But anyway, at least it was necessary for me to get the CNAMEs, too, as it did not seem to work without them.
    BTW this is also the reason why the List seems to be so unsorted, I added several before the automatic initiated Alert Tab Reload (and maybe the hidden but initiated Reload-DNSBL for adding the new Entries) accomplished.



  • Not sure if this is still an ongoing issue, but posting incase someone else finds this thread with the same question.

    Adding this fixed the app for me. No more "Something has gone wrong messages". If any other issues come up, I will update this post.

    DNSBL Whitelist
    .aan.amazon.com


Log in to reply