DNSBL - Blocking of iOS App Downloads



  • Can't seem to figure this one out.  With DNSBL enabled, I am unable to download / update iOS apps on any of my iOS devices.  Works fine with DNSBL disabled.  See attached image of the alert that gets generated in DNSBL.  What I can't figure out is which list is generating the block and even adding the domain to the whitelist doesn't resolve the issue.  Hovering over the 'plus' sign, says "This Domain is already in the DNSBL WhiteList" and it won't let me add it again.

    I guess I could disable every list until I figure out which one is causing the problem, but hoping someone has some tips  on an easier way of identifying which list is generating the block.  Also, would be good to better understand why it's still getting blocked even if it's defined in the WhiteList.  I also confirmed this is the only alert being generated when attempting to download/update iOS apps.
    ![DNSBL Alert.JPG](/public/imported_attachments/1/DNSBL Alert.JPG)



  • Not much information provided with only 1 alert! :o

    ; <<>> DiG 9.11.0-P3 <<>> iosapps.itunes.apple.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15500
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;iosapps.itunes.apple.com.	IN	A
    
    ;; ANSWER SECTION:
    iosapps.itunes.apple.com. 86399	IN	CNAME	iosapps.itunes.g.aaplimg.com.
    iosapps.itunes.g.aaplimg.com. 15 IN	A	17.253.11.201
    iosapps.itunes.g.aaplimg.com. 15 IN	A	17.253.11.203
    
    ;; Query time: 2278 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed May 17 19:18:51 EDT 2017
    ;; MSG SIZE  rcvd: 124
    

    So you might have to add the CNAMEs to Firewall / pfBlockerNG / DNSBL / DNSBL Whitelist.



  • Bingo!  Adding the CNAME entry to the white list resolved it.



  • When you click on the suppression icon, pfBlockerNG will Whitelist the domain and its CNAMEs.  8)

    If you do the suppression directly in the DNSBL Whitelist, you have to find the CNAMEs and add them to the list.  ;)
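
Added example, not part of any post above and not pfBlockerNG code: it follows the CNAME chain in the dig answer quoted in this thread, reports which feed lists each name in the chain, and returns the names still missing from the whitelist. The feed names and feed contents are constructed for illustration, and matching is assumed to be exact-name only.

```python
import re

# Answer section copied from the dig output quoted in this thread.
DIG_ANSWER = """\
iosapps.itunes.apple.com. 86399 IN CNAME iosapps.itunes.g.aaplimg.com.
iosapps.itunes.g.aaplimg.com. 15 IN A 17.253.11.201
iosapps.itunes.g.aaplimg.com. 15 IN A 17.253.11.203
"""

# Constructed feeds: hypothetical names and entries, not real list contents.
FEEDS = {
    "example_feed_a": {"ads.example.net", "iosapps.itunes.g.aaplimg.com"},
    "example_feed_b": {"tracker.example.org"},
}

# owner-name  TTL  IN  type  rdata
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")

def cname_chain(qname, answer):
    """Return qname followed by every CNAME target reached from it."""
    cnames = {}
    for line in answer.splitlines():
        m = RR.match(line.strip())
        if m and m.group(2).upper() == "CNAME":
            cnames[m.group(1).rstrip(".").lower()] = m.group(3).rstrip(".").lower()
    chain = [qname.rstrip(".").lower()]
    # Follow the chain; stop if a target repeats (CNAME loop).
    while chain[-1] in cnames and cnames[chain[-1]] not in chain:
        chain.append(cnames[chain[-1]])
    return chain

def feeds_listing(chain, feeds):
    """Map each name in the chain to the feeds that list it (exact match)."""
    return {n: sorted(f for f, doms in feeds.items() if n in doms) for n in chain}

def whitelist_entries(chain, whitelist):
    """Names in the chain that are not yet in the whitelist."""
    return [n for n in chain if n not in whitelist]

if __name__ == "__main__":
    chain = cname_chain("iosapps.itunes.apple.com", DIG_ANSWER)
    for name, hits in feeds_listing(chain, FEEDS).items():
        print(name, "->", ", ".join(hits) or "not listed")
    print("add to whitelist:", whitelist_entries(chain, {"iosapps.itunes.apple.com"}))
```
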