Cert error - tracker.h3x.eu



  • Using this list in DNSBL https://tracker.h3x.eu/api/sites_1month.php I am getting cert errors on certain sites. For example, I can't access GitHub if using this list as it gives the "Your connection is not secure" message. Disable the list and it works fine. Searching the list shows entries like "****://github.com/gentilkiwi/mimikatz/releases/download/2.0.0-alpha-20141213/mimikatz_trunk.7z". Why would this be causing a cert error for all of GitHub though?



  • Sounds like it might be related to the same issue as here https://forum.pfsense.org/index.php?topic=124945.0
    However, I am not using Safari, I'm using Firefox. It actually does the same thing in IE and Edge browsers.


  • Moderator

    When you try to browse to an HTTPS site that is being blocked by DNSBL, the browser can throw a cert error, as the DNSBL Certificate doesn't match the Domain name being requested. DNSBL is not attempting to MITM these blocked domains as its sole purpose is to quickly have the browser drop the request for these blocked domains.

    Some of these feeds post URLs that contain malware, however, some of these sites are also considered false positives... If you never have any use to go to Dropbox or GitHub, then you can safely keep those Domains listed in DNSBL. However, if these sites are required for your use, you will need to add them to the DNSBL Whitelist. Click on the "+" DNSBL Whitelist in the Alerts tab to have it automatically whitelist it for you...

    The next version of the package will have an option to add all or certain user selected domains to a custom DNSBL list that will utilize 0.0.0.0 instead of the DNSBL VIP. This will just drop those DNS requests without logging, and without the Certificate Failure notice.



  • Makes sense. Thanks for the explanation and all the work you put into this.

    Am I correct in assuming it's not possible to block, say, github.com/gentilkiwi/mimikatz/releases/download/2.0.0-alpha-20141213/ but not block github.com itself?


  • Moderator

    @justsomeguy6575:

    Makes sense. Thanks for the explanation and all the work you put into this.

    Am I correct in assuming it's not possible to block, say, github.com/gentilkiwi/mimikatz/releases/download/2.0.0-alpha-20141213/ but not block github.com itself?

    No, DNS Filtering (DNSBL) will block the full domain or sub-domain DNS resolution... You would have to use a Proxy to filter by a URL.
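
Added example (not part of the thread, and not pfBlockerNG code): a sketch of why a URL-based feed over-blocks under DNS filtering. It reduces each feed entry to the hostname a DNS blocklist can act on and reports hosts that were listed only by a specific file path, which are the candidates to review for whitelisting; the sample feed lines and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample feed lines (not real feed output). Schemes are defanged
# in the same style as the entry quoted in the thread.
SAMPLE_FEED = """\
****://github.com/example-user/example-tool/releases/download/v1/tool.7z
hxxp://files.example.net/payload.exe
hxxp://malware-only.example.org/
bad-domain.example.com
"""

def host_of(entry):
    """Return (hostname, path): the hostname is all a DNS blocklist can act on."""
    # Drop any (possibly defanged) scheme so urlsplit always sees "//host/path".
    rest = entry.strip().split("://", 1)[-1]
    parts = urlsplit("//" + rest)
    host = (parts.hostname or "").rstrip(".").lower()
    return host, parts.path

def collapse_feed(text):
    """Map each hostname to the set of URL paths discarded to reach it."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comment lines
        host, path = host_of(line)
        if host:
            hosts[host].add(path)
    return dict(hosts)

def overblock_candidates(hosts):
    """Hosts listed only via specific paths: DNS filtering blocks the whole host."""
    return sorted(h for h, paths in hosts.items()
                  if all(p not in ("", "/") for p in paths))

if __name__ == "__main__":
    for h in overblock_candidates(collapse_feed(SAMPLE_FEED)):
        print(f"{h}: listed only by URL path; DNSBL would block the entire host")
```

Hosts the script reports are not necessarily false positives; they are the entries where the feed's path-level detail is lost and the block applies to every URL on that host.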