Netgate Discussion Forum

    Make Certificate Configurable

    pfBlockerNG | 5 Posts, 2 Posters, 873 Views
      FireFart

      Hi,
      would it be possible to make the certificate on the HTTPS server configurable (when blocking DNS requests)? You could either take a leaf certificate from the certificate manager or generate a new one on the fly using a configured CA and send the whole certificate chain along.
      This way the SSL errors would go away on machines that trust the custom CA when accessing a blocked site. Currently there is no way of trusting these errors to generate a smoother user experience and inform users what's going on.

        BBcan177 (Moderator)

        I'd rather not MITM and generate fake certs....

        In pfBlockerNG-devel, there is a new option to disable logging of domains and send the DNS request to 0.0.0.0, which will avoid the cert issue. So what you would do is make a new DNSBL Group and manually add the domains that are generating those cert issues to the DNSBL custom list. Set Logging to "disabled" and set the Order to Primary so that this group is processed first before the other DNSBL groups.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          FireFart

          Thanks for the answer.
          The problem is I'm using many lists and I don't know which of the domains will cause errors in the future and it would be a painful job to move them by hand if it happens.
          One popular case is Google Analytics. If you have GA on a DNSBL (as it's on almost every list) and someone wants to access the admin console of GA, you are presented with a certificate error and it's hard for the user to determine what's going on under the hood.

          So if I send the request to 0.0.0.0 will it still be blocked? If I route all of my DNSBL to 0.0.0.0 will it work as before or are there any disadvantages?

            BBcan177 (Moderator) @FireFart

            @firefart said in Make Certificate Configurable:

            So if I send the request to 0.0.0.0 will it still be blocked? If I route all of my DNSBL to 0.0.0.0 will it work as before or are there any disadvantages?

            I would expect there to be a handful of domains that cause this issue... The domain you listed is one of them.

            When you use 0.0.0.0 it will block the domain (static zone in Unbound) but it will not keep track of the blocked events in the Reports/Alerts Tabs.


              FireFart
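The workaround in the two moderator replies above (a Primary DNSBL group with logging disabled whose domains are sinkholed to 0.0.0.0 as a static Unbound zone, every other group still pointing at the DNSBL virtual IP whose web server triggers the certificate error) can be modelled in a few lines. The script below is an added example, not pfBlockerNG's own code; it assumes pfBlockerNG's default DNSBL VIP of 10.10.10.1 and uses Unbound's generic local-zone/local-data syntax rather than the exact file format pfBlockerNG writes. The sample domain lists are constructed for the example. It shows the part of the procedure that is easy to get wrong: when the same domain appears in several lists, the group order decides whether it is sinkholed to 0.0.0.0 (blocked, but never shown in Reports/Alerts) or to the VIP.

```python
"""Added example: render Unbound sinkhole entries from pfBlockerNG-style DNSBL groups.

Models the thread's advice: a Primary group with logging disabled sends its
domains to 0.0.0.0 (static zone, nothing reported); every other group points
at the DNSBL virtual IP, where the block page's certificate is not trusted by
clients. Group ordering decides which action wins for a domain listed twice.
The config line format is an assumption modelled on Unbound's local-zone /
local-data syntax, not pfBlockerNG's own generated file.
"""
from dataclasses import dataclass

DNSBL_VIP = "10.10.10.1"   # assumption: pfBlockerNG's default DNSBL VIP, left unchanged
NULL_SINK = "0.0.0.0"      # no listener: TCP connect fails before any TLS handshake


@dataclass(frozen=True)
class DnsblGroup:
    name: str
    domains: tuple           # raw entries as they appear in the list
    order: int = 1           # 0 = "Primary": processed before every other group
    logging: bool = True     # False = the "disabled" setting from the thread


def normalise(domain: str) -> str:
    """Lower-case, strip whitespace and a trailing dot so duplicates compare equal."""
    return domain.strip().lower().rstrip(".")


def sink_address(group: DnsblGroup) -> str:
    """Logging disabled means the 0.0.0.0 sinkhole; otherwise the DNSBL VIP."""
    return NULL_SINK if not group.logging else DNSBL_VIP


def resolve_actions(groups) -> dict:
    """Map each domain to (group name, sink IP); the first group in order wins."""
    actions = {}
    for group in sorted(groups, key=lambda g: g.order):
        for raw in group.domains:
            domain = normalise(raw)
            if domain and domain not in actions:
                actions[domain] = (group.name, sink_address(group))
    return actions


def render_unbound(actions: dict) -> str:
    """Emit one static local-zone plus its A record per blocked domain."""
    lines = []
    for domain in sorted(actions):
        _, ip = actions[domain]
        lines.append(f'local-zone: "{domain}." static')
        lines.append(f'local-data: "{domain}. A {ip}"')
    return "\n".join(lines) + "\n"


def unlogged_domains(actions: dict) -> list:
    """Domains sent to 0.0.0.0: still blocked, but absent from Reports/Alerts."""
    return sorted(d for d, (_, ip) in actions.items() if ip == NULL_SINK)


# Constructed sample lists for the example (not real feed data).
SAMPLE_GROUPS = (
    DnsblGroup("cert_quiet", ("google-analytics.com", "WWW.google-analytics.com."),
               order=0, logging=False),
    DnsblGroup("feed_a", ("google-analytics.com", "ads.example", "tracker.example.")),
    DnsblGroup("feed_b", ("ads.example", "telemetry.example"), order=2),
)

if __name__ == "__main__":
    acts = resolve_actions(SAMPLE_GROUPS)
    print(render_unbound(acts))
    print("blocked but not reported:", unlogged_domains(acts))
```

Running it prints the Unbound entries and the list of domains that will never appear in the alert reports, which is the trade-off the moderator points out: the quiet group removes the certificate error for those hosts only at the cost of visibility into how often they are hit.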

              Perfect, thanks!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.