How is this site bypassing pfBlocker (and Adblock)



  • Not sure where I should be digging further into this, but SlickDeals.net is somehow displaying ads from Google (I think?) when I am running pfBlocker and the Wipr adblocker on my local system. This is a recent change - it used to be "clean" loading. I'd normally just give it a pass, but the first time it happened I got a browser hijack ad - go figure.

    Mousing over the ad in the right column shows the link going to googleads.g.doubleclick.net - and when I go to ping that domain a terminal output gives what I expect when pfBlocker is working:

    PING googleads.g.doubleclick.net (10.10.10.1): 56 data bytes

    In the alerts tab of pfBlocker I see an entry for googleads.g.doubleclick.net, though it also has a list name of "no match" which seems odd.

    Any ideas?


  • Moderator

    @atlan said in How is this site bypassing pfBlocker (and Adblock):

    In the alerts tab of pfBlocker I see an entry for googleads.g.doubleclick.net, though it also has a list name of "no match" which seems odd.

    Maybe the CNAME is being blocked? Am going to add some code in the next release to check for CNAME blocks:

    drill @8.8.8.8 googleads.g.doubleclick.net
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 693
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; googleads.g.doubleclick.net. IN      A
    
    ;; ANSWER SECTION:
    googleads.g.doubleclick.net.    228     IN      CNAME   pagead46.l.doubleclick.net.
    pagead46.l.doubleclick.net.     228     IN      A       172.217.1.2
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 34 msec
    ;; SERVER: 8.8.8.8
    ;; WHEN: Sun Nov 25 16:23:53 2018
    ;; MSG SIZE  rcvd: 86
    


  • I've been digging into this further - this may fall outside of the scope of this pfSense package, but here is what I understand so far. This particular issue I am running into is from a specific anti Adblock technology. The tell is the "g00" part of the URL as a subdomain of the site you are visiting.

    The subdomain looks random other than the g00 portion...

    c-7npsfqifvt34x24dmjfoux2eobopwjtpsx2ejp.g00.slickdeals.net
    

    Is there a way to do a partial match in a blacklist on domains in pfBlockerNG?

    Some links with more information:


  • Moderator

    @atlan

    Not at the moment; however, when the Unbound Resolver Python integration is added, we will be able to do regex blocking amongst many other new features.

    I have been waiting for the devs to add the Python integration so that the package could easily integrate with the Resolver without unnecessary backend workarounds.
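The two ideas raised in this thread, a block that hits the CNAME target rather than the queried name and a regex rule for the `g00` label, sketched as an added example that is not part of the original posts and is not pfBlockerNG or Unbound code. The list names, list contents and the regex are assumptions made for illustration; the answer records are the ones shown in the drill output above.

```python
import re

# Constructed lists for illustration; not pfBlockerNG's real feeds or list names.
EXACT = {"example_ads_list": {"pagead46.l.doubleclick.net"}}
# Assumed rule: a label that is exactly "g00", followed by a two-label site domain.
REGEX = {"example_g00_rule": re.compile(r"(?:^|\.)g00\.[^.]+\.[^.]+$")}

# ANSWER SECTION records as shown in the drill output in the thread.
ANSWER = """\
googleads.g.doubleclick.net.    228     IN      CNAME   pagead46.l.doubleclick.net.
pagead46.l.doubleclick.net.     228     IN      A       172.217.1.2
"""

def norm(name):
    """Lower-case and drop the trailing root dot so comparisons are consistent."""
    return name.strip().lower().rstrip(".")

def cname_chain(qname, answer_text):
    """Follow CNAME records from qname; return every name in the chain, in order."""
    cnames = {}
    for line in answer_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2] == "IN" and f[3] == "CNAME":
            cnames[norm(f[0])] = norm(f[4])
    chain, seen = [norm(qname)], set()
    while chain[-1] in cnames and chain[-1] not in seen:  # guard against CNAME loops
        seen.add(chain[-1])
        chain.append(cnames[chain[-1]])
    return chain

def match_lists(name):
    """Return the first list or rule name that matches, else None."""
    for list_name, entries in EXACT.items():
        if name in entries:
            return list_name
    for rule_name, pattern in REGEX.items():
        if pattern.search(name):
            return rule_name
    return None

def classify(qname, answer_text=""):
    """Return (blocked, list_name, matched_name, via) for a query and its answers."""
    for i, name in enumerate(cname_chain(qname, answer_text)):
        hit = match_lists(name)
        if hit:
            return (True, hit, name, "qname" if i == 0 else "cname")
    return (False, None, None, None)

if __name__ == "__main__":
    print(classify("googleads.g.doubleclick.net", ANSWER))
    print(classify("c-7npsfqifvt34x24dmjfoux2eobopwjtpsx2ejp.g00.slickdeals.net"))
```

Reporting the matched name and whether the hit came from the queried name or a CNAME target is what lets an alert entry name the list that caused the block when the queried name itself is on no list.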