Page works but refresh or “next page” hits DNSBL - only on iPad



  • Okay, I have a very weird issue. I have pfBlockerNG installed and use a few feeds to block the most obvious offenders :-)
    However: I use www.tomshardware.com or www.anandtech.com quite a lot, and they work just fine on my PC - every time and all the time.
    On my iPad they also work when I first access them, and if I click on subpage links within the first minute or two that works just fine too. But if I read for several minutes, any click to a subpage will be blocked and I’m presented with my DNSBL certificate error (I get blocked by DNSBL). This is only a problem on my iPad, and it only started happening after I upgraded to pfBlockerNG_Devel to get the included feeds structure.
    I have included a screenshot of my DNSBL alerts that shows DNSBL blocking those sites, but why is everything unknown on those alerts?

    PS: I have also whitelisted the sites, but that makes no difference.

    Any ideas?

    -Keyser

    [screenshot: DNSBL alerts]


  • Moderator

    What browser are you using on the iPad? Try an alternative and see if it's reproducible.
    When you see "unknown", it means that domain is not in any blocklists, but something on the iPad is telling those two sites to resolve to the DNSBL VIP (10.10.10.1).
    A quick test would be to run a "host -t A example.com" on the pfSense box and see what it resolves to.



  • The issue is reproducible in Edge on my iPad. I have also tried using a DNS resolver app on my iPad, and whenever the issue is present in the browser, resolving www.anandtech.com goes to my DNSBL VIP address. So wtf is going on?

    I cannot seem to get the command “host -t A www.anandtech.com” to fail to resolve to an akamai address on the pfsense itself.

    So it would seem it’s an iPad/cache issue, although it’s VERY VERY strange this started happening the very day I upgraded my pfSense to an SG-1100 and installed pfBlockerNG_devel instead of the stable release.

    PS: I noticed that both tomshardware and anandtech resolve to the same Akamai IP address, which would suggest that's the common ground they share.

    Btw: It happens on my iPhone as well, so it seems it happens on all iOS devices.

    Any ideas?


  • Galactic Empire

    @keyser said in Page works but refresh or “next page” hits DNSBL - only on iPad:

    cannot seem to get the command “host -t A www.anandtech.com” to fail to resolve to an akamai address on the pfsense itself.

    DNSBL is blocking www.anandtech.com by the looks of things, but it doesn't appear to be matching a feed.

    [screenshot, 2019-05-29: DNSBL alert for www.anandtech.com]

    mac-pro:~ andy$ host -t A www.anandtech.com
    www.anandtech.com is an alias for www.anandtech.com.edgekey.net.
    www.anandtech.com.edgekey.net is an alias for e1151.e12.akamaiedge.net.
    e1151.e12.akamaiedge.net has address 2.19.145.189
    mac-pro:~ andy$

    A capture of DNS while trying to view a page:-

    [screenshot, 2019-05-29: DNS packet capture]

    172.16.255.2 is my DNSBL VIP



  • Thanks Andy - That was a valuable clue.

    I did a packet capture, and indeed the iPad first resolves www.anandtech.com and receives the CNAME and IP for the page, which it uses and loads the page.
    After a minute, when I click a subpage, the iPad directly tries to resolve the CNAME record (e1151.e12.akamaiedge.net), which goes to my DNSBL. So that explains why this is happening. Two things however:

    1: My PC has a different behaviour - after a minute it still tries to resolve www.anandtech.com again instead of directly going for the CNAME. Is that just different OS behavior?
    2: What is the best way to “mitigate” this issue? Whitelist the specific akamai CNAME which seems like a very temporary solution, or whitelist akamai more in general? It seems this akamai content cache is blocked by the SBL_ADs feed in pfBlockerNG
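The mechanism described in the post above, modelled as an added example (this is not pfBlockerNG's or unbound's own code, and not code from the thread): a DNSBL `local-data` entry matches the name the client puts in its query, so a client that keeps asking for `www.anandtech.com` gets the upstream answer, while a client that re-queries the CNAME target `e1151.e12.akamaiedge.net` directly is sinkholed to the VIP. The config excerpt is constructed in the format of `/var/unbound/pfb_dnsbl.conf`; the `e1151.e12.akamaiedge.net` line is an assumption standing in for the SBL_ADs feed entry the poster describes, and the CNAME chain and final address are copied from the `host -t A` output in the thread. The whitelist handling (drop the name when the file is regenerated) is a simplified model of the package's behaviour.

```python
"""Model of pfBlockerNG DNSBL matching against the queried name vs. a CNAME target.

Constructed example; not pfBlockerNG or unbound code.
"""
import re
from typing import Dict, List, Optional, Tuple

DNSBL_VIP = "172.16.255.2"

# Constructed excerpt in the format of pfb_dnsbl.conf / pfb_dnsbl.tsp.
# The e1151 line is ASSUMED: it stands in for the SBL_ADs feed hit described in the thread.
DNSBL_CONF = """\
local-data: "tracker.anandtech.com 60 IN A 172.16.255.2"
local-data: "ad.tomshardware.com 60 IN A 172.16.255.2"
local-data: "analytics.edgekey.net 60 IN A 172.16.255.2"
local-data: "e1151.e12.akamaiedge.net 60 IN A 172.16.255.2"
local-zone: "anandtechverce.com" redirect local-data: "anandtechverce.com 60 IN A 172.16.255.2"
"""

# Constructed upstream view, copied from the `host -t A www.anandtech.com` output in the thread.
CNAME_CHAIN = {
    "www.anandtech.com": "www.anandtech.com.edgekey.net",
    "www.anandtech.com.edgekey.net": "e1151.e12.akamaiedge.net",
}
UPSTREAM_A = {"e1151.e12.akamaiedge.net": "2.19.145.189"}

LOCAL_DATA_RE = re.compile(r'local-data:\s*"([^\s"]+)\s+\d+\s+IN\s+A\s+([\d.]+)"')
LOCAL_ZONE_RE = re.compile(r'local-zone:\s*"([^"]+)"\s+redirect')


def norm(name: str) -> str:
    return name.rstrip(".").lower()


def parse_dnsbl(conf: str, whitelist: Tuple[str, ...] = ()) -> Tuple[Dict[str, str], List[str]]:
    """Parse local-data / local-zone redirect lines into (exact-name map, redirect zones).

    Whitelisted names are dropped, modelling pfBlockerNG omitting them when it
    regenerates the file on update (assumption, simplified).
    """
    wl = {norm(w) for w in whitelist}
    exact: Dict[str, str] = {}
    zones: List[str] = []
    for line in conf.splitlines():
        mz = LOCAL_ZONE_RE.search(line)
        if mz and norm(mz.group(1)) not in wl:
            zones.append(norm(mz.group(1)))
        md = LOCAL_DATA_RE.search(line)
        if md and norm(md.group(1)) not in wl:
            exact[norm(md.group(1))] = md.group(2)
    return exact, zones


def dnsbl_hit(qname: str, exact: Dict[str, str], zones: List[str]) -> Optional[str]:
    """Sinkhole address if DNSBL matches the queried name, else None.

    local-data matches the exact name; a 'redirect' local-zone matches the
    zone apex and everything beneath it.
    """
    q = norm(qname)
    if q in exact:
        return exact[q]
    for z in zones:
        if q == z or q.endswith("." + z):
            return exact.get(z, DNSBL_VIP)
    return None


def cname_path(qname: str) -> List[str]:
    """The queried name followed by every CNAME hop, ending at the terminal name."""
    name = norm(qname)
    path = [name]
    while name in CNAME_CHAIN:
        name = CNAME_CHAIN[name]
        if name in path:
            raise ValueError("CNAME loop at " + name)
        path.append(name)
    return path


def resolve(qname: str, exact: Dict[str, str], zones: List[str]) -> Tuple[str, str]:
    """One client query: DNSBL is checked on the name the client asks for; otherwise
    the CNAME chain is followed upstream. Returns (address, source)."""
    hit = dnsbl_hit(qname, exact, zones)
    if hit is not None:
        return hit, "dnsbl"
    return UPSTREAM_A[cname_path(qname)[-1]], "upstream"


def blocked_hops(qname: str, exact: Dict[str, str], zones: List[str]) -> List[str]:
    """Names in qname's CNAME chain that would be sinkholed if a client queried them
    directly, i.e. what a whitelist entry actually has to cover."""
    return [h for h in cname_path(qname) if dnsbl_hit(h, exact, zones) is not None]


if __name__ == "__main__":
    exact, zones = parse_dnsbl(DNSBL_CONF)
    print("PC-style query :", resolve("www.anandtech.com", exact, zones))
    print("iOS-style query:", resolve(cname_path("www.anandtech.com")[-1], exact, zones))
    print("hops to whitelist:", blocked_hops("www.anandtech.com", exact, zones))
```

Running it shows the PC-style query for `www.anandtech.com` returning the upstream Akamai address while the direct query for the terminal CNAME name returns the VIP, and `blocked_hops` names the one entry (`e1151.e12.akamaiedge.net`) that a whitelist has to cover; whitelisting `www.anandtech.com` itself changes nothing because that name was never in the list.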


  • Galactic Empire

    [2.4.4-RELEASE][admin@pfsense]/var/unbound: grep edgekey *
    pfb_dnsbl.conf:local-data: "79423.analytics.edgekey.net 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "ma180-r.analytics.edgekey.net 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "ma728-r.analytics.edgekey.net 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "ma156-r.analytics.edgekey.net 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "analytics.edgekey.net 60 IN A 172.16.255.2"
    [2.4.4-RELEASE][admin@pfsense]/var/unbound: grep anandtech *
    pfb_dnsbl.conf:local-data: "tracker.anandtech.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "dynamic1.anandtech.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "dynamic2.anandtech.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "anandtechverce.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www.anandtechverce.com 60 IN A 172.16.255.2"
    pfb_dnsbl.tsp:local-zone: "anandtechverce.com" redirect local-data: "anandtechverce.com 60 IN A 172.16.255.2"
    [2.4.4-RELEASE][admin@pfsense]/var/unbound: grep tomshardware *
    pfb_dnsbl.conf:local-data: "tomshardware.fr.intellitxt.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "tomshardware.se.intellitxt.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "tomshardware.us.intellitxt.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "tracking.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www1.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www10.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www11.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www12.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www13.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www14.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www15.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www2.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www3.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www4.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www5.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www6.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www7.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www8.ad.tomshardware.com 60 IN A 172.16.255.2"
    pfb_dnsbl.conf:local-data: "www9.ad.tomshardware.com 60 IN A 172.16.255.2"
    [2.4.4-RELEASE][admin@pfsense]/var/unbound:
    


  • I can't figure out what you are suggesting in your post (it's only a screendump of a search in unbound of all the DNSBL entries containing anandtech/tomshardware).

    Removing those entries will not solve my problem. On subpages/clicks I do, iOS has decided to directly resolve the e1151.e12.akamaiedge.net A record it was given as a CNAME when it initially asked for www.anandtech.com.
    What it should do is like my PC: It should continue to resolve www.anandtech.com and use the IP it is given (along with the info that anandtech is a CNAME).
    It is www.anandtech.com I'm visiting after all....

    So to fix this (until Apple behaves better) I have to make sure the e1151.e12.akamaiedge.net A record does not get resolved to my DNSBL VIP address.


  • Galactic Empire

    It's not an Apple issue it's something the server is doing, if you disable DNSBL everything works.

    I even tried changing the User Agent without much luck.

    The config from pfb_dnsbl.conf is created when pfBlocker does an update NOT when a client views a page.



  • Well yes, of course it works if I disable DNSBL, and it also works if I whitelist e1151.e12.akamaiedge.net (which is my current workaround).
    I know pfb_dnsbl.conf is created at update time, but currently the Akamai entry is included in the config because it is present in the SBL_ADs feed (hence my need to whitelist it).
    So I still don’t quite get what you are referring to - as far as I can tell it is an Apple issue, because iOS the second time around decides to look up the original A record (Akamai) for which www.anandtech.com is a CNAME. It seems my PC continues to look up www.anandtech.com.

