Microsoft Windows Update Blocked By Unknown Feed
I am being blocked, by an unknown feed, from reaching Microsoft's Windows Update site at this address: download.windows.com. In the image below you can see that pfb denied access:
I've added download.windows.com to the DNSBL Whitelist and did a Force/Reload but keep getting the same result.
I'm using pfb 2.2.5_23 on a pfsense 2.4.4_3 installation.
Well, it is actually download.windowsupdate.com instead of download.windows.com.
Thanks for pointing that out! Definitely a typo on my behalf. As shown in the picture above, download.windowsupdate.com is the correct address that is being blocked.
Could be a CNAME that is blocked?
drill @220.127.116.11 download.windowsupdate.com

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 43023
;; flags: qr rd ra ; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; download.windowsupdate.com.	IN	A

;; ANSWER SECTION:
download.windowsupdate.com.	2621	IN	CNAME	2-01-3cf7-0009.cdx.cedexis.net.
2-01-3cf7-0009.cdx.cedexis.net.	124	IN	CNAME	fg.download.windowsupdate.com.c.footprint.net.
fg.download.windowsupdate.com.c.footprint.net.	114	IN	A	18.104.22.168
fg.download.windowsupdate.com.c.footprint.net.	114	IN	A	22.214.171.124
fg.download.windowsupdate.com.c.footprint.net.	114	IN	A	126.96.36.199
fg.download.windowsupdate.com.c.footprint.net.	114	IN	A	188.8.131.52
fg.download.windowsupdate.com.c.footprint.net.	114	IN	A	184.108.40.206

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 104 msec
;; SERVER: 220.127.116.11
;; WHEN: Fri Jul 26 20:41:37 2019
;; MSG SIZE  rcvd: 224
See if these domains/CNAMES are in your Feeds:
grep "download.windowsupdate.com" /var/db/pfblockerng/dnsbl/*
grep "cedexis.net" /var/db/pfblockerng/dnsbl/*
grep "fg.download.windowsupdate.com.c.footprint.net" /var/db/pfblockerng/dnsbl/*
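The procedure BBCan gives above (resolve the name, then grep every name in the CNAME chain against the DNSBL feed files) as a single script. This is an added example, not from the thread or from pfBlockerNG itself. It goes a little further than the grep lines above in two ways: it also checks each parent domain of every name, because a feed entry for a parent zone such as cedexis.net is what the later posts find, and it matches with grep -F -x so the dots in a name are literal rather than regex wildcards (a plain grep for download.windowsupdate.com would also match a lookalike such as download-windowsupdate.com). The drill answer section, the two feed files and the 192.0.2.10 address are constructed sample data so the script runs offline; on a pfSense box point DNSBL_DIR at /var/db/pfblockerng/dnsbl and feed it real drill output.

```shell
#!/bin/sh
# Added example: walk the CNAME chain in drill/dig output and report which
# DNSBL feed file, if any, lists each name or one of its parent domains.
# Everything under $WORK is constructed sample data so this runs offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DNSBL_DIR="$WORK/dnsbl"          # real path on pfSense: /var/db/pfblockerng/dnsbl
mkdir -p "$DNSBL_DIR"

# Constructed answer section, modelled on the chain seen in this thread.
cat > "$WORK/drill.txt" <<'EOF'
;; ANSWER SECTION:
download.windowsupdate.com.        1085 IN CNAME 2-01-3cf7-0009.cdx.cedexis.net.
2-01-3cf7-0009.cdx.cedexis.net.     239 IN CNAME wu.azureedge.net.
wu.azureedge.net.                  1150 IN CNAME wu.ec.azureedge.net.
wu.ec.azureedge.net.                299 IN A     192.0.2.10
EOF

# Constructed feeds (one domain per line). Feed_A lists the parent zone
# cedexis.net; Feed_B lists a lookalike that an unescaped-dot grep would hit.
printf '%s\n' 'cedexis.net' 'tracker.example' > "$DNSBL_DIR/Feed_A.txt"
printf '%s\n' 'download-windowsupdate.com' 'ads.example.net' > "$DNSBL_DIR/Feed_B.txt"

# Print every owner name and CNAME target in the answer section, in order,
# deduplicated, lowercased and without the trailing dot.
chain_names() {
  awk '$3 == "IN" && ($4 == "CNAME" || $4 == "A") { print $1; if ($4 == "CNAME") print $5 }' "$1" |
    sed 's/\.$//' | tr 'A-Z' 'a-z' | awk '!seen[$0]++'
}

# For one chain name, check the name itself and each parent domain (stopping
# before the bare TLD). -F -x makes the match literal and whole-line, so the
# dots in the name are not wildcards. Output: "<chain name> -> <feed file> (entry: <matched line>)"
feeds_listing() {
  full=$1
  cand=$1
  while [ "${cand#*.}" != "$cand" ]; do
    grep -F -x -l -i -- "$cand" "$DNSBL_DIR"/* 2>/dev/null |
      sed "s|^|$full -> |; s|\$| (entry: $cand)|"
    cand=${cand#*.}
  done
}

# Run the check over the whole chain found in a drill/dig output file.
find_blocking_feeds() {
  chain_names "$1" | while IFS= read -r n; do feeds_listing "$n"; done
}

find_blocking_feeds "$WORK/drill.txt"
```

With the sample data the only line printed names the cedexis.net entry in Feed_A.txt as the reason 2-01-3cf7-0009.cdx.cedexis.net is blocked; the lookalike in Feed_B.txt is correctly not reported. Because the CDN chain behind download.windowsupdate.com changes between lookups, re-run this against fresh drill output each time an alert fires rather than trusting the first result.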
Thanks for the help BBCan. Your drill and grep commands were a big help in identifying the issue. But fixing the issue is like playing a game of Whack-A-Mole.
When I first ran a drill command on my router I got different results than you did. I did get a CNAME for cedexis.net but not for footprint.com. Instead I got another one for hwcdn.net.
So I navigated to both of the CNAMEs and confirmed that feeds were blocking both of them. I went ahead and whitelisted both of the sites and things started working correctly.
But then all of a sudden Microsoft update would again not work. I checked the pfblocker alerts and was again getting the blocked alert in the picture in my original post.
So I decided to run a drill command and got the following result:
;; ANSWER SECTION:
download.windowsupdate.com.	1085	IN	CNAME	2-01-3cf7-0009.cdx.cedexis.net.
2-01-3cf7-0009.cdx.cedexis.net.	239	IN	CNAME	wu.azureedge.net.
wu.azureedge.net.	1150	IN	CNAME	wu.ec.azureedge.net.
wu.ec.azureedge.net.	299	IN	CNAME	wu.wpc.apr-52dd2.edgecastdns.net.
wu.wpc.apr-52dd2.edgecastdns.net.	299	IN	CNAME	hlb.apr-52dd2-0.edgecastdns.net.
hlb.apr-52dd2-0.edgecastdns.net.	299	IN	CNAME	cs11.wpc.v0cdn.net.
cs11.wpc.v0cdn.net.	3298	IN	A	18.104.22.168
I didn't run a grep command for the new CNAMEs but I assume that there would be one or more that were in my feeds.
I did a bit of research on cedexis.net and could not find much info on it. But cedexis.com is owned by Citrix. Navigating to cedexis.com reroutes to this page https://www.citrix.com/products/citrix-intelligent-traffic-management/.
Citrix has a product that they call Citrix Intelligent Traffic Management Service (which was developed by Cedexis, LLC before Citrix bought them out) which provides global load balancing services for internet traffic and content delivery. It appears to me that Microsoft is using Citrix's product to route users to Microsoft's content through the less congested route across the internet and they are doing this through cedexis.net.
I think that's why I'm getting different drill results at different times and why Microsoft update was working for a while when I whitelisted the 2 domains in my feeds. But later on when cedexis.net rerouted traffic to other servers I was once again blocked because one of those new servers was in one of my feeds.
This is just a theory on my part based on a limited knowledge of networking. I'd appreciate it if those with much more knowledge than me can confirm if I'm correct, or on the right path. And if I am correct, then is there any way, other than checking each site that would show up in a drill command and manually whitelisting, to access Microsoft's update without pfBlocker triggering alerts?
Start with which Feeds contain these domains blocking windows updates.