Netgate Discussion Forum

    Microsoft Windows Update Blocked By Unknown Feed

    • dma_pf

      I am being blocked, by an unknown feed, from reaching Microsoft's Windows Update site at this address: download.windows.com. In the image below you can see that pfb denied access:

      Screenshot2.jpg

      I've added download.windows.com to the DNSBL Whitelist and did a Force/Reload but keep getting the same result.

      I'm using pfb 2.2.5_23 on a pfsense 2.4.4_3 installation.

      • kiokoman

        well it is actually download.windowsupdate.com instead of download.windows.com

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • dma_pf

          Thanks for pointing that out! Definitely a typo on my behalf. As shown in the picture above, download.windowsupdate.com is the correct address that is being blocked.

          • BBcan177 Moderator @dma_pf

            @dma_pf
            Could be a CNAME that is blocked?

            drill @8.8.8.8 download.windowsupdate.com

            ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 43023
            ;; flags: qr rd ra ; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
            ;; QUESTION SECTION:
            ;; download.windowsupdate.com.  IN      A
            
            ;; ANSWER SECTION:
            download.windowsupdate.com.     2621    IN      CNAME   2-01-3cf7-0009.cdx.cedexis.net.
            2-01-3cf7-0009.cdx.cedexis.net. 124     IN      CNAME   fg.download.windowsupdate.com.c.footprint.net.
            fg.download.windowsupdate.com.c.footprint.net.  114     IN      A       8.253.140.249
            fg.download.windowsupdate.com.c.footprint.net.  114     IN      A       8.253.154.236
            fg.download.windowsupdate.com.c.footprint.net.  114     IN      A       8.250.101.254
            fg.download.windowsupdate.com.c.footprint.net.  114     IN      A       8.250.91.254
            fg.download.windowsupdate.com.c.footprint.net.  114     IN      A       8.253.154.104
            
            ;; AUTHORITY SECTION:
            
            ;; ADDITIONAL SECTION:
            
            ;; Query time: 104 msec
            ;; SERVER: 8.8.8.8
            ;; WHEN: Fri Jul 26 20:41:37 2019
            ;; MSG SIZE  rcvd: 224
            

            See if these domains/CNAMES are in your Feeds:

            grep "download.windowsupdate.com" /var/db/pfblockerng/dnsbl/*
            grep "cedexis.net" /var/db/pfblockerng/dnsbl/*
            grep "fg.download.windowsupdate.com.c.footprint.net" /var/db/pfblockerng/dnsbl/*
            

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            • dma_pf

              Thanks for the help BBCan. Your drill and grep commands were a big help in identifying the issue. But fixing the issue is like playing a game of Whack-A-Mole.

              When I first ran a drill command on my router I got different results than you did. I did get a CNAME for cedexis.net but not for footprint.com. Instead I got another one for hwcdn.net.

              So I navigated to both of the CNAMEs and confirmed that feeds were blocking both of them. I went ahead and whitelisted both of the sites and things started working correctly.

              But then all of a sudden Microsoft update would again not work. I checked the pfblocker alerts and was again getting the blocked alert in the picture in my original post.

              So I decided to run a drill command and got the following result:

              ;; ANSWER SECTION:
              download.windowsupdate.com.		1085	IN	CNAME	2-01-3cf7-0009.cdx.cedexis.net.
              2-01-3cf7-0009.cdx.cedexis.net.		239	IN	CNAME	wu.azureedge.net.
              wu.azureedge.net.			1150	IN	CNAME	wu.ec.azureedge.net.
              wu.ec.azureedge.net.			299	IN	CNAME	wu.wpc.apr-52dd2.edgecastdns.net.
              wu.wpc.apr-52dd2.edgecastdns.net.	299	IN	CNAME	hlb.apr-52dd2-0.edgecastdns.net.
              hlb.apr-52dd2-0.edgecastdns.net.	299	IN	CNAME	cs11.wpc.v0cdn.net.
              cs11.wpc.v0cdn.net.			3298	IN	A	72.21.81.240
              

              I didn't run a grep command for the new CNAMEs but I assume that there would be one or more that were in my feeds.

              I did a bit of research on cedexis.net and could not find much info on it. But cedexis.com is owned by Citrix. Navigating to cedexis.com reroutes to this page https://www.citrix.com/products/citrix-intelligent-traffic-management/.

              Citrix has a product that they call Citrix Intelligent Traffic Management Service (which was developed by Cedexis, LLC before Citrix bought them out) which provides global load balancing services for internet traffic and content delivery. It appears to me that Microsoft is using Citrix's product to route users to Microsoft's content through the less congested route across the internet and they are doing this through cedexis.net.

              I think that's why I'm getting different drill results at different times and why Microsoft update was working for a while when I whitelisted the 2 domains in my feeds. But later on when cedexis.net rerouted traffic to other servers I was once again blocked because one of those new servers was in one of my feeds.

              This is just a theory on my part based on a limited knowledge of networking. I'd appreciate it if those with much more knowledge than me can confirm if I'm correct, or on the right path. And if I am correct, then is there any way, other than checking each site that would show up in a drill command and manually whitelisting, to access Microsoft's update without pfBlocker triggering alerts?

              • BBcan177 Moderator @dma_pf

                @dma_pf

                Start with which Feeds contain these domains blocking windows updates.

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/
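
The drill-then-grep check from this thread, combined into one pass so that every name in the current CNAME chain is checked against every feed file. This is an added example, not code from any poster or from pfBlockerNG. The function names are hypothetical, and the feed files and their `local-data` line style are constructed here as an assumption about the DNSBL file layout.

```shell
#!/bin/sh
# Added example: map every name in a resolver answer's CNAME chain to the
# DNSBL feed files that list it (or a parent domain of it).

# chain_names: drill/dig output on stdin -> unique owner names and CNAME
# targets, lower-cased, trailing dot removed. Comment lines (";;") are skipped.
chain_names() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 ~ /^(CNAME|A|AAAA)$/ {
             print tolower($1)
             if ($4 == "CNAME") print tolower($5)
         }' | sed 's/\.$//' | sort -u
}

# blocking_feeds FEED_DIR: drill/dig output on stdin -> one line per hit,
# "feed-file<TAB>listed-domain<TAB>chain-name". A hit is an exact match or a
# listed parent domain; tokens without a dot are ignored.
blocking_feeds() {
    names=$(chain_names | tr '\n' ' ')
    awk -v names="$names" '
        BEGIN { n = split(names, want, " ") }
        {
            f = FILENAME; sub(/.*\//, "", f)
            line = tolower($0); gsub(/[^a-z0-9.-]+/, " ", line)
            k = split(line, tok, " ")
            for (i = 1; i <= k; i++) {
                t = tok[i]; sub(/\.$/, "", t)
                if (t !~ /\./) continue
                for (j = 1; j <= n; j++) {
                    w = want[j]; lw = length(w); lt = length(t)
                    if (w == t || (lw > lt && substr(w, lw - lt) == "." t))
                        print f "\t" t "\t" w
                }
            }
        }' "$1"/* | sort -u
}

# Demo: answer lines taken from the thread; feed files are constructed here
# (assumed Unbound local-data line style, constructed feed names).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'local-data: "cdx.cedexis.net 60 IN A 10.10.10.1"\n' > "$dir/ExampleFeedA.txt"
    printf 'local-data: "wu.azureedge.net 60 IN A 10.10.10.1"\n' > "$dir/ExampleFeedB.txt"
    printf '%s\n' \
        'download.windowsupdate.com. 1085 IN CNAME 2-01-3cf7-0009.cdx.cedexis.net.' \
        '2-01-3cf7-0009.cdx.cedexis.net. 239 IN CNAME wu.azureedge.net.' \
        'wu.azureedge.net. 1150 IN CNAME wu.ec.azureedge.net.' |
        blocking_feeds "$dir"
    rm -rf "$dir"
}
demo
```

On the firewall the equivalent call would be `drill download.windowsupdate.com | blocking_feeds /var/db/pfblockerng/dnsbl`. Because the chain changes between queries, as the drill outputs above show, the result only describes the answer it was given.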

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.