Microsoft Windows Update Blocked By Unknown Feed

  • I am being blocked, by an unknown feed, from reaching Microsoft's Windows Update site at this address In the image below you can see that pfb denied access:


    I've added to the DNSBL Whitelist and did a Force/Reload but keep getting the same result.

    I'm using pfb 2.2.5_23 on a pfsense 2.4.4_3 installation.

  • LAYER 8

    well it is actually instead of

  • Thanks for pointing that out! Definitely a typo on my behalf. As shown in the picture above, is the correct address that is being blocked.

  • Moderator

    Could be a CNAME that is blocked?

    drill @

    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 43023
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
    ;;  IN      A
    ;; ANSWER SECTION:
    2621    IN      CNAME
    124     IN      CNAME
    114     IN      A
    114     IN      A
    114     IN      A
    114     IN      A
    114     IN      A
    ;; Query time: 104 msec
    ;; SERVER:
    ;; WHEN: Fri Jul 26 20:41:37 2019
    ;; MSG SIZE  rcvd: 224

    See if these domains/CNAMES are in your Feeds:

    grep "" /var/db/pfblockerng/dnsbl/*
    grep "" /var/db/pfblockerng/dnsbl/*
    grep "" /var/db/pfblockerng/dnsbl/*

  • Thanks for the help BBCan. Your drill and grep commands were a big help in identifying the issue. But fixing the issue is like playing a game of Whack-A-Mole.

    When I first ran a drill command on my router I got different results than you did. I did get a CNAME for but not for Instead I got another one for

    So I navigated to both of the cnames and confirmed that feeds were blocking both of them. I went ahead and whitelisted both of the sites and things started working correctly.

    But then all of a sudden Microsoft update would again not work. I checked the pfblocker alerts and was again getting the blocked alert in the picture in my original post.

    So I decided to run a drill command and got the following result:

    ;; ANSWER SECTION:
    1085    IN      CNAME
    239     IN      CNAME
    1150    IN      CNAME
    299     IN      CNAME
    299     IN      CNAME
    299     IN      CNAME
    3298    IN      A

    I didn't run a grep command for the new cnames but I assume that there would be one or more that were in my feeds.

    I did a bit of research on and could not find much info on it. But is owned by Citrix. Navigating to reroutes to this page

    Citrix has a product that they call Citrix Intelligent Traffic Management Service (which was developed by Cedexis, LLC before Citrix bought them out) which provides global load balancing services for internet traffic and content delivery. It appears to me that Microsoft is using Citrix's product to route users to Microsoft's content through the less congested route across the internet and they are doing this through

    I think that's why I'm getting different drill results at different times and why Microsoft update was working for a while when I whitelisted the 2 domains in my feeds. But later on when rerouted traffic to other servers I was once again blocked because one of those new servers was in one of my feeds.

    This is just a theory on my part based on a limited knowledge of networking. I'd appreciate it if those with much more knowledge than me can confirm if I'm correct, or on the right path. And if I am correct, then is there any way, other than checking each site that would show up in a drill command and manually whitelisting, to access Microsoft's update without pfBlocker triggering alerts?

  • Moderator


    Start with which Feeds contain these domains blocking windows updates.
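
The drill-then-grep check from this thread, as an added example that is not part of any post: it pulls every owner name and CNAME target out of a drill answer and reports which feed file lists each one. The sample answer, the feed file names and the `local-data:` line format are constructed assumptions; the function names are hypothetical.

```shell
#!/bin/sh
# Print each owner name and CNAME target in the ANSWER SECTION of drill
# output read from stdin: lowercased, trailing dot removed, duplicates dropped.
chain_names() {
    awk '
        /^;; ANSWER SECTION/ { in_ans = 1; next }
        /^;;/ || NF == 0 { in_ans = 0 }
        in_ans && $3 == "IN" { print $1; if ($4 == "CNAME") print $5 }
    ' | tr 'A-Z' 'a-z' | sed 's/\.$//' | awk '!seen[$0]++'
}

# feeds_blocking NAME DIR: list the files in DIR that contain NAME as a whole
# hostname, so a longer name that merely ends in NAME does not count.
feeds_blocking() {
    esc=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    grep -lE "(^|[^A-Za-z0-9._-])${esc}([^A-Za-z0-9._-]|\$)" "$2"/* 2>/dev/null
}

# audit_chain DIR: read drill output on stdin, print "name<TAB>feed file"
# for every name in the chain that a feed lists.
audit_chain() {
    for name in $(chain_names); do
        hits=$(feeds_blocking "$name" "$1") || continue
        for f in $hits; do printf '%s\t%s\n' "$name" "${f##*/}"; done
    done
}

# Constructed drill output; the names and addresses are placeholders.
sample_answer() {
    cat <<'EOF'
;; ANSWER SECTION:
update.example.com.     2621  IN  CNAME  update.lb.example.net.
update.lb.example.net.  124   IN  CNAME  edge7.cdn.example.org.
edge7.cdn.example.org.  114   IN  A      192.0.2.10

;; Query time: 104 msec
EOF
}

# Demo against a throwaway feed directory (file names and contents constructed).
demo() {
    d=$(mktemp -d)
    printf 'local-data: "update.lb.example.net 60 IN A 10.10.10.1"\n' > "$d/FeedA.txt"
    printf 'local-data: "old.edge7.cdn.example.org 60 IN A 10.10.10.1"\n' > "$d/FeedB.txt"
    sample_answer | audit_chain "$d"
    rm -rf "$d"
}
demo
```

On the firewall, pipe live drill output for the blocked name into `audit_chain /var/db/pfblockerng/dnsbl`, and repeat it over time, since the thread shows the chain changing between queries.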
