shopify sites

jpvonhemel

I am wondering why pfblockerng is blocking shopify sites like clivecoffee.com and huckleberryroasters.com. Grep didn’t find any lists with these domains. I know i can whitelist, but really want to learn why it is happening.

Thanks
Jerold

johnpoz

And how do you know its blocking? what IP is it resolving too? Are you getting NX, Refused when you try and query it?

jpvonhemel

When I disable pfblockerng, or add the domain to the whitelist, the sites load. I am not at home now, I’ll get back on the other questions, I know I the ip they resolve to is the same, and that is from Shopify.

johnpoz

Well then they are either being blocked by a list your loading that you can grep for the domain. Or you by an geoIP block..

I show that clivecoffee being in CA

23.227.38.32

NogBadTheBad

@jpvonhemel said in shopify sites:

huckleberryroasters.com

AS details for AS62679 :-

aut-num: AS62679
as-name: ASN-SHOPIFY-1
descr: Shopify, Inc
descr: 150 Elgin St, 8th Floor
descr: Ottawa, ON K2P 1L4
descr: CA
import: from AS23352 accept ANY
import: from AS14244 accept ANY
import: from AS6461 accept ANY
import: from AS46887 accept ANY
import: from AS63408 accept ANY
import: from AS2914 accept ANY
export: to AS23352 announce AS62679
export: to AS14244 announce AS62679
export: to AS6461 announce AS62679
export: to AS46887 announce AS62679
export: to AS32787 announce AS62679
export: to AS63408 announce AS62679
export: to AS2914 announce AS62679
admin-c: SHOPI-ARIN
tech-c: SHOPI-ARIN
mnt-by: MNT-SHOPI-1
changed: peter.denitto@shopify.com 20170428
source: ARIN

IPv4 subnets for AS62679 :-

23.227.32.0/19
23.227.37.0/24
23.227.38.0/23
23.227.41.0/24
23.227.38.0/24
23.227.39.0/24
23.227.53.0/24
23.227.54.0/24
23.227.55.0/24
23.227.52.0/24
23.227.32.0/19
23.227.39.0/24
23.227.32.0/24
23.227.33.0/24
23.227.34.0/24
23.227.35.0/24
23.227.36.0/24
23.227.37.0/24
23.227.38.0/24
23.227.40.0/24
23.227.41.0/24
23.227.42.0/24
23.227.44.0/24
23.227.45.0/24
23.227.46.0/24
23.227.47.0/24
23.227.48.0/24
23.227.49.0/24
23.227.50.0/24
23.227.51.0/24
23.227.52.0/24
23.227.53.0/24
23.227.54.0/24
23.227.55.0/24
23.227.56.0/24
23.227.57.0/24
23.227.58.0/24
23.227.59.0/24
23.227.60.0/24
23.227.61.0/24
23.227.62.0/24
23.227.63.0/24

IPv6 subnets for AS62679 :-

2620:127:F000::/44
2620:127:F000::/44
2620:127:F000::/48
2620:127:F001::/48
2620:127:F002::/48
2620:127:F003::/48
2620:127:F004::/48
2620:127:F005::/48
2620:127:F006::/48
2620:127:F007::/48
2620:127:F008::/48
2620:127:F009::/48
2620:127:F00A::/48
2620:127:F00B::/48
2620:127:F00C::/48
2620:127:F00D::/48
2620:127:F00E::/48
2620:127:F00F::/48
2620:127:F000::/47
2620:127:F002::/47
2620:127:F004::/47
2620:127:F006::/47
2620:127:F008::/47
2620:127:F00A::/47
2620:127:F00C::/47
2620:127:F00E::/47
2620:127:F000::/46
2620:127:F004::/46
2620:127:F008::/46
2620:127:F00C::/46
2620:127:F000::/45
2620:127:F008::/45

Monday, 6 July 2020 at 19:43:46 British Summer Time

NogBadTheBad

Have a look at /var/log/pfblockerng/dnsbl.log

jpvonhemel

Hi @johnpoz I mentioned that grep didn’t return anything for either domain and I don’t have any geo ip blocks loaded at this time. Tomorrow I will take a look at the settings again and see if anything stands out.

Thank you,
Jerold

NogBadTheBad

@jpvonhemel

You'll see what feeds are blocking it if you follow my screenshots.

Gertjan

@jpvonhemel said in shopify sites:

I mentioned that grep didn’t return

Please show you grep query ?

jpvonhemel

This post is deleted!

jpvonhemel

Hello,

I ran through the suggestions above and here is what I have figured out.

Here is my grep output:

Here is the dnsbl name search output:

What is odd is both names resolve to the same ip address. When I used the filter for this ip address, I found the list involved.

Hoping I need to whitelist 23.227.38.32 or myshopify.com. It would stink to have to whitelist every domaine that resolves to this address.

Thanks for helping me!Any other thoughts or suggestions?

Jerold

jpvonhemel

I tried to whitelist the domains and reloaded, but the sites are still blocked. Here is a snipped of what I whitelisted on the reload output. Not sure where to go from here but would really love to learn!

Thanks,

Jerold

Gertjan

Initially, when a domain name is 'blacklisted', the resolver hands over the "10.10.10.1" IP, as set up in the settings.
When you whitelist an IP or domain, the resolver 'cache' will get modified .... but the DNS cache in your device (PC, phone ?) will not, it will stay valid for some time, still pointing to 10.10.10.1.

That's why Windows has a command like

ipconfig /flushdns

so that the domain get resolved again, and this time it will resolve to the 'real' IP.

jpvonhemel

If the blocked shopify sites are being blocked with DNSBL and a feed, shouldn't I be seeing a page like this?

I am wondering if this isn't an ip block, because no pfblockerngpage is returned.

jpvonhemel

ipconfig /flushdns ran at the command line, but did not allow the page to resolve correctly.

jdeloach

@jpvonhemel said in shopify sites:

If the blocked shopify sites are being blocked with DNSBL and a feed, shouldn't I be seeing a page like this?

I am wondering if this isn't an ip block, because no pfblockerngpage is returned.

This is what I would expect to get if pfBlockerNG blocked a website that was on block list that I was using. This is the default block page you get when a website is blocked by pfblocker.

jpvonhemel

My blocked sites, clivecoffee.com and huckleberrycoffee.com do not display the pfblocker black and red screen on load, they simply return this. I am thinking the ipv4 ip address is blocked, and not the domain. I am trying to create an alias whitelist with the ip address, but it does not seem to fix the issue.

jdeloach

@jpvonhemel said in shopify sites:

My blocked sites, clivecoffee.com and huckleberrycoffee.com do not display the pfblocker black and red screen on load, they simply return this. I am thinking the ipv4 ip address is blocked, and not the domain. I am trying to create an alias whitelist with the ip address, but it does not seem to fix the issue.

If you haven't already done so, you might give this doc a read as it explains a lot about how to configure DNSBL on pfBlockerNG. It's a little dated but for the most part it is still accurate https://linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/.

jpvonhemel

@johnpoz said in shopify sites:

And how do you know its blocking? what IP is it resolving too? Are you getting NX, Refused when you try and query it?

Hi John Poz,

I'm sorry, but I don't know what you mean by NX, refused. Would you mind explaining this to me. I would like to learn this.

Thanks,

Jerold

jpvonhemel

If you haven't already done so, you might give this doc a read as it explains a lot about how to configure DNSBL on pfBlockerNG. It's a little dated but for the most part it is still accurate https://linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/.

Thanks, I will take a look