How to unblock duckduckgo and find why it's being blocked.
-
@johnpoz said in How to unblock duckduckgo and find why it's being blocked.:
Are you trying to say if you create a cname via a local-data: entry in unbound the client will not resolve it correctly? That is true because clients like your Windows box are stupid, that is not a problem with unbound per se
Yes, that's what I'm saying. I realize an example would have been helpful. I was using not only Windows tools, but also some open source ones like dig (presuming that the unholy cygwin doesn't entirely rely on Windows DNS - maybe it does?). In addition, the Net Analyzer app on my phone only retrieved a CNAME record, no A or AAAA, and ping fails.
The entry in pfblockerng is:
local-data: "duckduckgo.com IN CNAME safe.duckduckgo.com"
Are you suggesting that this results in successful DNS resolution on some clients? I'll have to try with dig on a *nix environment.
-
dig-ging on a nix box produces the same result - no DNS resolution via browser, ping, etc. So, this is not a Windows problem.
I took a look at what NextDNS does for its SafeSearch redirect. Here's the result:
$ dig duckduckgo.com
; <<>> DiG 9.11.9 <<>> duckduckgo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37077
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;duckduckgo.com. IN A
;; ANSWER SECTION:
duckduckgo.com. 300 IN CNAME safe.duckduckgo.com.
safe.duckduckgo.com. 300 IN A 40.89.244.237
;; Query time: 38 msec
;; SERVER: 192.168.77.71#53(192.168.77.71)
;; WHEN: Fri Jun 10 11:54:41 EDT 2022
;; MSG SIZE rcvd: 67
It would be great if we could get unbound to query the CNAME and provide the result as an A record, but from everything I'm reading it won't.
-
I had the same problem.
With duckduckgo.com in the DNSBL whitelist it didn't work, so I just added www.duckduckgo.com to the list.
Now it's running.
-
I have made a test file to hopefully address this issue. If it can be tested and reported back, will get this in the next upcoming release.
Change here:
https://gist.github.com/BBcan177/b95c2d9f5e78cf8ed902139dff600749/revisions
From the Shell or pfSense Diag/Command Prompt:
cp /var/unbound/pfb_unbound.py /var/unbound/pfb_unbound.py.bk
curl -o /var/unbound/pfb_unbound.py "https://gist.githubusercontent.com/BBcan177/b95c2d9f5e78cf8ed902139dff600749/raw/pfb_unbound.py"
Follow that with a Restart of Unbound. Might need to clear the OS and Browser cache.
-
@bbcan177 said in How to unblock duckduckgo and find why it's being blocked.:
I have made a test file to hopefully address this issue. If it can be tested and reported back, will get this in the next upcoming release.
What difference should I expect the change to make? I'm not seeing any resolution of the CNAME in a dig query.
Looking at the changes, I'm confused what line 1181 is about:
              elif isSafeSearch['A'] == 'cname':
why this? >>>     if isSafeSearch['AAAA'] is not None and isSafeSearch['AAAA'] != '':
                      if q_type == RR_TYPE_AAAA:
Why does an AAAA element of isSafeSearch[] need to exist? It is not checked for any of the if/else sibling conditions. Could this be bypassing the CNAME handling?
-
@mrtumnus
The /var/unbound/pfb_py_ss.txt is formatted like:
duckduckgo.com,cname,safe.duckduckgo.com
www.duckduckgo.com,cname,safe.duckduckgo.com
pixabay.com,cname,safesearch.pixabay.com
www.pixabay.com,cname,safesearch.pixabay.com
yandex.ru,213.180.193.56,
www.yandex.ru,213.180.193.56,
When the ss file is loaded it records 'cname' in the A field, and the actual CNAME in the AAAA field.
safeSearchDB[row[0]] = {'A': row[1], 'AAAA': row[2]}
https://gist.github.com/BBcan177/b95c2d9f5e78cf8ed902139dff600749#file-pfb_unbound-py-L335
I am short on time today, but shoot me an email to bbcan177@gmail.com and I'll try to look at it over the weekend.
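The field overloading described in the post above, as an added example that is not part of the thread and is not pfBlockerNG's own code: it parses the file format shown, resolves a lookup from the resulting dictionary, and flags `cname` rows whose target slot is empty. The helper names `load_safesearch`, `answer` and `audit`, and the `broken.example` row, are assumptions made for illustration.

```python
import csv
import io

# Constructed sample in the format shown above: domain, 'A' field, 'AAAA' field.
# The last row is deliberately malformed (marker 'cname' but no target).
SAMPLE_SS = """\
duckduckgo.com,cname,safe.duckduckgo.com
www.duckduckgo.com,cname,safe.duckduckgo.com
yandex.ru,213.180.193.56,
broken.example,cname,
"""

def load_safesearch(text):
    """Load rows as the post describes: field 2 -> 'A', field 3 -> 'AAAA'."""
    db = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 3 and row[0]:
            db[row[0].strip().lower()] = {'A': row[1].strip(),
                                          'AAAA': row[2].strip()}
    return db

def answer(db, qname, qtype):
    """Return (rrtype, rdata) for a redirect, or None to fall through.

    Hypothetical helper: it only illustrates why the 'AAAA' slot has to be
    checked whenever the 'A' slot holds the marker string 'cname'.
    """
    entry = db.get(qname.rstrip('.').lower())
    if entry is None:
        return None
    if entry['A'] == 'cname':
        # The CNAME target lives in the 'AAAA' slot. If it is empty there is
        # nothing to redirect to, so no answer is synthesized.
        target = entry['AAAA']
        return ('CNAME', target) if target else None
    if qtype == 'A' and entry['A']:
        return ('A', entry['A'])
    if qtype == 'AAAA' and entry['AAAA']:
        return ('AAAA', entry['AAAA'])
    return None

def audit(db):
    """List 'cname' entries with no target; these cannot be redirected."""
    return sorted(d for d, e in db.items()
                  if e['A'] == 'cname' and not e['AAAA'])
```

Running `audit()` over a copy of the real file is a quick way to spot rows that would leave a SafeSearch domain without a usable redirect.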
-
@bbcan177 I suppose this change might fix the issue with duckduckgo being blocked entirely? I misunderstood and thought you were addressing the CNAME resolution issue, but that is an issue with Unbound itself (I think).
I can confirm that duckduckgo does load properly now.
-
Same problem here... is it already fixed or not?
-
If you're still using a very old version of pfBlocker from before October 2022, then no.
Because you didn't update/upgrade.
If you did upgrade: then yes, fixed:
@mrtumnus said in How to unblock duckduckgo and find why it's being blocked.:
I can confirm that duckduckgo does load properly now.