Disable IDN Blocking

dmds

can't turn off IDN blocking.
option is unchecked.

Spoiler

BBcan177

@dmds
Which version are you using? That is an old block page?
Update to the latest v3.0.0_7 and see how that goes.

dmds

@bbcan177
I tried 3.0.0_3 - 3.0.0_7

dmds

if i disable all DNSBL groups in the settings, then IDNs are not blocked.
if i enable at least one group even with one address (not IDN), then all IDNs are blocked

and the problem is with python mode only

RonpfS

@dmds
Try F5, or CTRL-F5 to refresh the tab.

Try with another browser.

Save DNSBL Settings, then change another setting like HSTS mode, Save DNSBL Settings, put back HSTS, Save DNSBL Settings, Force Update, Force Reload All.

Do you see any changes in the IDN Blocking setting during those manipulations ?

dmds

@ronpfs
i tried many browsers and workstaions.
"ipconfig /flushdns" doesn't help
other pfsense instance have the same problem

for example IDN - xn--80adxhks.xn--p1ai
it resolves to the address 172.16.172.15

linux

pfsense

RonpfS

@dmds F5, or CTRL-F5 to refresh the pfBlockerNG / DNSBL tab.

Once you tested changing HSTS settings, can you change IDN Blocking, Save DNSBL setting, Force Update, Force Reload All, invert IDN Blocking , Save, Force Update , Force Reload All.

The problem is in pfblockerNG, so work on pfBlockerNG DNSBL config , inspect the log, etc.

dmds

@ronpfs

HSTS disabled, IDN Blocking disabled
HSTS disabled, IDN Blocking enabled
HSTS enabled, IDN Blocking disabled
HSTS enabled, IDN Blocking enabled

Force Update, Force Reload All, Force Cron...

and also clean pfblockerng install with default settings and Python mode enabled

all the same thing...

RonpfS

@dmds HSTS is just to see if changes are saved and processed by an Update.

Maybe it's time to post pfblockerng.log. It's in the log that you see if you settings are used to build the db.

dmds

@ronpfs
ok
clean install with enabled Python mode
I made several requests to xn--80adxhks.xn--p1ai

pfblockerng.zip
dnsbl.zip

RonpfS

This post is deleted!

RonpfS

@dmds
So after taking my time, I can confirm that Block IDN settings are saved and applied after a Force Update. However the IP is blocked by a Firewall Rules Top Spammer.

212.11.152.122: RU AS8901 pfB_Top_v4 RU_v4

You can track the change in the files after a Force Update :
/cf/conf/config.xml : <pfb_idn></pfb_idn>
/var/unbound/pfb_unbound.ini : python_idn = off

Also don't rely on Chrome to see if the domain is redirected to the VIP, Chrome acts funny and brings back the pfBlockerNG DNSBL block page. Use the DNS Resolver tab.

Well it's really weird. Now it's blocked again.
In DNS Lookup tab beware that DNS Resolver tab returns 212.11.152.122 XN--80ADXHKS.XN--P1AI but return VIP with xn--80adxhks.xn--p1ai. FireFox convert both to non caps.

RonpfS

@dmds

[2.4.5-RELEASE][2020-12-23 3:01:52][admin@]/root: nslookup xn--80adxhks.xn--p1ai
;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current localeServer:               127.0.0.1
Address:        127.0.0.1#53

Name:   xn--80adxhks.xn--p1ai
Address: 10.10.10.1
** server can't find xn--80adxhks.xn--p1ai: SERVFAIL

[2.4.5-RELEASE][2020-12-23 3:02:56][admin@]/root: nslookup XN--80ADXHKS.XN--P1AI
;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current localeServer:               127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   xn--80adxhks.xn--p1ai
Address: 212.11.152.117
Name:   xn--80adxhks.xn--p1ai
Address: 212.11.152.122
** server can't find xn--80adxhks.xn--p1ai: SERVFAIL

dmds

@ronpfs said in Disable IDN Blocking:

...However the IP is blocked by a Firewall Rules Top Spammer.

212.11.152.122: RU AS8901 pfB_Top_v4 RU_v4

I don't have this rule enabled

I disabled all groups and left only one with a single address google.com

any IDN is blocked...

dmds

and blocked google.com gives another output

BBcan177

@dmds
Thanks for reporting, will get this fixed in the next version.

For now, you can edit this file:
/var/unbound/pfb_unbound.py

And change Line #1007

Ref:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG-devel/files/var/unbound/pfb_unbound.py#L1007

From:

if not isFound and pfb['python_idn'] and q_name.startswith('xn--') or '.xn--' in q_name:

To:

if not isFound and pfb['python_idn'] and (q_name.startswith('xn--') or '.xn--' in q_name):

It was missing brackets "( .. )" around the last condition

Follow that with a restart of Unbound.

dmds

@bbcan177
Thanks! Everything is working.