Disable IDN Blocking
Can't turn off IDN blocking.
The option is unchecked.
Which version are you using? That is an old block page?
Update to the latest v3.0.0_7 and see how that goes.
I tried 3.0.0_3 - 3.0.0_7
If I disable all DNSBL groups in the settings, then IDNs are not blocked.
If I enable at least one group, even with one address (not IDN), then all IDNs are blocked,
and the problem is with Python mode only.
Try F5, or CTRL-F5 to refresh the tab.
Try with another browser.
Save DNSBL Settings, then change another setting like HSTS mode, Save DNSBL Settings, put back HSTS, Save DNSBL Settings, Force Update, Force Reload All.
Do you see any changes in the IDN Blocking setting during those manipulations?
I tried many browsers and workstations.
"ipconfig /flushdns" doesn't help.
Other pfSense instances have the same problem.
For example, IDN - xn--80adxhks.xn--p1ai
it resolves to the address 172.16.172.15
@dmds F5, or CTRL-F5 to refresh the pfBlockerNG / DNSBL tab.
Once you have tested changing HSTS settings, can you change IDN Blocking, Save DNSBL Settings, Force Update, Force Reload All, invert IDN Blocking, Save, Force Update, Force Reload All.
The problem is in pfBlockerNG, so work on the pfBlockerNG DNSBL config, inspect the log, etc.
HSTS disabled, IDN Blocking disabled
HSTS disabled, IDN Blocking enabled
HSTS enabled, IDN Blocking disabled
HSTS enabled, IDN Blocking enabled
Force Update, Force Reload All, Force Cron...
and also a clean pfBlockerNG install with default settings and Python mode enabled.
All the same thing...
@dmds HSTS is just to see if changes are saved and processed by an Update.
Maybe it's time to post pfblockerng.log. It's in the log that you see if your settings are used to build the db.
So after taking my time, I can confirm that Block IDN settings are saved and applied after a Force Update. However the IP is blocked by a Firewall Rules Top Spammer.
126.96.36.199: RU AS8901 pfB_Top_v4 RU_v4
You can track the change in the files after a Force Update:
/cf/conf/config.xml : <pfb_idn></pfb_idn>
/var/unbound/pfb_unbound.ini : python_idn = off
Also don't rely on Chrome to see if the domain is redirected to the VIP, Chrome acts funny and brings back the pfBlockerNG DNSBL block page. Use the DNS Resolver tab.
Well it's really weird. Now it's blocked again.
In the DNS Lookup tab, beware that the DNS Resolver tab returns 188.8.131.52 with XN--80ADXHKS.XN--P1AI but returns the VIP with xn--80adxhks.xn--p1ai. Firefox converts both to non-caps.
[2.4.5-RELEASE][2020-12-23 3:01:52][admin@]/root: nslookup xn--80adxhks.xn--p1ai
;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current locale
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: xn--80adxhks.xn--p1ai
Address: 10.10.10.1
** server can't find xn--80adxhks.xn--p1ai: SERVFAIL
[2.4.5-RELEASE][2020-12-23 3:02:56][admin@]/root: nslookup XN--80ADXHKS.XN--P1AI
;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current locale
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: xn--80adxhks.xn--p1ai
Address: 184.108.40.206
Name: xn--80adxhks.xn--p1ai
Address: 220.127.116.11
** server can't find xn--80adxhks.xn--p1ai: SERVFAIL
And blocked google.com gives another output.
Thanks for reporting, will get this fixed in the next version.
For now, you can edit this file:
And change Line #1007
if not isFound and pfb['python_idn'] and q_name.startswith('xn--') or '.xn--' in q_name:
if not isFound and pfb['python_idn'] and (q_name.startswith('xn--') or '.xn--' in q_name):
It was missing brackets "( .. )" around the last condition.
Follow that with a restart of Unbound.
Thanks! Everything is working.
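Added example (not pfBlockerNG code and not part of the original thread): the two forms of the line #1007 condition wrapped in hypothetical functions, to show how Python's operator precedence makes the '.xn--' test apply even when IDN blocking is off. The function names and the sample inputs other than the thread's domain are constructed; names are passed exactly as typed, since the page does not show whether the plugin normalises case.

```python
# Illustration only: the condition from the thread, before and after the fix.
# Function names and sample inputs are constructed for this example.

def idn_match_original(is_found, python_idn, q_name):
    # "and" binds tighter than "or", so Python reads this as
    # (A and B and C) or D: the '.xn--' test alone is enough to match.
    return bool(not is_found and python_idn and q_name.startswith('xn--')
                or '.xn--' in q_name)

def idn_match_fixed(is_found, python_idn, q_name):
    # With the brackets, the name tests only count when the name has not
    # already been matched and IDN blocking is switched on.
    return bool(not is_found and python_idn
                and (q_name.startswith('xn--') or '.xn--' in q_name))

def divergences(names):
    """Return (is_found, python_idn, name) tuples where the two forms disagree."""
    out = []
    for name in names:
        for is_found in (False, True):
            for python_idn in (False, True):
                if (idn_match_original(is_found, python_idn, name)
                        != idn_match_fixed(is_found, python_idn, name)):
                    out.append((is_found, python_idn, name))
    return out

SAMPLE_NAMES = [
    'xn--80adxhks.xn--p1ai',     # domain from the thread
    'XN--80ADXHKS.XN--P1AI',     # same name in upper case; str tests are case-sensitive
    'xn--80adxhks.example',      # constructed: punycode in the first label only
    'www.xn--80adxhks.example',  # constructed: punycode label after a dot
    'google.com',                # no punycode label
]

if __name__ == '__main__':
    # Every disagreement is a case the original form matches and the fixed
    # form does not, because the fixed condition implies the original one.
    for is_found, python_idn, name in divergences(SAMPLE_NAMES):
        print(f'isFound={is_found!s:5} python_idn={python_idn!s:5} {name}: '
              f'original matches, fixed does not')
```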