Netgate Discussion Forum

    Disable IDN Blocking

    pfBlockerNG
    17 Posts 3 Posters 2.1k Views
    • D
      dmds
      last edited by

      can't turn off IDN blocking.
      option is unchecked.


      [image]
      [image]

      • BBcan177B
        BBcan177 Moderator @dmds
        last edited by

        @dmds
        Which version are you using? That is an old block page?
        Update to the latest v3.0.0_7 and see how that goes.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • D
          dmds @BBcan177
          last edited by

          @bbcan177
          I tried 3.0.0_3 - 3.0.0_7

          • D
            dmds
            last edited by dmds

            If I disable all DNSBL groups in the settings, then IDNs are not blocked.
            If I enable at least one group even with one address (not IDN), then all IDNs are blocked.

            and the problem is with python mode only

            • RonpfSR
              RonpfS @dmds
              last edited by RonpfS

              @dmds
              Try F5, or CTRL-F5 to refresh the tab.

              Try with another browser.

              Save DNSBL Settings, then change another setting like HSTS mode, Save DNSBL Settings, put back HSTS, Save DNSBL Settings, Force Update, Force Reload All.

              Do you see any changes in the IDN Blocking setting during those manipulations ?

              • D
                dmds @RonpfS
                last edited by

                @ronpfs
                I tried many browsers and workstations.
                "ipconfig /flushdns" doesn't help
                other pfsense instances have the same problem

                for example IDN - xn--80adxhks.xn--p1ai
                it resolves to the address 172.16.172.15

                [image]

                linux
                [image]

                pfsense
                [image]

                • RonpfSR
                  RonpfS @dmds
                  last edited by RonpfS

                  @dmds F5, or CTRL-F5 to refresh the pfBlockerNG / DNSBL tab.

                  Once you tested changing HSTS settings, can you change IDN Blocking, Save DNSBL setting, Force Update, Force Reload All, invert IDN Blocking, Save, Force Update, Force Reload All.

                  The problem is in pfblockerNG, so work on pfBlockerNG DNSBL config , inspect the log, etc.

                  • D
                    dmds @RonpfS
                    last edited by

                    @ronpfs

                    HSTS disabled, IDN Blocking disabled
                    HSTS disabled, IDN Blocking enabled
                    HSTS enabled, IDN Blocking disabled
                    HSTS enabled, IDN Blocking enabled

                    Force Update, Force Reload All, Force Cron...

                    and also clean pfblockerng install with default settings and Python mode enabled

                    all the same thing...

                    • RonpfSR
                      RonpfS @dmds
                      last edited by RonpfS

                      @dmds HSTS is just to see if changes are saved and processed by an Update.

                      Maybe it's time to post pfblockerng.log. It's in the log that you see if your settings are used to build the db.

                      • D
                        dmds @RonpfS
                        last edited by

                        @ronpfs
                        ok
                        clean install with enabled Python mode
                        I made several requests to xn--80adxhks.xn--p1ai

                        pfblockerng.zip
                        dnsbl.zip

                          • RonpfSR
                            RonpfS @dmds
                            last edited by RonpfS

                            @dmds
                            So after taking my time, I can confirm that Block IDN settings are saved and applied after a Force Update. However the IP is blocked by a Firewall Rules Top Spammer.

                            212.11.152.122: RU AS8901 pfB_Top_v4 RU_v4

                            You can track the change in the files after a Force Update :
                            /cf/conf/config.xml : <pfb_idn></pfb_idn>
                            /var/unbound/pfb_unbound.ini : python_idn = off

                            Also don't rely on Chrome to see if the domain is redirected to the VIP, Chrome acts funny and brings back the pfBlockerNG DNSBL block page. Use the DNS Resolver tab.

                            Well it's really weird. Now it's blocked again.
                            In the DNS Lookup tab, beware that the DNS Resolver tab returns 212.11.152.122 for XN--80ADXHKS.XN--P1AI but returns the VIP for xn--80adxhks.xn--p1ai. Firefox converts both to lowercase.

                            • RonpfSR
                              RonpfS @dmds
                              last edited by RonpfS

                              @dmds

                              [2.4.5-RELEASE][2020-12-23 3:01:52][admin@]/root: nslookup xn--80adxhks.xn--p1ai
                              ;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current localeServer:               127.0.0.1
                              Address:        127.0.0.1#53
                              
                              Name:   xn--80adxhks.xn--p1ai
                              Address: 10.10.10.1
                              ** server can't find xn--80adxhks.xn--p1ai: SERVFAIL
                              
                              [2.4.5-RELEASE][2020-12-23 3:02:56][admin@]/root: nslookup XN--80ADXHKS.XN--P1AI
                              ;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current localeServer:               127.0.0.1
                              Address:        127.0.0.1#53
                              
                              Non-authoritative answer:
                              Name:   xn--80adxhks.xn--p1ai
                              Address: 212.11.152.117
                              Name:   xn--80adxhks.xn--p1ai
                              Address: 212.11.152.122
                              ** server can't find xn--80adxhks.xn--p1ai: SERVFAIL
                              
                              
                              • D
                                dmds @RonpfS
                                last edited by dmds

                                @ronpfs said in Disable IDN Blocking:

                                ...However the IP is blocked by a Firewall Rules Top Spammer.

                                212.11.152.122: RU AS8901 pfB_Top_v4 RU_v4

                                I don't have this rule enabled

                                I disabled all groups and left only one with a single address google.com

                                [image]

                                any IDN is blocked...

                                [image]

                                • D
                                  dmds
                                  last edited by

                                  and blocked google.com gives another output
                                  [image]

                                  • BBcan177B
                                    BBcan177 Moderator @dmds
                                    last edited by BBcan177

                                    @dmds
                                    Thanks for reporting, will get this fixed in the next version.

                                    For now, you can edit this file:
                                    /var/unbound/pfb_unbound.py

                                    And change Line #1007

                                    Ref:
                                    https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG-devel/files/var/unbound/pfb_unbound.py#L1007

                                    From:

                                    if not isFound and pfb['python_idn'] and q_name.startswith('xn--') or '.xn--' in q_name:
                                    

                                    To:

                                    if not isFound and pfb['python_idn'] and (q_name.startswith('xn--') or '.xn--' in q_name):
                                    

                                    It was missing brackets "( .. )" around the last condition

                                    Follow that with a restart of Unbound.

                                    D 1 Reply Last reply Reply Quote 3
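
The precedence problem fixed in the post above, worked through as an added example (only the two condition strings come from the post; this is not pfBlockerNG's code). In Python `and` binds tighter than `or`, so the unpatched line groups as `(not isFound and pfb['python_idn'] and q_name.startswith('xn--')) or ('.xn--' in q_name)`. The helper names and the sample names other than the thread's domain are constructed for illustration.

```python
import ast

# The two conditions exactly as quoted in the post ("From:" and "To:").
BUGGY = "not isFound and pfb['python_idn'] and q_name.startswith('xn--') or '.xn--' in q_name"
FIXED = "not isFound and pfb['python_idn'] and (q_name.startswith('xn--') or '.xn--' in q_name)"

# Constructed sample names; the first is the domain tested in the thread.
SAMPLES = ['xn--80adxhks.xn--p1ai', 'xn--80adxhks.example', 'google.com']

def root_operator(expr):
    """Name of the boolean operator at the root of the parse tree ('And' or 'Or')."""
    return type(ast.parse(expr, mode='eval').body.op).__name__

def idn_blocked(expr, q_name, is_found, python_idn):
    """Evaluate one of the quoted conditions with hypothetical stand-in values."""
    env = {'isFound': is_found, 'pfb': {'python_idn': python_idn}, 'q_name': q_name}
    return bool(eval(expr, {'__builtins__': {}}, env))

def divergent_cases(names):
    """Inputs (q_name, isFound, python_idn) on which the two conditions disagree."""
    cases = []
    for name in names:
        for is_found in (False, True):
            for python_idn in (False, True):
                args = (name, is_found, python_idn)
                if idn_blocked(BUGGY, *args) != idn_blocked(FIXED, *args):
                    cases.append(args)
    return cases

if __name__ == '__main__':
    print('root operator, From:', root_operator(BUGGY))
    print('root operator, To:  ', root_operator(FIXED))
    for name, is_found, python_idn in divergent_cases(SAMPLES):
        print(f'{name}: isFound={is_found} python_idn={python_idn} '
              f'-> From: blocked, To: not blocked')
```

Only names with an `xn--` label after the first dot bypass the setting under the unpatched line; a name whose sole punycode label is the leftmost one is handled identically by both versions.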
                                    • D
                                      dmds @BBcan177
                                      last edited by

                                      @bbcan177
                                      Thanks! Everything is working.
