Disable IDN Blocking
-
HSTS disabled, IDN Blocking disabled
HSTS disabled, IDN Blocking enabled
HSTS enabled, IDN Blocking disabled
HSTS enabled, IDN Blocking enabled
Force Update, Force Reload All, Force Cron...
and also clean pfblockerng install with default settings and Python mode enabled
all the same thing...
-
@dmds HSTS is just to see if changes are saved and processed by an Update.
Maybe it's time to post pfblockerng.log. It's in the log that you see if your settings are used to build the db.
-
@ronpfs
ok
clean install with enabled Python mode
I made several requests to xn--80adxhks.xn--p1ai
-
@dmds
So after taking my time, I can confirm that Block IDN settings are saved and applied after a Force Update. However the IP is blocked by a Firewall Rules Top Spammer.
212.11.152.122: RU AS8901 pfB_Top_v4 RU_v4
You can track the change in the files after a Force Update:
/cf/conf/config.xml : <pfb_idn></pfb_idn>
/var/unbound/pfb_unbound.ini : python_idn = off
Also don't rely on Chrome to see if the domain is redirected to the VIP, Chrome acts funny and brings back the pfBlockerNG DNSBL block page. Use the DNS Resolver tab.
Well it's really weird. Now it's blocked again.
In the DNS Lookup tab, beware that the DNS Resolver tab returns 212.11.152.122 with XN--80ADXHKS.XN--P1AI but returns the VIP with xn--80adxhks.xn--p1ai. Firefox converts both to non-caps.
-
[2.4.5-RELEASE][2020-12-23 3:01:52][admin@]/root: nslookup xn--80adxhks.xn--p1ai
;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current locale
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: xn--80adxhks.xn--p1ai
Address: 10.10.10.1
** server can't find xn--80adxhks.xn--p1ai: SERVFAIL
[2.4.5-RELEASE][2020-12-23 3:02:56][admin@]/root: nslookup XN--80ADXHKS.XN--P1AI
;; Warning: cannot represent 'xn--80adxhks.xn--p1ai' in the current locale
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: xn--80adxhks.xn--p1ai
Address: 212.11.152.117
Name: xn--80adxhks.xn--p1ai
Address: 212.11.152.122
** server can't find xn--80adxhks.xn--p1ai: SERVFAIL
-
@ronpfs said in Disable IDN Blocking:
...However the IP is blocked by a Firewall Rules Top Spammer.
212.11.152.122: RU AS8901 pfB_Top_v4 RU_v4
I don't have this rule enabled
I disabled all groups and left only one with a single address google.com
any IDN is blocked...
-
and blocked google.com gives another output
-
@dmds
Thanks for reporting, will get this fixed in the next version.
For now, you can edit this file:
/var/unbound/pfb_unbound.py
And change Line #1007
Ref:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG-devel/files/var/unbound/pfb_unbound.py#L1007
From:
if not isFound and pfb['python_idn'] and q_name.startswith('xn--') or '.xn--' in q_name:
To:
if not isFound and pfb['python_idn'] and (q_name.startswith('xn--') or '.xn--' in q_name):
It was missing brackets "( .. )" around the last condition
Follow that with a restart of Unbound.
-
@bbcan177
Thanks! Everything is working.
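-
Added example, not part of the thread and not pfBlockerNG code: the two conditions quoted in the fix above, parsed and evaluated side by side to show why the unbracketed form ignores `python_idn` for any name containing `.xn--`. The harness, the sample name `xn--80adxhks.example` and the reading of a true condition as "IDN branch taken" are assumptions.

```python
import ast
from itertools import product

# The two conditions as quoted in the post (line #1007 of pfb_unbound.py).
ORIGINAL = "not isFound and pfb['python_idn'] and q_name.startswith('xn--') or '.xn--' in q_name"
FIXED = "not isFound and pfb['python_idn'] and (q_name.startswith('xn--') or '.xn--' in q_name)"

# Query names: the first and last appear in the thread, the middle one is constructed.
SAMPLE_NAMES = ["xn--80adxhks.xn--p1ai", "xn--80adxhks.example", "google.com"]


def top_level_operator(expr):
    """Return the outermost boolean operator Python's parser assigns to expr."""
    node = ast.parse(expr, mode="eval").body
    return type(node.op).__name__ if isinstance(node, ast.BoolOp) else type(node).__name__


def evaluate(expr, is_found, python_idn, q_name):
    """Evaluate one of the two constant conditions above with constructed inputs."""
    env = {"isFound": is_found, "pfb": {"python_idn": python_idn}, "q_name": q_name}
    return bool(eval(expr, {"__builtins__": {}}, env))


def disagreements(names):
    """List every (isFound, python_idn, q_name) where the two conditions differ."""
    out = []
    for is_found, python_idn, q_name in product((False, True), (False, True), names):
        before = evaluate(ORIGINAL, is_found, python_idn, q_name)
        after = evaluate(FIXED, is_found, python_idn, q_name)
        if before != after:
            out.append((is_found, python_idn, q_name))
    return out


if __name__ == "__main__":
    # 'and' binds tighter than 'or', so the unbracketed form is (A and B and C) or D.
    print("original top-level operator:", top_level_operator(ORIGINAL))
    print("fixed top-level operator:   ", top_level_operator(FIXED))
    for is_found, python_idn, q_name in disagreements(SAMPLE_NAMES):
        print(f"isFound={is_found} python_idn={python_idn} q_name={q_name}: "
              f"original=True fixed=False")
```

Only names with an `xn--` label after the first dot disagree, which matches the thread: a name such as xn--80adxhks.xn--p1ai satisfied the original condition even with IDN blocking switched off.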