Rejected DNS requests not forwarded to default "blocked" page
-
pfBlockerNG is installed and is successfully blocking blacklisted targets. The problem is that the redirect to the blocked webpage doesn't happen.
Factors confirmed:
- DNS Resolver enabled and working
- DHCP configuration configures firewall gateway as DNS server (DNS resolution at client otherwise works fine)
- DNSBL configured as recommended
- PFblockerNG successfully blocking blacklisted sites (confirmed by firewall logs)
- Virtual IP and DNSBL web server confirmed working (Submission of request from client browser to 10.10.10.1 returns default blocked webpage)
Upon issuing a request for a blacklisted site, the browser just displays the default "This site can't be reached" with no redirect to the DNSBL block page. What have I missed?
-
Problem solved - evidently DNSBL creates a DNS mapping that overrides the domain name resolution of some of the blacklisted domains. Found under Firewall -> pfBlockerNG -> Log Browser -> DNSBL -> Log/File Selection. Attempting to resolve any of the blacklisted domains redirects to DNSBL's virtual IP and displays the "This website has been blocked" page.
local-data: "cartstick.com 60 IN A 10.10.10.1"
However, there are LOTS of IP addresses and corresponding domain names that aren't mapped to the DNSBL virtual IP so although they still get blocked, there is no redirection to the block page.
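To tell apart "blocked, and redirected to the block page" from "blocked, but no redirect", one can read the DNSBL unbound lines quoted above and check which blocked domains actually resolve to the virtual IP. The following is an added example, not code from pfBlockerNG or from this thread; the sample configuration is constructed here (only the cartstick.com line comes from the post), and it assumes plain unbound `local-data`/`local-zone redirect` syntax.

```python
import re
from typing import Dict, List, Optional, Set

DNSBL_VIP = "10.10.10.1"  # DNSBL virtual IP used in the thread

# Constructed sample of unbound override lines (first line quoted from the post,
# the others made up here to show a redirect zone and a plain A record).
SAMPLE_CONF = """
local-data: "cartstick.com 60 IN A 10.10.10.1"
local-data: "ads.example.net 60 IN A 10.10.10.1"
local-zone: "tracker.example.org" redirect
local-data: "tracker.example.org A 10.10.10.1"
"""

LOCAL_DATA = re.compile(r'^local-data:\s*"(.+)"\s*$')
LOCAL_ZONE = re.compile(r'^local-zone:\s*"([^"]+)"\s+(\S+)\s*$')

def parse_unbound(conf: str):
    """Return (a_records, redirect_zones): FQDN -> IPv4 for each local A record, and
    the zones whose whole subtree unbound answers with the zone apex record."""
    a_records: Dict[str, str] = {}
    redirect_zones: Set[str] = set()
    for raw in conf.splitlines():
        line = raw.strip()
        m = LOCAL_DATA.match(line)
        if m:
            fields = m.group(1).split()  # name [ttl] [class] type rdata
            name = fields[0].rstrip(".").lower()
            if len(fields) >= 3 and fields[-2].upper() == "A":
                a_records[name] = fields[-1]
            continue
        m = LOCAL_ZONE.match(line)
        if m and m.group(2).lower() == "redirect":
            redirect_zones.add(m.group(1).rstrip(".").lower())
    return a_records, redirect_zones

def dnsbl_answer(domain: str, a_records, redirect_zones) -> Optional[str]:
    """IP the resolver would hand out for domain, or None if no override applies."""
    name = domain.rstrip(".").lower()
    if name in a_records:
        return a_records[name]
    labels = name.split(".")
    for i in range(1, len(labels)):  # walk up to each parent zone
        zone = ".".join(labels[i:])
        if zone in redirect_zones and zone in a_records:
            return a_records[zone]
    return None

def not_redirected(blocked: List[str], conf: str, vip: str = DNSBL_VIP) -> List[str]:
    """Blocked domains (e.g. taken from the firewall log) that do NOT resolve to the
    DNSBL VIP: clients get a generic browser error for these, not the block page."""
    a_records, zones = parse_unbound(conf)
    return [d for d in blocked if dnsbl_answer(d, a_records, zones) != vip]
```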
-
for the details listed.
There is just one thing that's missing: this page won't show because your browser won't let you see it - if it was asking for a https:// site (or forced to go to https after a http hit first). If the site is listed as https only - or known to be HSTS, your browser won't even try the http version.
And you actually don't want to see that "block page" in that case, because if you saw it, it would tell you also that https is broken, which means that any https couldn't be trusted anymore.
And that's not what you - me - everybody wants. If you want to visit a https site, let's take one: microsoft.com, but you have blacklisted microsoft.com, the browser will receive a certificate and it will inspect it.
It will find the self signed (= bad) one from the pfBlockerNG block page that does not (can not) give the details that state it's from .microsoft.com. Because neither pfBlockerNG nor you can have a cert that says that it is ".microsoft.com".
Don't believe me? Try to get one ^^ You could even try to "cripple" your browser, but I guess those days are over. It's a no go now.
For short: you have to be the owner of the domain name first. Be the owner of every domain name you block. So, your pfBlockerNG 10.10.10.1 web server has no cert in store that says: "hey, I'm microsoft.com", because that's impossible. All the "https" security is based on this detail.
So, yes, you get it: that black pfBlockerNG page that states "the domain (hostname) you wanted to visit is blocked" isn't shown very often. It could/should still work for sites that are http AND https capable. But the automatic redirection from http to https is very widespread now. http (port 80) will die very soon now. The Google bots won't even use them anymore, and that for the last two (more?) years.
-
Thanks for the detailed explanation on this. It's a shame (from a purely user perspective) as some kind of error page with details would help you easily narrow down errors by providing information as to....
Is it actually PFB that is blocking this or something else?
If it is PFB, then which exact list is blocking it?
-
@occamsrazor said in Rejected DNS requests not forwarded to default "blocked" page:
Is it actually PFB that is blocking this or something else?
If it is PFB, then which exact list is blocking it?
PFB has very detailed "Report" pages.
They are meant to show you info like this. These pages should be the ones you're looking at - all the time.
-
@gertjan said in [Rejected DNS requests not forwarded to default
PFB has very detailed "Report" pages.
They are meant to show you info like this. These pages should be the ones you're looking at - all the time.
Yes that's true and I know the info should be there, but sometimes it takes some digging. Sometimes on my client machine I get a website that doesn't work and I'm always wondering if it's PFB that has blocked it, Suricata, or some other problem (site down, DNS problem, etc). Having a redirect/error page in the browser with the PFB blocking info would let me know this immediately, rather than having to log on to pfSense, look at the PFB reports, etc.
I should add this is in a home setting....
-
That's something that never happened to me: visiting a site that made it to some DNSBL list.
What happens all the time: rather known regular sites that include links to spam suppliers == ads. The ads are stripped ....
You are probably aware that you do not visit plain http sites anymore. Bing, Google etc won't index them anymore. It's pretty game over for non https sites.
And https (TLS) can't be redirected. That's what protects you also: you see the domain of your bank, you know it's your bank. So, MITM was something of the past.
Suricata can inspect data that it sees. TLS traffic, which should be all your traffic, can't be seen by Suricata. What is your Suricata inspecting?
website that doesn't work ....
Dump the domain name in https://zonemaster.net/domain_check if you have doubts.
Web masters who don't have their DNS set up correctly won't be there for a long time anyway.
I'm using a rather small number of feeds for DNSBL and IP. PFB is a nice tool, I don't want it to bother me.
-
@gertjan
Is it possible to redirect blacklisted domains to a chosen website? (So, other than the internal 10.10.10.1 from the pfBlockerNG/pfSense appliance)
Before, I used adguardHome which redirected every BL to a pixelserv-tls website. And it worked well, I'd like to reproduce this setup.