
    New SafeSearch feature borked

    • W
      wolfsden3 last edited by

      Re: New pfBlockerNG feature - SafeSearch

      This feature is causing problems only recently and I'm not sure how to fix it. The errors make no sense. If you want to "enable" this feature why would "disable" actually enable the feature...? Is that correct? That makes no sense at all if that is how you're reading it.

      I'm getting these errors, it won't look up the IP address of white listed hosts.

      TLD Whitelist - Missing data | cottonsacehardware.com | No IP found! |

      TLD Whitelist - Missing data | forms.gle | No IP found! |
      Blocking full TLD/Sub-Domain(s)... |aaa|aarp|abarth|abb|abbott|abbvie|abc|able|abogado|abudhabi|ac|academy|accenture|accountant|accountants|aco|active|actor|ad|adac|ads|adult|ae|aeg|aero|aetna|af|afamilycompany|afl|africa|ag|agakhan|agency|ai|aig|aigo|airbus|airforce|airtel|akdn|al|alfaromeo|alibaba|alipay|allfinanz|allstate|ally|alsace|alstom|am|americanexpress|americanfamily|amex|amfam|amica|amsterdam|analytics|android|anquan|anz|ao|aol|apartments|
      app(Removed due to SafeSearch conflict)apple|aq|aquarelle|ar|arab|aramco|archi|army|art|arte|as|asda|asia|associates|

      ...what? Removed due to safesearch?

      It should be blocked regardless and never make it to safesearch! Like...if it's legit > then safe search. Otherwise, it should return nxdomain or the 10.10.10.1 block interface.

      Right?

      How can I fix this? This has borked the white listing process and now I have a ton of domains that are white listed but since the system can't find an IP it won't white list them. So, the domains simply don't work AND they don't show up in the reports tab either AND even if I look for them based on domain or IP they don't show up either.

      Is this a bug? It's certainly not a feature and I can't seem to fix it. I have to believe others are having this problem but haven't reported it. The only reason I knew was because email stopped working to a .cloud domain.

      HELP!

      RonpfS 2 Replies Last reply Reply Quote 0
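      Added example, not part of any post in this thread and not pfBlockerNG code: a small Python audit of the reload output quoted above that lists whitelist entries reported as "No IP found!" and TLDs carrying the "(Removed due to SafeSearch conflict)" annotation, then compares those against the TLDs an admin intends to block. The sample log is constructed from the lines in the post (TLD list shortened), the function names are hypothetical, and it assumes the annotation refers to the TLD printed immediately before it.

```python
import re

# Line formats are taken from the output quoted in the post above.
MISSING_RE = re.compile(
    r"TLD Whitelist - Missing data \|\s*([^|\s]+)\s*\|\s*No IP found!")
CONFLICT = "(Removed due to SafeSearch conflict)"
BLOCK_PREFIX = "Blocking full TLD/Sub-Domain(s)..."

# Constructed sample: the post's lines with the TLD list shortened.
SAMPLE_LOG = """\
TLD Whitelist - Missing data | cottonsacehardware.com | No IP found! |
TLD Whitelist - Missing data | forms.gle | No IP found! |
Blocking full TLD/Sub-Domain(s)... |aaa|aarp|apartments|
app(Removed due to SafeSearch conflict)apple|aq|
"""

def audit_reload_log(text):
    """Return (unresolved_whitelist, blocked_tlds, dropped_tlds)."""
    unresolved, blocked, dropped = [], [], []
    in_tld_list = False
    for line in text.splitlines():
        line = line.strip()
        m = MISSING_RE.search(line)
        if m:
            unresolved.append(m.group(1))
            in_tld_list = False
            continue
        if line.startswith(BLOCK_PREFIX):
            line = line[len(BLOCK_PREFIX):]
            in_tld_list = True
        elif not (in_tld_list and "|" in line):
            in_tld_list = False      # list ended; ignore unrelated lines
            continue
        for token in (t.strip() for t in line.split("|")):
            if CONFLICT in token:
                # Annotation is glued to the TLD before it; the next TLD
                # may follow it directly without a "|" separator.
                before, after = token.split(CONFLICT, 1)
                if before:
                    dropped.append(before)
                if after:
                    blocked.append(after)
            elif token:
                blocked.append(token)
    return unresolved, blocked, dropped

def unenforced(intended, dropped):
    """TLDs the admin wants blocked that the log reports as removed."""
    want = {t.lstrip(".").lower() for t in intended}
    return sorted(want & {d.lower() for d in dropped})

if __name__ == "__main__":
    unresolved, blocked, dropped = audit_reload_log(SAMPLE_LOG)
    print(unresolved, dropped, unenforced([".app", ".cn"], dropped))
```
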
      • RonpfS
        RonpfS @wolfsden3 last edited by

        @wolfsden3 I can not understand what you are describing.

        Click on the infoblocks in the DNSBL tab to get the proper syntax, restrictions, etc.

        1 Reply Last reply Reply Quote 0
        • W
          wolfsden3 last edited by wolfsden3

          Weird, why can't you understand what I'm saying? Also...there's no "syntax" to be input here. These are the settings:

          e6b00eed-c9e1-4b53-a220-49a7396764f4-image.png

          There are no info blocks LOL.

          So...after you set things up for SafeSearch in that manner to block it in Firefox > you force reload under the "Update" tab > you get the errors I posted. It can't find white listed TLDs and has "SafeSearch" conflict errors.

          Except that...if you block a TLD it shouldn't ever be searched to give you a safesearch result because it should be BLOCKED. It's a banned / blocked TLD like ".cn", ".ru", etc. This has compromised security if it allows .cn IMHO.

          1 Reply Last reply Reply Quote 0
          • RonpfS
            RonpfS @wolfsden3 last edited by

            @wolfsden3 said in New SafeSearch feature borked:

            Blocking full TLD/Sub-Domain(s)

            What about the TLD settings, Exclusions, Black Whitelist, etc

            1 Reply Last reply Reply Quote 0
            • W
              wolfsden3 last edited by

              What about it? This has been working perfectly until a recent update I'm sure.

              4542bce1-d086-4e16-b3c5-22c1fd0e35ce-image.png

              Nothing wrong with those entries. SafeSearch is borked and throwing errors. We need the dev guy BBCan to fix.

              RonpfS 1 Reply Last reply Reply Quote 0
              • RonpfS
                RonpfS @wolfsden3 last edited by RonpfS

                @wolfsden3 And do you have TLD Allow Enable ticked? Maybe not, only available with Unbound Python mode.

                1 Reply Last reply Reply Quote 0
                • W
                  wolfsden3 last edited by

                  Ah...yeah, this isn't my first rodeo LOL

                  33843ab3-3127-4e7c-9ab9-1be538aeda13-image.png

                  In fact, if you google for "pfblockerng + TLD Whitelist - Missing data" you'll see others have had this same problem recently. There must have been a February update that borked it.

                  Is it not borked for you?

                  pfBlockerNG-devel net 3.0.0_10

                  RonpfS 1 Reply Last reply Reply Quote 0
                  • RonpfS
                    RonpfS @wolfsden3 last edited by RonpfS

                    @wolfsden3 I'm using Unbound Python mode. But a few days ago I was using Unbound Mode and didn't see any issues.

                    And do you have anything in the TLD Blacklist? TLD Whitelist?

                    ls -al /var/unbound/*.conf

                    W 1 Reply Last reply Reply Quote 0
                    • W
                      wolfsden3 @RonpfS last edited by

                      @ronpfs

                      I'm not using python mode. I don't know why I'd care to...why have different modes? That seems to only confuse things. 1 mode = the one that works LOL.

                      -rw-r--r-- 1 root unbound 362 Feb 8 22:29 /var/unbound/access_lists.conf
                      -rw-r--r-- 1 root unbound 0 Feb 14 17:48 /var/unbound/dhcpleases_entries.conf
                      -rw-r--r-- 1 root unbound 111 Feb 8 22:29 /var/unbound/domainoverrides.conf
                      -rw-r--r-- 1 root admins 473 Feb 14 17:48 /var/unbound/host_entries.conf
                      -rw-r--r-- 1 root wheel 52207941 Feb 14 21:14 /var/unbound/pfb_dnsbl.conf
                      -rw-r--r-- 1 root unbound 2421 Feb 14 20:03 /var/unbound/pfb_dnsbl_lighty.conf
                      -rw-r--r-- 1 root unbound 300 Jul 25 2017 /var/unbound/remotecontrol.conf
                      -rw-r--r-- 1 unbound unbound 2272 Feb 14 21:09 /var/unbound/unbound.conf

                      I have content in the white list and block list. The ones in my block list like ".cn" are the ones that it's complaining about. All my TLDs are being complained about. I block hundreds of TLDs like ".party" and the many many more that are out there...there are several hundred.

                      Thanks.

                      RonpfS Gertjan 3 Replies Last reply Reply Quote 0
                      • RonpfS
                        RonpfS @wolfsden3 last edited by

                        @wolfsden3 said in New SafeSearch feature borked:

                        I'm not using python mode. I don't know why I'd care to...why have different modes?

                        You could give it a try 😸

                        1 Reply Last reply Reply Quote 0
                        • W
                          wolfsden3 last edited by

                          Yes but...if it's optional and not required to run that function why would I...?

                          I have 5 firewalls all sync'd to this one and borking this one could affect the entire network + VPN's, etc.

                          Is python mode required for that safe search feature that I can't seem to work correctly?

                          Again, I think this is a bug and the safe search feature is broken.

                          1 Reply Last reply Reply Quote 0
                          • RonpfS
                            RonpfS @wolfsden3 last edited by RonpfS

                            @wolfsden3 said in New SafeSearch feature borked:

                            -rw-r--r-- 1 root wheel 52207941 Feb 14 21:14 /var/unbound/pfb_dnsbl.conf
                            -rw-r--r-- 1 root unbound 2421 Feb 14 20:03 /var/unbound/pfb_dnsbl_lighty.conf

                            This is what my folder looked like before switching mode :

                            -rw-r--r--   1 root     unbound       2063 Feb  1 17:37 pfb_dnsbl_lighty.conf
                            -rw-r--r--   1 root     unbound      20596 Feb  4 19:56 pfb_dnsbl.safesearch.conf
                            -rw-r--r--   1 root     unbound       4377 Feb  4 19:56 pfb_dnsbl.doh.conf
                            -rw-r--r--   1 root     wheel    154466466 Feb  4 20:04 pfb_dnsbl.conf
                            -rw-r--r--   1 root     unbound       3434 Feb  4 20:18 host_entries.conf
                            -rw-r--r--   1 root     unbound          0 Feb  4 20:18 dhcpleases_entries.conf
                            -rw-r--r--   1 root     unbound          0 Feb  4 20:18 domainoverrides.conf
                            -rw-r--r--   1 root     unbound        176 Feb  4 20:18 access_lists.conf
                            -rw-r--r--   1 unbound  unbound       2124 Feb  4 20:18 unbound.conf
                            

                            So unless things changed, you are missing some pfb_*.conf files.

                            Go over General, DNSBL, IP tabs save settings, Force Update, Force Reload All, this may sanitize your database.

                            1 Reply Last reply Reply Quote 0
                            • W
                              wolfsden3 last edited by

                              For giggles I went to look for that python mode option, I can't find it now.

                              Where is it? I'll try it. Why not.

                              RonpfS 1 Reply Last reply Reply Quote 0
                              • RonpfS
                                RonpfS @wolfsden3 last edited by

                                @wolfsden3 Under DNSBL Tab

                                1 Reply Last reply Reply Quote 0
                                • W
                                  wolfsden3 last edited by

                                  Oh - instead of "Unbound" you do "Unbound Python Mode" - it's a drop down which is why it's not obvious.

                                  RonpfS 1 Reply Last reply Reply Quote 0
                                  • RonpfS
                                    RonpfS @wolfsden3 last edited by RonpfS

                                    @wolfsden3 And from what I understand, you will have to migrate your TLD Whitelist to DNSBL Whitelist.

                                    Be careful, test on a test box 😬

                                    1 Reply Last reply Reply Quote 0
                                    • W
                                      wolfsden3 last edited by

                                      That's irritating. I looked at it but didn't turn it on. Something broke unbound. I might take a look at this python version but it's beta so the unbound one should still work.

                                      I emailed bbcan.

                                      RonpfS 1 Reply Last reply Reply Quote 0
                                      • RonpfS
                                        RonpfS @wolfsden3 last edited by

                                        @wolfsden3 said in New SafeSearch feature borked:

                                        I might take a look at this python version but it's beta

                                        There are some pitfalls, but it has been stable for weeks.

                                        1 Reply Last reply Reply Quote 0
                                        • Gertjan
                                          Gertjan @wolfsden3 last edited by

                                          @wolfsden3 said in New SafeSearch feature borked:

                                          the one that works LOL.

                                          What didn't work (well) using unbound is that it reads all these files (the ones you listed): 362 + 111 + 52.207.941 (!!) + 2421 + 300 + 2272 == thousands of lines to be re-parsed at process (re)start.
                                          There are systems that will take tens of seconds (minutes) to do so, and during this time the system goes to 100 % and DNS isn't working.

                                          That's why python mode was used: the python module handles the files, unbound just invokes the python "external" script to do the DNSBL business.

                                          IMHO : the so called "python mode" will be the only one being used in the future. The mode where files are included from the main unbound.conf will be abandoned.
                                          Give it a try ;)

                                          1 Reply Last reply Reply Quote 0