Netgate Discussion Forum
pfBlockerNG Reports DNSBL Block HTTPS empty

pfBlockerNG
8 Posts 3 Posters 1.5k Views
  focheur91300, last edited Aug 18, 2021, 10:00 AM

    Hello,

    I am currently experiencing a problem with pfBlockerNG.

    pfBlockerNG does DNSBL blocking.

    However, none of the HTTPS connections from DNS/FQDN are displayed in the reports section.

    Example below:

    I go to the following site: https://korben.info/

    It displays the following page:
    [screenshot]

    This is not displayed in the report tab of pfBlockerNG:
    [screenshot]

    I know it works, because when I type the nslookup command I get the following result:
    [screenshot]

    Additional information:

    • pfSense version 2.5.2
    • pfBlockerNG-devel version 3.0.0_16

    Thank you to the community in advance.

    Gertjan @focheur91300, last edited Aug 18, 2021, 11:37 AM

      @focheur91300 said in pfBlockerNG Reports DNSBL Block HTTPS empty:

      It displays the following page:

      It also displays the URL it tries to visit. Where is it?
      I bet it isn't "korben.info" but "10.10.11.1".

      Ask yourself this one question: does this "10.10.11.1" have a certificate that states it is "korben.info"? I'll add a clue: who is the admin of 10.10.11.1 (answer: you), so ask yourself: did you add it? (Can you even get it?? ;) )
      Of course not. That's what TLS (https) is all about.

      Or, the connection is "https" and the web browser wants and insists on retrieving a certificate that says the visited site 10.10.11.1 is "korben.info".
      It isn't. And that's why the message is shown.

      So, this small question gives you an important answer: do not use, as it is useless, the built-in "pfBlockerNG web server that shows blocked DNSBL in your browser".
      It won't work for TLS (https) sites.

      So, keep on logging, but don't use the "DNSBL webserver" any more, as users start to think something is wrong. Which is not the case.

      [screenshot]

      And it's common knowledge that 99.9 % of all web traffic is TLS (https) traffic.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

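The reasoning in the reply above can be checked mechanically: the resolver answers the blocked name with the DNSBL VIP, the browser then opens a TLS connection to that VIP with SNI set to the original name, and the certificate the sinkhole presents can never pass the browser's hostname check for that name. The script below is an added example written for this thread; it is not pfBlockerNG's or pfSense's own code. It assumes the VIP is 10.10.11.1 (the address guessed in the reply), the sinkhole certificate dictionary and the DNS answers are constructed for illustration, and `probe_tls` is the one function that needs network access.

```python
"""Why a DNSBL sinkhole cannot render a block page over HTTPS.

Added example, not pfBlockerNG code.  Assumptions: DNSBL VIP 10.10.11.1
(as guessed in the thread); the sinkhole presents a self-signed
certificate for a local name.  Certificate and DNS data are constructed.
"""
import socket
import ssl

DNSBL_VIP = "10.10.11.1"  # assumed sinkhole address, taken from the reply above

# Constructed: the shape ssl.SSLSocket.getpeercert() returns for a self-signed
# certificate on the sinkhole.  A real pfSense certificate will differ.
SINKHOLE_CERT = {
    "subject": ((("commonName", "pfsense.localdomain"),),),
    "subjectAltName": (("DNS", "pfsense.localdomain"),),
}


def is_sinkholed(answers, vip=DNSBL_VIP):
    """True when the resolver answered with the DNSBL VIP, i.e. the name was blocked."""
    return any(ip == vip for ip in answers)


def _dnsname_match(pattern, hostname):
    """RFC 6125 style dNSName comparison: case-insensitive labels,
    a wildcard accepted only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False
    if p[0] == "*":
        return len(p) > 1  # a bare "*" matches nothing
    return p[0] == h[0]


def hostname_matches(cert, hostname):
    """The hostname check a browser performs before trusting a server certificate.
    Uses subjectAltName dNSName entries; falls back to the CN only when the
    certificate carries no SAN at all (browsers have dropped even that fallback)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dnsname_match(n, hostname) for n in names)


def explain(domain, answers, sinkhole_cert=SINKHOLE_CERT, vip=DNSBL_VIP):
    """Classify what the user sees for https://<domain>/ given the DNS answers."""
    if not is_sinkholed(answers, vip):
        return "not blocked by DNSBL: browser connects to the real site"
    if hostname_matches(sinkhole_cert, domain):
        return "blocked; sinkhole certificate matches, block page would render"
    return ("blocked; browser reaches %s but its certificate is not for %s, "
            "so a TLS error page is shown instead of the DNSBL block page"
            % (vip, domain))


def probe_tls(domain, vip=DNSBL_VIP, port=443, timeout=3.0):
    """Live check (needs network): reproduce the browser's failure by handshaking
    with the VIP while sending SNI for the blocked name."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((vip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                return ("ok", tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return ("cert_verify_failed", exc.verify_message)
    except OSError as exc:
        return ("connect_failed", str(exc))


if __name__ == "__main__":
    # Constructed nslookup-style answers: the blocked name resolves to the VIP,
    # an unblocked name resolves to a documentation-range address.
    print(explain("korben.info", ["10.10.11.1"]))
    print(explain("example.net", ["203.0.113.10"]))
```

Run it as-is for the offline classification; on a LAN behind the pfSense box, `probe_tls("korben.info")` against the real VIP should return `cert_verify_failed`, which is exactly the browser error the original poster saw in place of the block page.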
      focheur91300 @Gertjan, last edited Aug 18, 2021, 11:56 AM

        Hello @gertjan,

        Thank you for the quick and clear answer.

        However, I can't find the option you mention:

        [screenshot]

        Thank you.

        Gertjan @focheur91300, last edited Aug 18, 2021, 1:58 PM

          @focheur91300

          Hmm. Can't tell.

          For each DNSBL 'feed', you can choose:

          [screenshot]


          focheur91300 @Gertjan, last edited Aug 18, 2021, 2:15 PM

            @gertjan
            Thanks for the information.

            I have no entry in the report tab of the site.

            keyser (Rebel Alliance) @focheur91300, last edited Aug 18, 2021, 8:42 PM

              @focheur91300 That's because you are running pfBlockerNG in "Unbound Mode". To have the Global null (Logging) option, you need to run pfBlockerNG in "Unbound Python Mode".

              But beware: there are issues with sustained disk writes in this mode, regardless of whether you elect to log anything.

              This will be a serious issue if your pfSense box only has an 8 GB eMMC; that will burn through its lifetime writes in a year or two.

              If you have a large SSD (128 GB or more) or an HDD, it's of no real consequence.

              Love the no fuss of using the official appliances :-)

              focheur91300 @keyser, last edited Aug 18, 2021, 9:16 PM

                @keyser
                Thanks again for the information.

                Could you send me a capture of your configuration with Unbound Python Mode?

                Thanks in advance.

                keyser (Rebel Alliance) @focheur91300, last edited Aug 18, 2021, 9:31 PM

                  @focheur91300 Unfortunately I can't. I'm on an SG-2100 with an 8 GB eMMC that would be worn out in a year by using Python mode, so I'm using Unbound Mode like you.

                  But there are several posts here on how to configure python mode, and it’s very easy.

                  booshwa referenced this topic on Feb 1, 2022, 3:24 AM
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.