DNSBL whitelist & subdomains of edgekey.net
-
Greetings - if .apple.com.edgekey.net is in the DNSBL whitelist, is it expected to overcome a feed that blocks edgekey.net ?
My iOS devices are having trouble with software updates and iTunes. It could be caused by the Phishing_Army feed which has a block against edgekey.net.
I installed .apple.com.edgekey.net into the DNSBL whitelist and reloaded. I'm still getting blocks in /var/log/pfblockerng/dnsbl.log similar to what's been quoted below. Why is this happening, please? Thank you!
```
DNSBL-HTTPS,,gspe11-ssl.ls.apple.com.edgekey.net,192.168.200.139,Unknown,TLD-CNAME,DNSBL_Firebog_Malicious,edgekey.net,Phishing_Army,+
DNSBL-HTTPS,,gspe11-ssl.ls.apple.com.edgekey.net,192.168.200.139,Unknown,TLD-CNAME,DNSBL_Firebog_Malicious,edgekey.net,Phishing_Army,-
DNSBL-HTTPS,,gspe11-ssl.ls.apple.com.edgekey.net,192.168.200.62,Unknown,TLD-CNAME,DNSBL_Firebog_Malicious,edgekey.net,Phishing_Army,+
DNSBL-HTTPS,,gspe11-ssl.ls.apple.com.edgekey.net,192.168.200.62,Unknown,TLD-CNAME,DNSBL_Firebog_Malicious,edgekey.net,Phishing_Army,-
DNSBL-HTTPS,,inappcheck.itunes.apple.com.edgekey.net,192.168.200.62,Unknown,TLD-CNAME,DNSBL_Firebog_Malicious,edgekey.net,Phishing_Army,+
DNSBL-HTTPS,,inappcheck.itunes.apple.com.edgekey.net,192.168.200.62,Unknown,TLD-CNAME,DNSBL_Firebog_Malicious,edgekey.net,Phishing_Army,-
DNSBL-HTTPS,,radio.itunes.apple.com.edgekey.net,192.168.200.62,Unknown,TLD-CNAME,DNSBL_Firebog_Malicious,edgekey.net,Phishing_Army,+
DNSBL-HTTPS,,radio.itunes.apple.com.edgekey.net,192.168.200.62,Unknown,TLD-CNAME,DNSBL_Firebog_Malicious,edgekey.net,Phishing_Army,-
```
*(date/time column removed for the purpose of sorting)*
-
@timtrace said in DNSBL whitelist & subdomains of edgekey.net:
> It could be caused by the Phishing_Army feed which has a block against edgekey.net.

Which one exactly?
This :
Check the content of the file.
You'll find it here: /var/db/pfblockerng/dnsbl/PhishingArmy.txt
I found this:
,www-key-com.test.edgekey.net,,0,PhishingArmy,DNSBL_Compilation
That's not "edgekey.net" but "www-key-com.test.edgekey.net"
-
@gertjan Thanks - I appreciate your help.
https://phishing.army/download/phishing_army_blocklist_extended.txt -- that's the Phishing_Army list that's showing up in the DNSBL log.
In the phishing_army26OCT2021101209UTC.txt version of the list, it has ..
- edgekey.net on line 8,328
- www-key-com.test.edgekey.net on line 38,876
--note that anything to do with apple.com.edgekey.net is not present in the list.
After a reload with ".edgekey.net" in the DNSBL whitelist, all references to edgekey.net are gone from the list -- phishing_army-postprocess.txt. The DNSBL log displays no more entries for the domains shown in the OP. The DNSBL whitelist entry was effective at removing both the root domain and the subdomain.
It feels correct to say that a DNSBL whitelist entry with subdomains does not whitelist every parent domain in the string. I.e., ".apple.com.edgekey.net" does not remove "edgekey.net" and "com.edgekey.net" and "apple.com.edgekey.net" ad nauseam. I suppose that if ".apple.com.edgekey.net" is not defined in the source list it can't be removed, and besides, the whitelisting of every parent domain in a string would lead to ..... well, it's leading me to another question.
>>> If I have a list that includes only "edgekey.net" ... and I must whitelist ".apple.com.edgekey.net" ... and I have to whitelist ".edgekey.net" to make it work --- how do I avoid the collateral whitelisting of every other subdomain under "edgekey.net"?
Thank you again --
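
A simplified model of the behaviour reported in this thread, as an added example that is not part of the original posts and is not pfBlockerNG's own code: it reads log lines in the quoted shape, applies a whitelist to a feed, and shows which feed entry still blocks each queried name and which entries the whitelist removed. The log field positions, the matching rules, and all function names are assumptions inferred from the quoted lines and the posters' observations.

```python
# Simplified model of the behaviour reported in the thread; not pfBlockerNG code.
# Log field positions and the matching rules below are assumptions.

# Constructed sample in the shape of the quoted log (date/time column removed).
LOG = """\
DNSBL-HTTPS,,gspe11-ssl.ls.apple.com.edgekey.net,192.168.200.139,Unknown,TLD-CNAME,DNSBL_Firebog_Malicious,edgekey.net,Phishing_Army,+
DNSBL-HTTPS,,radio.itunes.apple.com.edgekey.net,192.168.200.62,Unknown,TLD-CNAME,DNSBL_Firebog_Malicious,edgekey.net,Phishing_Army,-
"""
# Constructed feed: the two entries the thread reports, plus a placeholder.
FEED = ["edgekey.net", "www-key-com.test.edgekey.net", "phish.example"]


def in_scope(name, wl):
    """True if name is covered by wl; a leading dot also covers subdomains."""
    base = wl.lstrip(".").lower()
    name = name.lower().rstrip(".")
    if wl.startswith("."):
        return name == base or name.endswith("." + base)
    return name == base


def apply_whitelist(feed, whitelist):
    """Return (kept, removed): the whitelist only removes entries present in the feed."""
    removed = [e for e in feed if any(in_scope(e, w) for w in whitelist)]
    return [e for e in feed if e not in removed], removed


def blocking_entry(qname, feed):
    """Return the feed entry equal to qname or a parent of it, else None."""
    return next((e for e in feed if in_scope(qname, "." + e)), None)


def parse_log(text):
    """Yield (queried name, matched feed entry, feed name) per log line."""
    for line in text.splitlines():
        f = line.split(",")
        if len(f) >= 9:
            yield f[2], f[7], f[8]


def still_blocked(whitelist):
    """Map each logged name to the entry still blocking it; also list removed entries."""
    kept, removed = apply_whitelist(FEED, whitelist)
    return {q: blocking_entry(q, kept) for q, _, _ in parse_log(LOG)}, removed


if __name__ == "__main__":
    for wl in (".apple.com.edgekey.net", ".edgekey.net"):
        print(wl, still_blocked([wl]))
```

The `removed` list is the collateral to review before widening a whitelist entry: with ".edgekey.net" it includes every feed entry under that domain, not only the one that caused the Apple blocks.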