pfBlockerNG DNSBL list blocking apple even with Top1M enabled
-
I set up a pretty aggressive set of lists and it looks like one of them for malware is blocking all apple.com and live.com.
I enabled the Top1M with the Alexa and with the Cisco, making sure to do a force reload all in between but still see captive.apple.com and login.live.com being blocked by Kowabit (DNSBL_Malicious2). I unpacked the Cisco Top1M and can confirm that apple.com and live.com are on the whitelist.
Any thoughts on why the block lists would override the whitelist?
pfsense - 22.05
- pfBlockerNG-devel 3.1.0_7 after changing from the non-devel
- python module enabled
-
@cyrus104 You did not mention what specifically is not working. Apple uses many FQDNs, so whitelisting *.apple.com will cover most Apple services, but only ones that use that domain. Don't forget about icloud.com and any other domains that they also use.
Additionally, you might check and make sure that your IP lists aren't blocking traffic to 17.*.*.*, which is Apple's class A IP range.
Checking the logs will be your best bet for finding out which of your lists triggered the block.
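The two checks discussed in this thread (does a parent domain of the blocked FQDN appear in a downloaded feed or in the Top1M whitelist, and does a resolved address fall inside 17.0.0.0/8) can be done offline against local copies of the feed files. The following is an added example, not code from pfBlockerNG or from either poster; it does not model pfBlockerNG's own whitelist precedence, it only answers "which feed entry matches this name". The feed contents below are constructed, not the real Kowabit or Top1M data; in practice you would read them from the files you unpacked.

```python
"""Feed triage helper: which local DNSBL feed entries cover an FQDN (or one of
its parent domains), which whitelist entry would cover it, and whether an IP
falls in a given set of CIDR ranges. Constructed sample data, runs offline."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed feeds in the two common formats: hosts-style ("0.0.0.0 domain")
# and plain domain-per-line. Names and entries are illustrative only.
FEEDS: Dict[str, str] = {
    "DNSBL_Malicious2_Kowabit": """
# constructed sample, not the real feed
0.0.0.0 apple.com
127.0.0.1 evil.example
login.live.com
""",
    "DNSBL_Ads": """
ads.example
""",
}

# Constructed stand-in for a Top1M-style whitelist.
WHITELIST = """
apple.com
live.com
"""


def parse_feed(text: str) -> Set[str]:
    """Return the set of domains in a hosts-style or plain-domain feed."""
    domains: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        # hosts format carries the domain in the last field; plain format has one field
        dom = parts[-1] if len(parts) > 1 else parts[0]
        domains.add(dom.lower().rstrip("."))
    return domains


def parent_domains(fqdn: str) -> List[str]:
    """captive.apple.com -> ['captive.apple.com', 'apple.com'] (TLD excluded)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def find_hits(fqdn: str, feeds: Dict[str, str], whitelist: str
              ) -> Tuple[List[Tuple[str, str]], Optional[str]]:
    """List (feed, matching entry) pairs for the FQDN or any parent domain,
    plus the most specific whitelist entry that covers it (None if none)."""
    feed_sets = {name: parse_feed(body) for name, body in feeds.items()}
    wl = parse_feed(whitelist)
    candidates = parent_domains(fqdn)
    hits = [(name, cand) for cand in candidates
            for name, doms in feed_sets.items() if cand in doms]
    wl_match = next((cand for cand in candidates if cand in wl), None)
    return hits, wl_match


def in_ranges(ip: str, cidrs: List[str]) -> List[str]:
    """Return the CIDRs from `cidrs` that contain `ip`; use with 17.0.0.0/8 to
    see whether an IP-list entry would catch Apple's address space."""
    addr = ipaddress.ip_address(ip)
    return [c for c in cidrs if addr in ipaddress.ip_network(c, strict=False)]


if __name__ == "__main__":
    for name in ("captive.apple.com", "login.live.com", "ads.example"):
        hits, wl_match = find_hits(name, FEEDS, WHITELIST)
        print(f"{name}: blocked by {hits or 'nothing'}; whitelist entry: {wl_match}")
    # 17.253.144.10 is a constructed address inside Apple's 17.0.0.0/8
    print(in_ranges("17.253.144.10", ["10.0.0.0/8", "17.0.0.0/8"]))
```

A hit on the parent domain (here apple.com itself is listed) is exactly the case where a whole zone disappears even though no individual host is named, which is why the match should be walked up the label chain rather than tested on the full FQDN only. To extend this to the CNAME case raised in the thread, feed each target of the CNAME chain through find_hits as well.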
-
@cloudified Thanks for the response. To be clear, I did mention, at two levels of detail, what isn't working: my first line says ALL apple.com and the next line says specifically captive.apple.com.
I also already specified that Kowabit from DNSBL_Malicious2 is the list triggering the block.
In order to try and troubleshoot, I also enabled the Top1M whitelist and even verified that apple.com is in it, which is a mask for all of apple.com.
-
@cyrus104 said in pfBlockerNG DNSBL list blocking apple even with Top1M enabled:
@cloudified Thanks for the response. To be clear, I did mention, at two levels of detail, what isn't working: my first line says ALL apple.com and the next line says specifically captive.apple.com.
I also already specified that Kowabit from DNSBL_Malicious2 is the list triggering the block.
In order to try and troubleshoot, I also enabled the Top1M whitelist and even verified that apple.com is in it, which is a mask for all of apple.com.
What I meant was you did not say what was broken or not working from an end-user perspective. Apple uses many other domains and FQDNs, so only whitelisting apple.com is not going to make everything pass if some of the other FQDNs are on a block list. Plus many of Apple's FQDNs are just CNAMEs to 3rd-party companies that may also be on one of your block lists. Whitelisting apple.com isn't going to help you in that scenario.
Please be specific on what is broken so we can try and help you. This is expected behavior with very aggressive blocking. Tuning may have to be part of your daily routine. Trust me - I do the same thing.
-
@cyrus104 All apple.com? I wouldn't use a list that was so 'aggressive' that it blocks Apple and live.com. Not worth messing with IMO, having to band-aid it to make it work properly... For the occasional OOPS, yea, there's the DNSBL WHITELIST, but for large issues I just use another feed. Too 'aggressive' to me really means a lot of false positives, followed by a lot of chasing fixes.