DNSBL not blocking URL

oever · Sep 5, 2023, 4:38 PM

I'm using pfBlockerNG Devel on pfSense 2.7.0. Works like a charm. But I have one issue.

mesqwrte.net is in a blocklist; TLD is active

TIf I type mesqwrte.net in a browser: blocked as expected.
If I type mesqwrte.net/favicon.ico : not blocked.

Am I missing something or is this a bug?

johnpoz · Sep 5, 2023, 4:43 PM

If I type mesqwrte.net/favicon.ico : not blocked.

pfblocker doesn't work on url, it is dns based.. to load up domain.tld/whatever you would have to be able to resolve domain.tld - but pfblocker would block that.. So if your saying domain.tld/something loaded - its loaded from your browser cache.

oever · Sep 5, 2023, 5:04 PM

Sounds plausible, BUT. I expect the URL to be parsed into host plus "extra", where host contains the domain.TLD. Otherwise DNSBL wouldn't block any URL, ever. Correct?

As for your remark on my browsr cache: OOPS. However, after emptying the cache: still no luck. With anoteher browser altogether: no luck. So I'm puzzled.

johnpoz · Sep 5, 2023, 5:48 PM

@oever said in DNSBL not blocking URL:

wouldn't block any URL, ever. Correct?

again its dns based.. domain.tld/whatever/otherthing/something makes no differenct.. hard to load domain.tld/something if domain.tld never resolves to actual IP that serves domain.tld

This is blocked on my system with pihole

;; QUESTION SECTION:
;mesqwrte.net.                  IN      A

;; ANSWER SECTION:
mesqwrte.net.           2       IN      A       0.0.0.0

See how its resolving to 0.0.0.0, so it would be impossible to load up mesqwrte.net/anything no matter what that anything is.. Since its not possible to get to mesqwrte.net

If pfblocker is blocking then it would not be possible to load up favicon from there.. If your pointing that domain to say the pfblocker block IP, 10.10.10.10 or something - then you could load the favicon from that blocked site hosted by pfblocker.

if you do a dig, or nslookup or host - your fav dns tool, or look in the firefox dns about:networking#dns

What does the IP point too - if its pointing to some site for dnslblocker in pfblocker like 10.10.10.10, some vip on pfsense - then sure the favicon would be loaded from there and not the actual website favicon

oever · Sep 5, 2023, 5:56 PM

@johnpoz said in DNSBL not blocking URL:

?

You're correct. 10.10.10.1/favicon.ico gives me the same result. Never thought oif that. Tnaks for enlightening me - now I can sleep agin . So much for assumptions - I thought I'd always see a block-message. Thanks again!

johnpoz · Sep 5, 2023, 6:02 PM

@oever pfblocker vs just blocking by resolving to say 0.0.0.0 likes to point to a block page - that says hey this site is blocked. But if your looking for something specific loaded off that IP, 10.10.10.10 I think is default vip that is used.. But I think at some point there was recommendation to use something different.. Anywho - yeah block page is just hosted on pfsense off whatever the IP you use (vip on pfsense) to serve up the page to tell you hey that site is blocked.

But if you try and load some specific resource off that httpd, like favicon.ico then sure yeah that could be loaded.

Glad I could help you get some sleep ;)