Block requests for "undefined"

timtrace

Greetings, how can I block requests at the firewall for https://undefined/tagmgmt/bs.js?

This is part of the PayPal login process and reliably hangs in my environment. The symptom is a spinning blue circle in the browser after the PP creds are entered, and before the 2FA page appears. When the request times out, which takes more than a minute, the 2FA page appears, and life is good. Frustrating.

I found a random discussion that said someone fixed it by adding "127.0.0.1 undefined" to their hosts file. I tried it, and it worked.

But I want something that fixes it all at once for all the clients behind my pf. How can I do that?

Thank you --

johnpoz

@timtrace why would you think pfsense would have anything or could even do anything about some client on your network trying to resolve something that is never going to resolve..

undefined

That is not a fqdn - that can never resolve.. If you have some client asking for nonsense - you going to have to fix it at the client.

I would suggest you get with paypal, on why something might like that happen.. While not a huge paypal user, I do have the app on my phone - and its not asking for undefined.. And just logged in via web page and not doing it either.

timtrace

@johnpoz - such a quick response - do you ever sleep? :) You're right, of course, now that I think about it. It's the client saying "no" to "undefined." The non-appearance of the request in the pf logs backs this up.

Conversationally - I wonder if a Squid proxy could blackhole the request. I don't know the browser and system architecture well enough to say if the browser would forward the request to the proxy before attempting to locally resolve it. I say, "conversationally," because it's not that important for me to spend the time labbing it out :)

timtrace

@johnpoz said in Block requests for "undefined":

I would suggest you get with paypal, on why something might like that happen.. While not a huge paypal user, I do have the app on my phone - and its not asking for undefined.. And just logged in via web page and not doing it either.

It's a fair suggestion to get with PayPal, but I feel like it would be a huge time sink.

My phone is iOS, computer is MacOS. Most of the clients behind my pf are iOS or iPadOS. I have a Win11 system that doesn't seem to have the problem. Maybe it's related to the way Apple OSs are handling "undefined."

johnpoz

@timtrace said in Block requests for "undefined":

Maybe it's related to the way Apple OSs are handling "undefined."

Doesn't do it on my iphone..

Asking for a host name of any dns - would result in an SOA answer and should be only a few ms..

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;undefined.                     IN      A

;; AUTHORITY SECTION:
.                       1779    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023091200 1800 900 604800 86400

;; Query time: 11 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Tue Sep 12 08:39:44 Central Daylight Time 2023
;; MSG SIZE  rcvd: 113

johnpoz

@timtrace ok - here you go, I sniffed all dns traffic from my iphone, and opening with paypal app, that I had forced closed before I do not see any such query.

But then I opened up paypal with just safari, and did see such a query - but as you can see as I said before such a query would be answered very quickly with either soa, or nx..

Even when the client did query for my search suffix, gets a nx right away.. Are you using some public domain as your local domain? And search suffix your using on your client is resolving to something that is causing your delay?

My local domain is local.lan which is why you can see a search for some host with a domain on it, etc.

I would suggest you do like what I did and see where any such delay is coming from - if your getting a query for undefined.yourdomain.tld that is taking a long time to resolve - or posts to something wrong because of the domain your using, you could block that fqdn so that it returns NX right away, etc..

timtrace

@johnpoz said in Block requests for "undefined":

@timtrace ok - here you go, I sniffed all dns traffic from my iphone, and opening with paypal app, that I had forced closed before I do not see any such query.

Ahhhhh. Indeed, I use a publicly resolvable domain inside my network. It's a split DNS architecture with pf serving the internal zone and NameCheap serving the external.

.... so I added an internal "A" record for "undefined.mydomain.com" @ 10.10.10.10 and ... boom, it worked. That's my pfBlockerNG DNSBL web server.

That was some spot-on help, man. Thank you so much!

johnpoz

@timtrace I am personally not a fan of doing such a thing for this very sort of problem. If you have domain.com out on the internet, that is great.. I wouldn't use that locally. Use something like local.domain.com, or domain.home.arpa internally..

home.arpa is the new "approved" domain to use locally via rfc..

https://www.rfc-editor.org/rfc/rfc8375.html
Special-Use Domain 'home.arpa.'

timtrace

@johnpoz said in Block requests for "undefined":

home.arpa is the new "approved" domain to use locally via rfc.

I'm tempted. :)

johnpoz

@timtrace I am in a very "slow" process of moving too it - but I have quite a few local certs that I have issued via my CA, and as they come up on expire (I had set then for 10 years) before the browsers started balking at such long certs..

And I have just not yet got motivated enough to change them all at once ;)

My unifi controller now uses the new home.arpa, and so does my nas, etc. But at some point here I will be fully home.arpa - but for now using a mixed bag ;)

$ dig nas.home.arpa +short
192.168.9.10

$ dig newuc.home.arpa +short
192.168.2.12