Topic: DNSBL Certificate errors


DarkKnyte
DNSBL Certificate errors
« on: February 02, 2017, 10:51:33 am »
I attempted to set up DNSBL in the pfBlockerNG package yesterday, and after adding lists (provided in another post here) and activating it, I immediately started getting SSL CA errors in Chrome on google.com. I had to disable DNSBL to stop the errors.

I find it likely that I must have missed some option or toggled a box I shouldn't have, but I can't seem to narrow down the issue.

Can someone point me in a direction if this is an obvious problem, or tell me what I need to provide to help troubleshoot?

Thanks.

doktornotor
Re: DNSBL Certificate errors
« Reply #1 on: February 02, 2017, 11:06:32 am »
There is no such option. Whitelist obvious false positives in the DNSBL (or stop using such broken lists).
Do NOT PM for help!

BBcan177
Re: DNSBL Certificate errors
« Reply #2 on: February 05, 2017, 12:16:32 pm »
You could edit the code and use 0.0.0.0 instead of the DNSBL VIP... but that will also negate any logging capabilities...

https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L3609

/usr/local/pkg/pfblockerng/pfblockerng.inc

Change this line #3609:
Code:
$domain_data .= "local-data: \"" . $line . " 60 IN A {$pfb['dnsbl_vip']}\"\n";
To:
Code:
$domain_data .= "local-data: \"" . $line . " 60 IN A 0.0.0.0\"\n";

Upcoming version will allow mixing of the DNSBL VIP and 0.0.0.0 so that the domains that are causing these errors can utilize 0.0.0.0 whilst all others use the DNSBL VIP and the logging remains intact... or if you didn't want to log the blocked alerts....

"Experience is something you don't get until just after you need it."

 | http://pfblockerng.com | Twitter @BBcan177  | #pfBlockerNG |
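The per-domain sink selection BBcan177 describes above (some domains answered with 0.0.0.0, the rest with the DNSBL VIP so that logging stays intact), as an added Python example that is not pfBlockerNG's own code: it reads a blocklist, accepts bare domains and hosts-file style lines, drops comments and malformed lines, and emits unbound local-data lines in the same format the .inc file generates. The VIP 10.10.10.1, the sample list and the set of null-routed domains are constructed for the example, not taken from the package.

```python
"""Added example (not pfBlockerNG code): build unbound local-data lines for a
DNSBL with a per-domain choice of sink address, i.e. the "mixing" of the DNSBL
VIP and 0.0.0.0 described in the thread."""
import re
from typing import Iterable, List, Optional, Set

# Constructed defaults: the DNSBL VIP is a pfBlockerNG setting; this value is only an example.
DEFAULT_VIP = "10.10.10.1"
NULL_SINK = "0.0.0.0"   # clients get "connection refused", nothing reaches the DNSBL web server
TTL = 60                # matches the "60 IN A" records the package writes

_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")   # at least two labels


def normalize_domain(raw: str) -> Optional[str]:
    """Return a lower-case domain from one blocklist line, or None if the line is
    blank, a comment, or not a plausible hostname.  Accepts bare domains and
    hosts-file style lines such as "0.0.0.0 ads.example.com"."""
    line = raw.split("#", 1)[0].strip()          # strip trailing comments
    if not line:
        return None
    tokens = line.split()
    if len(tokens) == 1:
        candidate = tokens[0]
    elif len(tokens) == 2 and _IPV4_RE.match(tokens[0]):
        candidate = tokens[1]                    # hosts-file format: "<ip> <name>"
    else:
        return None                              # anything else is not a list entry
    candidate = candidate.lower().rstrip(".")
    return candidate if _DOMAIN_RE.match(candidate) else None


def _is_null_routed(domain: str, null_routed: Set[str]) -> bool:
    """True if the domain, or a parent of it, is in the null-routed set."""
    return any(domain == s or domain.endswith("." + s) for s in null_routed)


def build_local_data(lines: Iterable[str], dnsbl_vip: str = DEFAULT_VIP,
                     null_routed: Set[str] = frozenset()) -> List[str]:
    """Produce sorted, de-duplicated unbound local-data lines.  Domains in
    null_routed (or under one of them) get 0.0.0.0; everything else gets the VIP."""
    seen = set()
    for raw in lines:
        domain = normalize_domain(raw)
        if domain:
            seen.add(domain)
    out = []
    for domain in sorted(seen):
        sink = NULL_SINK if _is_null_routed(domain, null_routed) else dnsbl_vip
        out.append(f'local-data: "{domain} {TTL} IN A {sink}"')
    return out


# Constructed sample blocklist, mixing the formats seen in public lists.
SAMPLE_LIST = [
    "# constructed list for the example",
    "0.0.0.0 ads.example.com  # hosts-file style entry",
    "Ads.Example.COM.",          # duplicate of the previous line, different casing
    "tracker.example.net",
    "not a domain line",
    "localhost",                 # single label, rejected
]

if __name__ == "__main__":
    # Null-route everything under example.net; keep the rest on the VIP for logging.
    for entry in build_local_data(SAMPLE_LIST, DEFAULT_VIP, {"example.net"}):
        print(entry)
```

A domain answered with 0.0.0.0 never reaches the DNSBL web server, so the browser sees a refused connection instead of a certificate for the wrong name, and no block alert is logged; everything left on the VIP keeps the logging. pfBlockerNG regenerates its unbound include on every reload, so output like this is useful for testing a mixed configuration, not as a persistent replacement for the package's own file.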

bole5
Re: DNSBL Certificate errors
« Reply #3 on: February 27, 2017, 07:34:12 am »
I solved this problem by adding a firewall rule on my LAN (and OpenVPN) interfaces to reject all requests destined for 127.0.0.1 port 8443. This way I don't get to see the annoying certificate message for HTTPS-based blocked sites.

The benefit of my solution is that it requires no code change to pfBlockerNG.

To do this, create a new rule with the following:
Code:
Action: Reject
Interface: LAN
Address Family: IPv4
Protocol: TCP
Source: any
Destination: Single host or alias 127.0.0.1
Destination port range: custom 8443 (in both custom fields)
Give it a name and press Save.
Don't forget to move this rule before any rules that would allow this traffic.

BBcan177
Re: DNSBL Certificate errors
« Reply #4 on: February 27, 2017, 08:34:06 pm »
@bole5

Can you change the code as indicated (utilizing 0.0.0.0) and see if that fixes your cert errors? I don't have many Apple devices to test with, so any help testing would be appreciated. You will need to run a "Force Reload - DNSBL" for it to take effect.

Any other users feedback welcome also...

Thanks!

bole5
Re: DNSBL Certificate errors
« Reply #5 on: February 28, 2017, 01:34:03 am »
I just tested with 0.0.0.0. After modifying the /usr/local/pkg/pfblockerng/pfblockerng.inc I verified that the force update worked:
Code:
#head -10 /var/unbound/pfb_dnsbl.conf
local-data: "007-gateway.com 60 IN A 0.0.0.0"
local-data: "00zasdf.pw 60 IN A 0.0.0.0"
local-data: "04dn8g4f.space 60 IN A 0.0.0.0"
local-data: "0755.pics 60 IN A 0.0.0.0"
local-data: "07zq44y2tmru.xyz 60 IN A 0.0.0.0"
local-data: "0emn.com 60 IN A 0.0.0.0"
local-data: "0fmm.com 60 IN A 0.0.0.0"
local-data: "0icep80f.com 60 IN A 0.0.0.0"
local-data: "0llii0g6.com 60 IN A 0.0.0.0"
local-data: "0pixl.com 60 IN A 0.0.0.0"

Then I went to amazon.de in both Safari and Chrome on my MacBook and no more annoying certificate error.

Just to verify the time it needed to run the request, I copied the ad link as curl and ran it in the terminal. Here is what I get, instantly:
Code:
$ curl 'https://aax-eu.amazon-adsystem.com/e/xsp/getAd?slot=desktop-ad-center-2&rid=01010de2fa3142bbf24492371c23e1a48121a47315d92fa3142bbf24492372fa3142b' \
→ -XGET \
→ -H 'Referer: https://www.amazon.de/' \
→ -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8' \
→ -H 'Origin: https://www.amazon.de'
*   Trying 0.0.0.0...
* connect to 0.0.0.0 port 443 failed: Connection refused
* Failed to connect to aax-eu.amazon-adsystem.com port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to aax-eu.amazon-adsystem.com port 443: Connection refused

So to conclude, changing the address to 0.0.0.0 worked on OS X (10.11.6) in Safari and Chrome.

Hopsdaballa04
Re: DNSBL Certificate errors
« Reply #6 on: March 02, 2017, 07:54:53 am »
I replaced the line in the .inc file to match $domain_data .= "local-data: \"" . $line . " 60 IN A 0.0.0.0\"\n";

But I still see the cert issue popping up in iOS and macOS. I'm not sure what I didn't do right; I restarted the service and did a force reload in pfBlockerNG, but I'm still seeing the errors. When I apply the suggested firewall rule it works, so I'm not sure if I just botched something up. Can you give me a step-by-step of what to change again?

BBcan177
Re: DNSBL Certificate errors
« Reply #7 on: March 02, 2017, 10:28:00 am »
Did you run a "Force Reload - DNSBL" for the change to take effect? You also might have cached DNS responses in your browser and OS causing issues. Someone also mentioned that you might need to clear out any DNSBL certificate approvals in your browser.

HeMaN
Re: DNSBL Certificate errors
« Reply #8 on: March 13, 2017, 04:25:51 am »
Quote from: BBcan177 on February 05, 2017, 12:16:32 pm
> You could edit the code and use 0.0.0.0 instead of the DNSBL VIP... but that will also negate any logging capabilities...
>
> https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L3609
>
> /usr/local/pkg/pfblockerng/pfblockerng.inc
>
> Change this line #3609:
> Code:
> $domain_data .= "local-data: \"" . $line . " 60 IN A {$pfb['dnsbl_vip']}\"\n";
> To:
> Code:
> $domain_data .= "local-data: \"" . $line . " 60 IN A 0.0.0.0\"\n";
>
> Upcoming version will allow mixing of the DNSBL VIP and 0.0.0.0 so that the domains that are causing these errors can utilize 0.0.0.0 whilst all others use the DNSBL VIP and the logging remains intact... or if you didn't want to log the blocked alerts....

Hi @BBcan177, thanks for the great work on pfBlockerNG!

I also ran into the issue of the warning about the certificate not belonging to the site and not being trusted.

I did some research on the web and found several statements about using a generic self-signed certificate for all redirected traffic, and that the solution would be to create certificates for the domains on the fly with a certificate known/trusted by the users.

I only switched to using pfSense a week ago, and was using an Asus router with wrt-Merlin firmware before.
On this router I also had a "tool" installed for DNS-based ad-blocking called AB-Solution (https://www.snbforums.com/threads/release-ab-solution-3-6-5-the-ad-blocking-solution.37511/).
The beauty of this tool is, amongst others, the option to use pixelserv-tls. This is a 1*1 pixel server also capable of HTTPS.
It also creates on-the-fly certificates specific to the HTTPS URLs being blocked. (https://github.com/kvic-z/pixelserv-tls)
No more annoying certificate warnings in my browser for any blocked site (after I installed the CA certificate it uses, of course).

I am absolutely no programmer, but maybe this is something worth looking into, whether it is possible to incorporate this functionality into pfBlockerNG?
If on-the-fly certificate creation is possible on a small home router, it should also be possible on a better-utilised pfSense system ;)
« Last Edit: March 13, 2017, 04:32:31 am by HeMaN »

BBcan177
Re: DNSBL Certificate errors
« Reply #9 on: March 13, 2017, 02:47:50 pm »
Thanks for the links... It's not something that I would want for the package... MITM anything is bad in my books :)
I am working on improving this issue... So stay tuned...

HeMaN
Re: DNSBL Certificate errors
« Reply #10 on: March 14, 2017, 03:12:58 am »
Quote from: BBcan177 on March 13, 2017, 02:47:50 pm
> Thanks for the links... It's not something that I would want for the package... MITM anything is bad in my books :)
> I am working on improving this issue... So stay tuned...

OK, thanks! I will stay tuned ;)

Just to be sure, it is not MITM that pixelserv-tls is doing.
It is a web server only serving a transparent 1*1 pixel for requests made to that server (redirected to the pixelserv-tls IP by the DNS blocklist), and also capable of generating a certificate for that pixel when the request was made with HTTPS.

All traffic that is not DNS-blocked/redirected never goes through the pixelserv-tls server.

motific
Re: DNSBL Certificate errors
« Reply #11 on: March 19, 2017, 08:36:59 am »
Creating custom certs for domains you don't own is a MITM method.

Not that it would work for google.com as they use HSTS preloading and public-key pinning.  Browser makers bake information about the certificate chain for some sites into the package/installation.  The browser knows about the certs it should be expecting for those sites before a request is even made and will warn the user if the certificate has been tampered with.

Sekrit
Re: DNSBL Certificate errors
« Reply #12 on: April 07, 2017, 10:07:49 am »
Quote from: BBcan177 on February 27, 2017, 08:34:06 pm
> @bole5
>
> Can you change the code as indicated (utilizing 0.0.0.0) and see if that fixes your cert errors. I don't have many Apple devices to test with, so any help testing would be appreciated. Will need to run a "Force Reload - DNSBL" for it to take effect.
>
> Any other users feedback welcome also...
>
> Thanks!

Hi BBcan,
I was able to fix the certificate invalid errors in Safari by editing pfblockerng.inc. Is this a one-time fix, or does it need to be done on every update? Could you create a GUI option for this very annoying problem for Safari users?
Thanks
« Last Edit: April 07, 2017, 10:13:42 am by Sekrit »
pfSense 2.3.3-p1 (PFblockerNG, Snort, Squid).  VMware on Supermicro X11SSH-LN4F, Xeon E3-1425 v5, 16Gb

BBcan177
Re: DNSBL Certificate errors
« Reply #13 on: April 10, 2017, 10:35:35 am »
Quote from: Sekrit on April 07, 2017, 10:07:49 am
> Could you create a GUI option for this very annoying problem for Safari users?

It's already in the beta of the next release... stay tuned!

Sekrit
Re: DNSBL Certificate errors
« Reply #14 on: April 23, 2017, 06:31:17 pm »
After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.
« Last Edit: April 23, 2017, 07:07:14 pm by Sekrit »
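The check bole5 did with head on /var/unbound/pfb_dnsbl.conf, and the one Sekrit would have wanted when pfblockerng.inc silently reverted to the VIP, as an added Python example that is not part of the package: it parses the unbound local-data lines, counts how many domains point at each sink address, and lists every entry whose sink is not one you expect, so a cron job or a quick run after an update can tell you whether the file was regenerated with the wrong address. The sample configuration is constructed from the ten lines bole5 posted plus two invented example-*.test entries on a 10.10.10.1 VIP and one malformed line; the VIP value and the invented names are assumptions for the example.

```python
"""Added example (not pfBlockerNG code): audit the sink addresses in an unbound
local-data file such as /var/unbound/pfb_dnsbl.conf and flag unexpected ones."""
import re
import sys
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

# Matches the lines pfBlockerNG writes: local-data: "<name> <ttl> IN A <ipv4>"
_LOCAL_DATA_RE = re.compile(
    r'^\s*local-data:\s*"(?P<name>[^\s"]+)\s+(?P<ttl>\d+)\s+IN\s+A\s+'
    r'(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"\s*$'
)


class Entry(NamedTuple):
    name: str
    ttl: int
    addr: str


def parse_local_data(text: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Split a config into parsed entries and (line number, text) of lines that
    are neither blank, comments, nor well-formed A-record local-data."""
    entries: List[Entry] = []
    unparsed: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LOCAL_DATA_RE.match(line)
        if m:
            entries.append(Entry(m["name"].lower().rstrip("."), int(m["ttl"]), m["addr"]))
        else:
            unparsed.append((lineno, line))
    return entries, unparsed


def sink_summary(entries: List[Entry]) -> Dict[str, int]:
    """How many domains resolve to each sink address."""
    return dict(Counter(e.addr for e in entries))


def unexpected_sinks(entries: List[Entry], allowed: Set[str]) -> List[Entry]:
    """Entries whose sink is not in the allowed set (e.g. VIP entries after a
    revert, when you expected everything on 0.0.0.0)."""
    return [e for e in entries if e.addr not in allowed]


def audit(text: str, allowed: Set[str]) -> Dict[str, object]:
    entries, unparsed = parse_local_data(text)
    return {
        "total": len(entries),
        "by_sink": sink_summary(entries),
        "unexpected": unexpected_sinks(entries, allowed),
        "unparsed": unparsed,
    }


# Constructed sample: the ten lines from reply #5, two invented VIP entries
# (10.10.10.1 is an assumed VIP), and one malformed line.
SAMPLE_CONF = """\
# constructed sample for the example
local-data: "007-gateway.com 60 IN A 0.0.0.0"
local-data: "00zasdf.pw 60 IN A 0.0.0.0"
local-data: "04dn8g4f.space 60 IN A 0.0.0.0"
local-data: "0755.pics 60 IN A 0.0.0.0"
local-data: "07zq44y2tmru.xyz 60 IN A 0.0.0.0"
local-data: "0emn.com 60 IN A 0.0.0.0"
local-data: "0fmm.com 60 IN A 0.0.0.0"
local-data: "0icep80f.com 60 IN A 0.0.0.0"
local-data: "0llii0g6.com 60 IN A 0.0.0.0"
local-data: "0pixl.com 60 IN A 0.0.0.0"
local-data: "example-ad.test 60 IN A 10.10.10.1"
local-data: "example-tracker.test 60 IN A 10.10.10.1"
local-data: "broken entry"
"""

if __name__ == "__main__":
    # Usage: audit_dnsbl.py [/var/unbound/pfb_dnsbl.conf] [allowed sink ...]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONF
    allowed = set(sys.argv[2:]) or {"0.0.0.0"}
    result = audit(text, allowed)
    print("entries:", result["total"], "by sink:", result["by_sink"])
    for e in result["unexpected"]:
        print("UNEXPECTED SINK:", e.name, "->", e.addr)
    for lineno, line in result["unparsed"]:
        print("unparsed line", lineno, ":", line)
    sys.exit(1 if result["unexpected"] or result["unparsed"] else 0)
```

The exit status makes the script usable from cron after each pfBlockerNG update: a non-zero exit means the regenerated file contains a sink you did not expect or a line the parser did not understand, which is exactly the silent revert reported above.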