
Author Topic: DNSBL Certificate errors  (Read 5862 times)


Offline BBcan177

  • Moderator
  • Hero Member
  • Posts: 2608
  • Karma: +821/-5
Re: DNSBL Certificate errors
« Reply #15 on: April 23, 2017, 10:12:10 pm »
Quote
After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.

If you make manual changes to the pfblockerng.inc file, those will be lost on a pkg installation. So you most likely installed v2.1.1_8 which reset the file back to default... The next release should have this fix built-in...
"Experience is something you don't get until just after you need it."

 | http://pfblockerng.com | Twitter @BBcan177  | #pfBlockerNG |

Offline SLIMaxPower

  • Jr. Member
  • Posts: 26
  • Karma: +0/-0
Re: DNSBL Certificate errors
« Reply #16 on: May 28, 2017, 04:03:38 am »
I followed this guide and Dropbox is refusing to connect.

DNSBL

May 28 14:34:43   Unknown   Unknown        www.google-analytics.com   
   Not available for HTTPS alerts

May 28 14:19:03   Unknown   Unknown        www.dropbox.com   
   Not available for HTTPS alerts

Both show the domains are in the whitelist.

IF and Source are Unknown and the list shows no match.

Offline BBcan177

  • Moderator
  • Hero Member
  • Posts: 2608
  • Karma: +821/-5
Re: DNSBL Certificate errors
« Reply #17 on: May 28, 2017, 06:40:20 pm »
Can you post a screenshot of the Whitelist and the Alerts Tab showing these blocked domains?

Offline SLIMaxPower

  • Jr. Member
  • Posts: 26
  • Karma: +0/-0
Re: DNSBL Certificate errors
« Reply #18 on: June 02, 2017, 02:54:59 am »
Currently the domains are whitelisted in the custom domain whitelist. Is this correct or should they go in the TLD whitelist

Offline BBcan177

  • Moderator
  • Hero Member
  • Posts: 2608
  • Karma: +821/-5
Re: DNSBL Certificate errors
« Reply #19 on: June 03, 2017, 10:52:39 am »
Quote
Currently the domains are whitelisted in the custom domain whitelist. Is this correct or should they go in the TLD whitelist

The Custom Domain Whitelist is used to "whitelist" domains...

The TLD Whitelist is only used in combination with TLD Blacklist... An example of that would be where you want to block all "ru" domains with TLD Blacklist, but you want to allow certain ru domains to get through.

Offline GoldServe

  • Sr. Member
  • Posts: 301
  • Karma: +1/-0
Re: DNSBL Certificate errors
« Reply #20 on: July 07, 2017, 10:52:11 am »
What is the option to not serve up a https image to avoid certificate errors in 2.1.1_8?

Offline Matze_

  • Newbie
  • Posts: 14
  • Karma: +0/-0
Re: DNSBL Certificate errors
« Reply #21 on: July 27, 2017, 07:44:52 am »
Quote
[ DNSBL FAIL ] [ Skipping : SuspiciousDomains ]

What feed URL are you using? There are three options available:

https://isc.sans.edu/feeds/suspiciousdomains_High.txt
https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
https://isc.sans.edu/feeds/suspiciousdomains_Low.txt

Otherwise check that you didn't copy/paste the new patched line incorrectly...
« Last Edit: July 27, 2017, 07:35:46 pm by BBcan177 »

Offline Sekrit

  • Jr. Member
  • Posts: 33
  • Karma: +0/-0
Re: DNSBL Certificate errors
« Reply #22 on: August 22, 2017, 07:58:42 pm »
Quote
After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.

If you make manual changes to the pfblockerng.inc file, those will be lost on a pkg installation. So you most likely installed v2.1.1_8 which reset the file back to default... The next release should have this fix built-in...

BBcan,
Just installed the next release and certificate error has returned.  :(
pfSense 2.3.3-p1 (pfBlockerNG, Snort, Squid).  VMware on Supermicro X11SSH-LN4F, Xeon E3-1425 v5, 16 GB

Offline BBcan177

  • Moderator
  • Hero Member
  • Posts: 2608
  • Karma: +821/-5
Re: DNSBL Certificate errors
« Reply #23 on: August 22, 2017, 08:00:10 pm »
Quote
After 2 weeks, I started getting certificate errors again.  Strangely, pfblockerng.inc reverted to the original (dnsbl_vip).  I replaced it and it works again.

If you make manual changes to the pfblockerng.inc file, those will be lost on a pkg installation. So you most likely installed v2.1.1_8 which reset the file back to default... The next release should have this fix built-in...

BBcan,
Just installed the next release and certificate error has returned.  :(

Sorry to get your hopes up... but the last release was just a small patch...  Not quite finished with it yet...

Offline kjstech

  • Newbie
  • Posts: 12
  • Karma: +0/-0
Re: DNSBL Certificate errors
« Reply #24 on: September 07, 2017, 07:41:37 pm »
The firewall rule worked!  I changed my DNSBL SSL port to 8082 though, since I have a UniFi controller running on my pfSense box on 8443.


Offline kvic

  • Newbie
  • Posts: 2
  • Karma: +0/-0
Re: DNSBL Certificate errors
« Reply #25 on: October 11, 2017, 01:03:39 pm »
Quote
Thanks for the links... It's not something that I would want for the package... MITM anything is bad in my books :)
I am working on improving this issue... So stay tuned...

You can decide what to include in your package. But pixelserv-tls is _not_ MITM blah.

Offline kvic

  • Newbie
  • Posts: 2
  • Karma: +0/-0
Re: DNSBL Certificate errors
« Reply #26 on: October 11, 2017, 01:06:11 pm »
Quote
Creating custom certs for domains you don't own is a MITM method.

Not that it would work for google.com as they use HSTS preloading and public-key pinning.  Browser makers bake information about the certificate chain for some sites into the package/installation.  The browser knows about the certs it should be expecting for those sites before a request is even made and will warn the user if the certificate has been tampered with.

First time I hear such a definition of MITM. Maybe you have a point. Perhaps blocking ads by poisoning DNS records shall be in this category too.

Your understanding of HSTS and what's built into Chrome/Firefox doesn't seem right to me.

Offline V3lcr0

  • Full Member
  • Posts: 228
  • Karma: +11/-0
Re: DNSBL Certificate errors
« Reply #27 on: October 11, 2017, 04:59:38 pm »
Just my 2 cents, not sure of the implications, but since upgrading to iOS 11.0.3 (including the 3 iOS updates in the last 2-3 weeks), where I used to get pop-ups in Safari on my iPhone, I now get a "Safari cannot open...could not establish a secure connection...".

In Firefox on Linux I got redirected to a certificate error...went through and made an exception...now I get the 1x1 pixel page.

I'll take a cert error or 1x1 pixel page...just no spying!!!

I love you BBCAN!

Offline NasKar

  • Jr. Member
  • Posts: 85
  • Karma: +1/-0
Re: DNSBL Certificate errors
« Reply #28 on: October 21, 2017, 10:08:54 am »
I've tried
Action: Reject
Interface: LAN
Address Family: IPv4
Protocol: TCP
Source: any
Destination: Single host or alias 127.0.0.1 or 10.10.10.1
Destination port range: custom 8443 (in both custom fields)

DNSBL configuration
DNSBL Virtual IP 127.0.0.1 or 10.10.10.1

It does prevent the certificate errors but doesn't block the ads on the yahoo.com home page on iPad or MacBook Pro.

If I edit the code on line 3636 in /usr/local/pkg/pfblockerng/pfblockerng.inc to
Code:
  $domain_data .= "local-data: \"" . $line . " 60 IN A 0.0.0.0\"\n";
No certificate error, but it doesn't block the ads on the yahoo.com home page on iPad or MacBook Pro.
I did reload the DNSBL.
My version of pfBlockerNG is 2.1.2

Not sure what I'm doing incorrectly.
Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: No
2 Gigs Ram
SSD with ver 2.4.0
IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)
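A worked model of the whitelist precedence BBcan177 describes in Reply #19 (Custom Domain Whitelist versus TLD Whitelist) and of the unbound local-data record NasKar patches in Reply #28. This is an added example, not pfBlockerNG's own code: the matching rule (an entry without a leading dot matches only that host, one with a leading dot also matches subdomains), the helper names and the feed/whitelist contents are assumptions constructed for the demonstration.

```python
"""Toy model of the DNSBL decisions discussed in this thread.

Added example, not pfBlockerNG's own code.  Assumptions, labelled here:
  - a whitelist entry written without a leading dot matches only that host;
    one written with a leading dot ('.example.com') also matches subdomains
  - FEED, the blacklists and the whitelists below are constructed sample input
"""
from typing import Iterable, List


def normalize(name: str) -> str:
    """Lower-case, trim whitespace and any trailing dot."""
    return name.strip().lower().rstrip(".")


def tld_of(name: str) -> str:
    return normalize(name).rsplit(".", 1)[-1]


def matches_whitelist(domain: str, entries: Iterable[str]) -> bool:
    """Assumed matching rule (see module docstring)."""
    domain = normalize(domain)
    for raw in entries:
        wildcard = raw.strip().startswith(".")
        entry = normalize(raw).lstrip(".")
        if domain == entry:
            return True
        if wildcard and domain.endswith("." + entry):
            return True
    return False


def should_block(domain: str, feed_domains: Iterable[str], tld_blacklist: Iterable[str],
                 custom_whitelist: Iterable[str], tld_whitelist: Iterable[str]) -> bool:
    """Precedence as described in Reply #19: the Custom Domain Whitelist
    exempts a domain from every block; the TLD Whitelist only carves
    exceptions out of the TLD Blacklist."""
    d = normalize(domain)
    if matches_whitelist(d, custom_whitelist):
        return False
    if tld_of(d) in {normalize(t) for t in tld_blacklist}:
        return not matches_whitelist(d, tld_whitelist)
    return d in {normalize(f) for f in feed_domains}


def unbound_local_data(domains: Iterable[str], sink_ip: str = "0.0.0.0",
                       ttl: int = 60) -> List[str]:
    """One unbound local-data record per blocked host, in the shape of the
    patched line quoted in Reply #28.  With 0.0.0.0 nothing answers the
    HTTPS request, so the browser shows no certificate warning (Reply #28
    reports this); with the DNSBL VIP the request reaches the DNSBL web
    server, whose certificate cannot match the sinkholed host name."""
    hosts = sorted({normalize(d) for d in domains})
    return [f'local-data: "{h} {ttl} IN A {sink_ip}"' for h in hosts]


# Constructed sample input
FEED = ["ads.example.com", "tracker.example.net", "www.dropbox.com",
        "www.google-analytics.com"]
TLD_BLACKLIST = ["ru"]
CUSTOM_WHITELIST = ["www.dropbox.com", ".google-analytics.com"]
TLD_WHITELIST = [".yandex.ru"]
CANDIDATES = FEED + ["mail.ru", "yandex.ru", "cdn.yandex.ru", "example.org"]


def build_dnsbl(sink_ip: str = "0.0.0.0") -> List[str]:
    """Apply the rule set to every candidate and emit the unbound records."""
    blocked = [d for d in CANDIDATES
               if should_block(d, FEED, TLD_BLACKLIST, CUSTOM_WHITELIST, TLD_WHITELIST)]
    return unbound_local_data(blocked, sink_ip)


if __name__ == "__main__":
    for line in build_dnsbl():
        print(line)
```

Running it prints three local-data lines sinkholed to 0.0.0.0 (ads.example.com, mail.ru, tracker.example.net); www.dropbox.com and www.google-analytics.com drop out through the Custom Domain Whitelist, and yandex.ru survives the "ru" TLD block only because of the TLD Whitelist. Call build_dnsbl("10.10.10.1") to see the VIP form from the same rule set.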

Offline repomanz

  • Jr. Member
  • Posts: 38
  • Karma: +0/-0
Re: DNSBL Certificate errors
« Reply #29 on: October 29, 2017, 07:12:38 pm »
Hi folks - I was wondering if others that have upgraded to pfSense 2.4.1 are having the certificate errors again?  Previously in 2.3.4 the solution described above was working fine with the LAN rule blocking any traffic to the DNSBL VIP.   Post upgrade to 2.4.1 I'm getting certificate errors again from my AV solution.  This began happening immediately after the upgrade of pfSense to 2.4.1.

Anyone else having this trouble?