
Author Topic: DNSBL blocks itself  (Read 324 times)


Offline lpallard

DNSBL blocks itself
« on: December 09, 2017, 08:10:28 pm »
Title says it all:  I am using latest DNSBL and recently a bunch of DNSBL feeds have stopped updating because another feed is blocking pfBlockerNG from accessing the feed's addresses.

All feeds are sourced from "https://raw.githubusercontent.com".  So I know the problem is that this domain is blacklisted by another feed but I am not sure which one.  When I try to manually go to "raw.githubusercontent.com" I get the 1x1 pixel of DNSBL which confirms what I thought.

Is there a way to tell DNSBL "don't block what you need"?  I guess one of the feeds has recently been updated to include raw.githubusercontent.com because up to last week or so all was fine...

Thanks!

Offline RonpfS

Re: DNSBL blocks itself
« Reply #1 on: December 09, 2017, 08:17:21 pm »
And you don't see that domain in the Alerts tab?
2.3.5-RELEASE-p1 (amd64)
Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
pfBlockerNG 2.1.2_2/Dev, suricata 4.0.1_1

Offline lpallard

Re: DNSBL blocks itself
« Reply #2 on: December 10, 2017, 10:43:51 am »
Not when DNSBL updates itself with CRON, but when I attempt to access the domain manually I see the alert.  Seems "https://malc0de.com/bl/BOOT" is the feed that blocks raw.githubusercontent.com.

What would be the best (intended) way of allowing access to this domain even if contained on a block list?

In DNSBL I see:

Custom Domain Whitelist
TLD Exclusion List
TLD Whitelist

Which one(s) are intended to allow manual access to a specific address/domain?  What are the differences (in a nutshell) between these?  For example, I don't see the difference between Custom Domain Whitelist and TLD Whitelist...  Custom is for single addresses while TLD is for top-level domains only?

Offline RonpfS

Re: DNSBL blocks itself
« Reply #3 on: December 10, 2017, 11:45:42 am »
githubusercontent.com is considered a TLD by pfBlockerNG.
Code:
grep githubusercontent.com /usr/local/pkg/pfblockerng/dnsbl_tld
githubusercontent.com

So you may put .githubusercontent.com in DNSBL Whitelist if you consider *.githubusercontent.com safe.

If you want to whitelist a specific subdomain of the githubusercontent.com domain and not the whole subdomain, then put githubusercontent.com in the TLD Exclusion List and do a Force Reload DNSBL.

Then access the URLs again and see what subdomains need to be whitelisted.
 




Offline BeerCan

Re: DNSBL blocks itself
« Reply #4 on: December 10, 2017, 07:01:42 pm »

Offline V3lcr0

Re: DNSBL blocks itself
« Reply #5 on: December 13, 2017, 12:22:53 pm »
Do you not see the "+" in the alerts tab of pfBlocker, in the DNSBL section? If I get a block in DNSBL I hit the "+" to unblock it....

Offline lpallard

Re: DNSBL blocks itself
« Reply #6 on: December 16, 2017, 11:23:11 am »
Seems to be fixed now, I added the top domain to the Custom Whitelist but instead of adding the domain manually like

".githubusercontent.com"

I clicked on the + sign on the alert page, and the following domains were added:

.githubusercontent.com
.github.map.fastly.net # CNAME for (raw.githubusercontent.com)

I think the problem was that ".github.map.fastly.net" needed to be added as well. Now it's working.

Offline BBcan177

  • Moderator
Re: DNSBL blocks itself
« Reply #7 on: December 18, 2017, 09:44:22 pm »
Quote from: lpallard
> Seems to be fixed now, I added the top domain to the Custom Whitelist but instead of adding the domain manually like
>
> ".githubusercontent.com"
>
> I clicked on the + sign on the alert page, and the following domains were added:
>
> .githubusercontent.com
> .github.map.fastly.net # CNAME for (raw.githubusercontent.com)
>
> I think the problem was that ".github.map.fastly.net" needed to be added as well. Now it's working.

Yes, whitelisting from the Alerts tab is the best, as it will automatically whitelist any CNAMEs...

You can still whitelist manually, but you should check for CNAMES... You could use a command as follows to find them:
Code:
drill example.com @8.8.8.8
"Experience is something you don't get until just after you need it."

 | http://pfblockerng.com | Twitter @BBcan177  | #pfBlockerNG |
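
The manual CNAME check described in the last reply, as an added example that is not part of the thread and is not pfBlockerNG's own code: it reads `drill` output and prints one whitelist line per CNAME target, in the ".domain # CNAME for (name)" form quoted above. The helper names `cname_whitelist` and `sample_drill_output` are hypothetical, and the embedded drill output is a constructed sample.

```shell
#!/bin/sh
# Added example: turn `drill` output into DNSBL whitelist lines, one per CNAME
# target, in the ".domain # CNAME for (name)" form quoted in the thread.
# cname_whitelist and sample_drill_output are hypothetical helper names.

cname_whitelist() {
    # $1 = the name that was queried; drill output is read from stdin.
    awk -v q="$1" '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/                 { in_answer = 0 }   # any other section ends it
        in_answer && toupper($4) == "CNAME" {
            target = tolower($5)
            sub(/\.$/, "", target)                # drop the trailing root dot
            if (!(target in seen)) {              # one line per distinct target
                seen[target] = 1
                printf ".%s # CNAME for (%s)\n", target, q
            }
        }
    '
}

# Constructed sample of `drill raw.githubusercontent.com` output. The CNAME is
# the one reported in the thread; the address is a documentation placeholder.
sample_drill_output() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4242
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; raw.githubusercontent.com. IN A

;; ANSWER SECTION:
raw.githubusercontent.com. 300 IN CNAME github.map.fastly.net.
github.map.fastly.net. 30 IN A 192.0.2.10

;; AUTHORITY SECTION:
EOF
}

# Offline run on the sample; against a live resolver it would be:
#   drill raw.githubusercontent.com @8.8.8.8 | cname_whitelist raw.githubusercontent.com
sample_drill_output | cname_whitelist raw.githubusercontent.com
```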