evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

failed to block list of domains #639

Closed molitona closed 2 years ago

molitona commented 2 years ago

I followed https://github.com/evilsocket/opensnitch/wiki/block-lists#how-to-add-a-global-rule-to-block-ads-or-trackers exactly. But, it's not working. Visiting block-test.developerdan.com shows


Include the following information:

systemctl status opensnitch shows

Feb 28 19:16:07 Unknown opensnitchd[178690]: [2022-02-28 18:16:07]  INF  loading domains lists: lists, lists.domains, /media/rules/ads-list
Feb 28 19:16:07 Unknown opensnitchd[178690]: [2022-02-28 18:16:07]  INF  monitor lists started: /media/rules/ads-list
Feb 28 19:16:07 Unknown opensnitchd[178690]: [2022-02-28 18:16:07]  INF  clearing domains lists: 0 - /media/rules/ads-list
Feb 28 19:16:07 Unknown opensnitchd[178690]: [2022-02-28 18:16:07]  INF  407526 domains loaded, /media/rules/ads-list/ads-and-tracking-extended.txt
Feb 28 19:16:07 Unknown opensnitchd[178690]: [2022-02-28 18:16:07]  INF  1 lists loaded, 407526 domains, 0 duplicated

The /var/log/opensnitch file doesn't store any new log since [2021-09-03 08:18:45]. I dunno why?

gustavo-iniguez-goya commented 2 years ago

Hi @molitona ,

What's the name of the rule that should block ads domains? Is [x] Priority rule marked?

If you double click on the rule, are there domains blocked by that rule?

What domain resolver are you using? Can you post your /etc/resolv.conf? If it contains entries pointing to 127.0.0.1 or similar, could you change it to 1.1.1.1 and see if it's blocked?

Also, a simple telnet or curl to that domain will tell you if it's working or not:

$ telnet block-test.developerdan.com 80
telnet: could not resolve block-test.developerdan.com/80: Name or service not known
molitona commented 2 years ago

What's the name of the rule that should block ads domains? is [x] Priority rule marked?


If you double click on the rule, are there domains blocked by that rule?

No, nothing.

/etc/resolv.conf contains

# Generated by NetworkManager
nameserver 127.0.0.1

In fact, I'm using stubby for DNS over TLS. I set the DNS server to 127.0.0.1 in NetworkManager after configuring stubby to get it to work.

Also, a simple telnet or curl to that domain will tell you if it's working or not:

% telnet block-test.developerdan.com 80
Trying 188.114.96.0...
Connected to block-test.developerdan.com.
Escape character is '^]'.
d
HTTP/1.1 400 Bad Request
Server: cloudflare
Date: Tue, 01 Mar 2022 22:00:07 GMT
Content-Type: text/html
Content-Length: 155
Connection: close
CF-RAY: -

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
Connection closed by foreign host.
gustavo-iniguez-goya commented 2 years ago

In fact, I'm using stubby for DNS over TLS

This is a known problem.

Try it out please with the DNS server 1.1.1.1 (or 9.9.9.9, whatever except 127.0.0.1), only to verify that the rule works: /etc/resolv.conf -> nameserver 1.1.1.1 (by the way, [x] Enable .. just in case O:])

If it works with 1.1.1.1, then compile the opensnitch-dns.o module following these instructions: https://github.com/evilsocket/opensnitch/tree/master/ebpf_prog

If you want I can compile it for you.
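The two checks this thread turns on, as an added shell diagnostic (not OpenSnitch code and not posted by either participant): it lists nameservers in a resolv.conf-style input that point at loopback, the stub-resolver setup that hides DNS answers from opensnitchd unless the eBPF DNS module is used, and it parses a block list, counting entries and duplicates the way the daemon's "N domains loaded, M duplicated" line does, and tests whether a domain is listed. It assumes the list is in hosts format (`0.0.0.0 domain`); both inputs are constructed samples embedded inline.

```shell
#!/bin/sh
# Added diagnostic (not OpenSnitch code). Inputs below are constructed samples.

# Sample resolv.conf pointing at a local stub resolver (stubby / systemd-resolved).
SAMPLE_RESOLV='# Generated by NetworkManager
nameserver 127.0.0.1
nameserver ::1'

# Sample block list in hosts format, with a comment line and one duplicate entry.
SAMPLE_LIST='# constructed sample list
0.0.0.0 block-test.developerdan.com
0.0.0.0 ads.example.net
127.0.0.1 ads.example.net
0.0.0.0 tracker.example.org'

# Print the nameservers that point at loopback (127.x.x.x or ::1); exit 1 if none.
loopback_nameservers() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" && ($2 ~ /^127\./ || $2 == "::1") { print $2; found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Extract domains from a hosts-format list: skip comments and blank lines,
# take the second field of 0.0.0.0 / 127.0.0.1 lines, lowercase it.
list_domains() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == "0.0.0.0" || $1 == "127.0.0.1" { print tolower($2) }'
}

# Count unique domains and duplicates, like the daemon's "N domains loaded, M duplicated".
count_domains() {
    list_domains "$1" | sort -u | wc -l | tr -d ' '
}
count_duplicates() {
    total=$(list_domains "$1" | wc -l | tr -d ' ')
    echo $(( total - $(count_domains "$1") ))
}

# Exit 0 if the domain is in the list (case-insensitive, whole-line match), 1 otherwise.
domain_blocked() {
    list_domains "$1" | grep -qix "$2"
}

if loopback_nameservers "$SAMPLE_RESOLV" >/dev/null; then
    echo "loopback resolver in use: opensnitchd cannot see DNS answers without the eBPF DNS module"
fi
echo "$(count_domains "$SAMPLE_LIST") domains, $(count_duplicates "$SAMPLE_LIST") duplicated"
```

Run it against the real files with `loopback_nameservers "$(cat /etc/resolv.conf)"` and `domain_blocked "$(cat /media/rules/ads-list/ads-and-tracking-extended.txt)" block-test.developerdan.com` to check the same two things on a live system.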

molitona commented 2 years ago

I selected Enable, tried both 1.1.1.1 and 9.9.9.9 and got the same result.

gustavo-iniguez-goya commented 2 years ago

Ok, the first thing is to remove systemd-resolved from the equation.

If the test domain is not blocked and the rule view shows 0 domains blocked:

Set log level to DEBUG while you reproduced it, and post it to the issue please.

molitona commented 2 years ago

Hi @gustavo-iniguez-goya. Before testing that, I have a little problem I mentioned earlier. Since [2021-09-03 08:18:45] no log is appended to /var/log/opensnitchd.log. Even after setting it to DEBUG nothing is added there...

gustavo-iniguez-goya commented 2 years ago

oops, that's really strange.

Is the daemon running? $ pgrep -a opensnitchd

If it's not running, try launching it from a terminal as root: # /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules

If it's running, restart it: service opensnitchd restart

LogLevel should be set to 0 in /etc/opensnitchd/default-config.json

molitona commented 2 years ago

It's running and log level set to 2 but it's not logging.


gustavo-iniguez-goya commented 2 years ago

Ok. If you set log level to DEBUG from the GUI, LogLevel in /etc/opensnitchd/default-config.json should be 0. If configuring log level to DEBUG doesn't change LogLevel value, then something is broken in your installation.

I suggest you reinstall opensnitch.

molitona commented 2 years ago

It showed me that msg when changing it from the GUI

I modified it in json file directly and logging works

gustavo-iniguez-goya commented 2 years ago

Regarding that error, you need to install AUR opensnitch-ebpf-module: https://aur.archlinux.org/packages/opensnitch-ebpf-module

After installing that package, please, follow these steps to debug the problem: https://github.com/evilsocket/opensnitch/issues/639#issuecomment-1062008124

I think the main problem is systemd-resolved

molitona commented 2 years ago

I tried all that you said, no results!

https://pastebin.com/Fk9hJrF1

gustavo-iniguez-goya commented 2 years ago

Thanks for the logs @molitona. According to the latest entries, you still have systemd-resolved running:

[2022-03-15 19:03:46] DBG /usr/lib/systemd/systemd-resolved -> dns.quad9.net (msystemd-resolved-{TCP,UDP}-53)

I suggest you perform the following steps:

If you want we can talk about this at #opensnitch:matrix.org, otherwise it's going to be really difficult to debug this problem.

molitona commented 2 years ago

Thanks, I'll do. Is opensnitch supposed to block DNS requests for the domains in the list only, or does it also block TCP requests to 80 and 443 from those domains too?

gustavo-iniguez-goya commented 2 years ago

opensnitch will block every request to the domains in the list, regardless of the port or protocol.

molitona commented 2 years ago

Thanks, it's working now, dunno why.

Also, that block-test.developerdan.com is misleading; it always shows the picture mentioned in the post.

gustavo-iniguez-goya commented 2 years ago

Solved. Closing.