Subject: Re: Feedback on issues with DNSFW in CU201 Testing
From: Michael Tremer
Date: Fri, 20 Mar 2026 15:56:06 +0000
To: Adolf Belka
Cc: "IPFire: Development-List", dbl@lists.ipfire.org
Message-Id: <9786EB04-D529-48D2-9BB6-AEF37B246714@ipfire.org>

Hello Adolf,

I am copying the DBL list, too.

So this is obviously not normal, but we can debug this step by step:

First of all, we should check if Unbound was able to successfully fetch the DNS zones. Gambling has clearly been downloaded, but it seems that the Porn list might not. You can check in /var/cache/unbound if there is the zone file. If yes, then you can try to resolve a couple of things on the console and check if they are being blocked:

  # dig @localhost some.porn.website.com

You should see NXDOMAIN if the domain exists and has been blocked and you should see the log entries just like gambling.

This rules out anything that is going wrong between the browser and Unbound.

In case of the URL filter, it simply seems that squidguard is not seeing the requests. You might as well try something like:

  # http_proxy=http://1.2.3.4:800 https_proxy=http://1.2.3.4:800 wget -d http://some.porn.website.com

The squidguard.log should also contain some interesting information if something didn’t go as planned.

-Michael

> On 20 Mar 2026, at 12:30, Adolf Belka wrote:
>
> Hi All,
>
> I am having issues with getting DNSFW to work properly, it fails in many conditions to block things from the list.
>
> The dbl list works fine for me in the URL Filter for both CU200 and CU201 Testing.
>
> For my testing I created a new install of CU201 Testing and just went straight to DNSFW and enabled the Gambling and Pornography categories and Saved.
>
> Then selected the Green network for both categories using the pencil edit option.
>
> In this setup I had no Web Proxy enabled.
>
> I then cleared the browser cache and set the Browser to No Proxy.
>
> I then tested out nl.onecasino.com and www.xnxx.com in Firefox and in Netsurf.
>
> The gambling site was blocked and gave the message
>
> Unable to connect
> Firefox can’t establish a connection to the server at nl.onecasino.com.
>
> For the porn site it was not blocked but opened up.
> I tried with two other gambling and porn sites. All three gambling sites were blocked. All three porn sites were allowed through.
>
> In the DNS: Unbound System Logs I found
>
> 12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44247 www.postcodeloterij.nl. A IN
> 12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44356 www.postcodeloterij.nl. HTTPS IN
> 12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@55955 nl.onecasino.com. A IN
> 12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@49136 nl.onecasino.com. HTTPS IN
> 12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@47229 welkom.hollandcasino.nl. A IN
> 12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@43346 welkom.hollandcasino.nl. HTTPS IN
>
> So the blocked gambling sites were in the logs but not any of the pornography sites I had tested.
>
> Then tried the browser with the Network Settings set to Use system proxy settings and the same result occurred.
>
> I then turned on the Web Proxy with conventional connection on port 800. Saved and restarted and then Cleared the web proxy cache.
> Then I cleared the browser cache and set the Network Settings to Manual proxy configuration with the IP of my IPFire system being tested.
>
> I then tested the same three gambling URLs and Porn URLs.
> All of the sites were opened up.
> In the DNS: Unbound system log there were no new entries.
> In the Proxy Logs there were entries for the gambling and porn sites.
>
> I have also tested the browser out using the web proxy with the Automatic proxy configuration URL accessing the wpad file via dhcp and that also had the same results as using the Manual proxy configuration option.
>
> I have repeated a lot of my tests multiple times, also with repeated new installs and for me, as long as I ensured I had cleared the web proxy and browser caches, always came up with the same results as I have described above.
>
> It would be good to know if any of you also experience the same effect or if it works without problems for yourselves.
>
> Regards,
>
> Adolf.
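
Added example, not part of either message and not IPFire code: the log check discussed in this thread can be scripted. This Python script parses Unbound "rpz: applied" lines in the format shown in the quoted report and shows which tested names never produced a policy hit. The function names and the shortened sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Three of the log lines from the quoted report, one per blocked site.
SAMPLE_LOG = """\
12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44247 www.postcodeloterij.nl. A IN
12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@49136 nl.onecasino.com. HTTPS IN
12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@47229 welkom.hollandcasino.nl. A IN
"""

# Field layout taken from the lines above: [zone] trigger action client@port qname qtype qclass
RPZ_RE = re.compile(
    r"rpz: applied \[(?P<zone>[^\]]+)\] (?P<trigger>\S+) (?P<action>\S+) "
    r"(?P<client>[^@\s]+)@(?P<port>\d+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)"
)

def parse_rpz_hits(log_text):
    """Return one dict per 'rpz: applied' line; all other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = RPZ_RE.search(line)
        if m:
            hit = m.groupdict()
            hit["qname"] = hit["qname"].rstrip(".").lower()  # normalise the FQDN
            hits.append(hit)
    return hits

def coverage(log_text, tested):
    """Map each tested name to the set of RPZ zones that fired for it.

    An empty set means no 'rpz: applied' entry was logged for that name,
    which is the symptom reported for the second category in the thread.
    """
    fired = defaultdict(set)
    for hit in parse_rpz_hits(log_text):
        fired[hit["qname"]].add(hit["zone"])
    return {name: fired.get(name.rstrip(".").lower(), set()) for name in tested}

if __name__ == "__main__":
    # The second name is the placeholder used in the reply, not a real host.
    for name, zones in coverage(SAMPLE_LOG, ["nl.onecasino.com", "some.porn.website.com"]).items():
        status = "blocked by " + ", ".join(sorted(zones)) if zones else "no RPZ hit logged"
        print(f"{name}: {status}")
```

A name with no hit still needs the zone-file and dig checks from the reply to tell a missing zone apart from a name that is simply not listed.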