* Feedback on issues with DNSFW in CU201 Testing
From: Adolf Belka @ 2026-03-20 12:30 UTC
To: IPFire: Development-List

Hi All,

I am having issues with getting DNSFW to work properly, it fails in many conditions to block things from the list.

The dbl list works fine for me in the URL Filter for both CU200 and CU201 Testing.

For my testing I created a new install of CU201 Testing and just went straight to DNSFW and enabled the Gambling and Pornography categories and Saved.

Then selected the Green network for both categories using the pencil edit option.

In this setup I had no Web Proxy enabled.

I then cleared the browser cache and set the Browser to No Proxy.

I then tested out nl.onecasino.com and www.xnxx.com in Firefox and in Netsurf

The gambling site was blocked and gave the message

Unable to connect
Firefox can’t establish a connection to the server at nl.onecasino.com.

For the porn site it was not blocked but opened up.
I tried with two other gambling and porn sites. All three gambling sites were blocked. All three porn sites were allowed through.

In the DNS: Unbound System Logs I found

12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44247 www.postcodeloterij.nl. A IN
12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44356 www.postcodeloterij.nl. HTTPS IN
12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@55955 nl.onecasino.com. A IN
12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@49136 nl.onecasino.com. HTTPS IN
12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@47229 welkom.hollandcasino.nl. A IN
12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@43346 welkom.hollandcasino.nl. HTTPS IN

So the blocked gambling sites were in the logs but not any of the pornography sites I had tested.

Then tried the browser with the Network Settings set to Use system proxy settings and the same result occurred.

I then turned on the Web Proxy with conventional connection on port 800. Saved and restarted and then Cleared the web proxy cache.
Then I cleared the browser cache and set the Network Settings to Manual proxy configuration with the IP of my IPFire system being tested.

I then tested the same three gambling URLs and Porn URLs.
All of the sites were opened up.
In the DNS: Unbound system log there were no new entries.
In the Proxy Logs there were entries for the gambling and porn sites.

I have also tested the browser out using the web proxy with the Automatic proxy configuration URL accessing the wpad file via dhcp and that also had the same results as using the Manual proxy configuration option.

I have repeated a lot of my tests multiple times, also with repeated new installs and for me, as long as I ensured I had cleared the web proxy and browser caches, always came up with the same results as I have described above.

It would be good to know if any of you also experience the same effect or if it works without problems for yourselves.

Regards,

Adolf.

* Re: Feedback on issues with DNSFW in CU201 Testing
From: Michael Tremer @ 2026-03-20 15:56 UTC
To: Adolf Belka; +Cc: IPFire: Development-List, dbl

Hello Adolf,

I am copying the DBL list, too.

So this is obviously not normal, but we can debug this step by step:

First of all, we should check if Unbound was able to successfully fetch the DNS zones. Gambling has clearly been downloaded, but it seems that the Porn list might not. You can check in /var/cache/unbound if there is the zone file. If yes, then you can try to resolve a couple of things on the console and check if they are being blocked:

# dig @localhost some.porn.website.com

You should see NXDOMAIN if the domain exists and has been blocked and you should see the log entries just like gambling.

This rules out anything that is going wrong between the browser and Unbound.

In case of the URL filter, it simply seems that squidguard is not seeing the requests. You might as well try something like:

# http_proxy=http://1.2.3.4:800 https_proxy=http://1.2.3.4:800 wget -d http://some.porn.website.com

The squidguard.log should also contain some interesting information if something didn’t go as planned.

-Michael

> On 20 Mar 2026, at 12:30, Adolf Belka <adolf.belka@ipfire.org> wrote:
>
> Hi All,
>
> I am having issues with getting DNSFW to work properly, it fails in many conditions to block things from the list.
>
> The dbl list works fine for me in the URL Filter for both CU200 and CU201 Testing.
>
> For my testing I created a new install of CU201 Testing and just went straight to DNSFW and enabled the Gambling and Pornography categories and Saved.
>
> Then selected the Green network for both categories using the pencil edit option.
>
> In this setup I had no Web Proxy enabled.
>
> I then cleared the browser cache and set the Browser to No Proxy.
>
> I then tested out nl.onecasino.com and www.xnxx.com in Firefox and in Netsurf
>
> The gambling site was blocked and gave the message
>
> Unable to connect
> Firefox can’t establish a connection to the server at nl.onecasino.com.
>
> For the porn site it was not blocked but opened up.
> I tried with two other gambling and porn sites. All three gambling sites were blocked. All three porn sites were allowed through.
>
> In the DNS: Unbound System Logs I found
>
> 12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44247 www.postcodeloterij.nl. A IN
> 12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44356 www.postcodeloterij.nl. HTTPS IN
> 12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@55955 nl.onecasino.com. A IN
> 12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@49136 nl.onecasino.com. HTTPS IN
> 12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@47229 welkom.hollandcasino.nl. A IN
> 12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@43346 welkom.hollandcasino.nl. HTTPS IN
>
> So the blocked gambling sites were in the logs but not any of the pornography sites I had tested.
>
> Then tried the browser with the Network Settings set to Use system proxy settings and the same result occurred.
>
> I then turned on the Web Proxy with conventional connection on port 800. Saved and restarted and then Cleared the web proxy cache.
> Then I cleared the browser cache and set the Network Settings to Manual proxy configuration with the IP of my IPFire system being tested.
>
> I then tested the same three gambling URLs and Porn URLs.
> All of the sites were opened up.
> In the DNS: Unbound system log there were no new entries.
> In the Proxy Logs there were entries for the gambling and porn sites.
>
> I have also tested the browser out using the web proxy with the Automatic proxy configuration URL accessing the wpad file via dhcp and that also had the same results as using the Manual proxy configuration option.
>
> I have repeated a lot of my tests multiple times, also with repeated new installs and for me, as long as I ensured I had cleared the web proxy and browser caches, always came up with the same results as I have described above.
>
> It would be good to know if any of you also experience the same effect or if it works without problems for yourselves.
>
> Regards,
>
> Adolf.

* Re: Feedback on issues with DNSFW in CU201 Testing
From: Adolf Belka @ 2026-03-20 16:59 UTC
To: Michael Tremer; +Cc: development, dbl

Hi Michael,

On 20/03/2026 16:56, Michael Tremer wrote:
> Hello Adolf,
>
> I am copying the DBL list, too.

Good idea. I was just thinking of it being related to a Testing issue.

>
> So this is obviously not normal, but we can debug this step by step:
>
> First of all, we should check if Unbound was able to successfully fetch the DNS zones. Gambling has clearly been downloaded, but it seems that the Porn list might not. You can check in /var/cache/unbound if there is the zone file. If yes, then you can try to resolve a couple of things on the console and check if they are being blocked:

I should have already mentioned this but forgot. It was one of the first things I checked and I have just re-confirmed now. The porn zone file is present. It was updated at 11:40 CET and the Gambling zone was updated at 12:53 CET. I also checked that the zone file contained the URLs being used and it did and does.

>
> # dig @localhost some.porn.website.com
>
> You should see NXDOMAIN if the domain exists and has been blocked and you should see the log entries just like gambling.

Got

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54293
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

So NXDOMAIN is in the answer but there was nothing additional in the unbound log. The last entry in it was from 12:58:50 when I did the tests with the gambling sites and if there was an entry it should have a timestamp for around 17:45

>
> This rules out anything that is going wrong between the browser and Unbound.
>
> In case of the URL filter, it simply seems that squidguard is not seeing the requests. You might as well try something like:

With the URL Filter enabled and DNSFW disabled then the URL Filter blocks and logs both the Gambling and Porn site accesses. Sorry if that came across differently in my mail. The URL Filter works fine for me with both CU200 and CU201 Testing.

>
> # http_proxy=http://1.2.3.4:800 https_proxy=http://1.2.3.4:800 wget -d http://some.porn.website.com
>
> The squidguard.log should also contain some interesting information if something didn’t go as planned.
>
> -Michael
>
>> On 20 Mar 2026, at 12:30, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Hi All,
>>
>> I am having issues with getting DNSFW to work properly, it fails in many conditions to block things from the list.
>>
>> The dbl list works fine for me in the URL Filter for both CU200 and CU201 Testing.
>>
>> For my testing I created a new install of CU201 Testing and just went straight to DNSFW and enabled the Gambling and Pornography categories and Saved.
>>
>> Then selected the Green network for both categories using the pencil edit option.
>>
>> In this setup I had no Web Proxy enabled.
>>
>> I then cleared the browser cache and set the Browser to No Proxy.
>>
>> I then tested out nl.onecasino.com and www.xnxx.com in Firefox and in Netsurf
>>
>> The gambling site was blocked and gave the message
>>
>> Unable to connect
>> Firefox can’t establish a connection to the server at nl.onecasino.com.
>>
>> For the porn site it was not blocked but opened up.
>> I tried with two other gambling and porn sites. All three gambling sites were blocked. All three porn sites were allowed through.
>>
>> In the DNS: Unbound System Logs I found
>>
>> 12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44247 www.postcodeloterij.nl. A IN
>> 12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44356 www.postcodeloterij.nl. HTTPS IN
>> 12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@55955 nl.onecasino.com. A IN
>> 12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@49136 nl.onecasino.com. HTTPS IN
>> 12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@47229 welkom.hollandcasino.nl. A IN
>> 12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@43346 welkom.hollandcasino.nl. HTTPS IN
>>
>> So the blocked gambling sites were in the logs but not any of the pornography sites I had tested.
>>
>> Then tried the browser with the Network Settings set to Use system proxy settings and the same result occurred.
>>
>> I then turned on the Web Proxy with conventional connection on port 800. Saved and restarted and then Cleared the web proxy cache.
>> Then I cleared the browser cache and set the Network Settings to Manual proxy configuration with the IP of my IPFire system being tested.
>>
>> I then tested the same three gambling URLs and Porn URLs.
>> All of the sites were opened up.
>> In the DNS: Unbound system log there were no new entries.
>> In the Proxy Logs there were entries for the gambling and porn sites.
>>
>> I have also tested the browser out using the web proxy with the Automatic proxy configuration URL accessing the wpad file via dhcp and that also had the same results as using the Manual proxy configuration option.
>>
>> I have repeated a lot of my tests multiple times, also with repeated new installs and for me, as long as I ensured I had cleared the web proxy and browser caches, always came up with the same results as I have described above.
>>
>> It would be good to know if any of you also experience the same effect or if it works without problems for yourselves.
>>
>> Regards,
>>
>> Adolf.
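
The cross-check done by hand in this thread (which tested names produced an "rpz: applied" entry in the Unbound log, and which did not) can be scripted. The following is an added example, not part of the original messages or of IPFire's code; the log layout is inferred from the lines quoted in the thread, and the function names and the TESTED list are hypothetical.

```python
import re
from collections import defaultdict

# Layout inferred from the log lines quoted in the thread (an assumption):
# HH:MM:SS unbound: [pid:tid] info: rpz: applied [zone] trigger action client@port qname qtype IN
RPZ_LINE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d) unbound: \[\d+:\d+\] info: rpz: applied "
    r"\[(?P<zone>[^\]]+)\] (?P<trigger>\S+) (?P<action>\S+) "
    r"(?P<client>[^@\s]+)@\d+ (?P<qname>\S+) (?P<qtype>\S+) IN$"
)

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def parse_rpz_log(lines):
    """Return one dict per 'rpz: applied' line; all other lines are skipped."""
    return [m.groupdict() for m in (RPZ_LINE.search(l.strip()) for l in lines) if m]

def trigger_covers(trigger, qname):
    """QNAME trigger: exact owner name, or '*.zone' for names below zone (not the apex)."""
    t, q = norm(trigger), norm(qname)
    return q.endswith("." + t[2:]) if t.startswith("*.") else q == t

def blocked_by_zone(hits):
    """Map policy zone -> set of query names logged as rewritten by that zone."""
    zones = defaultdict(set)
    for h in hits:
        if trigger_covers(h["trigger"], h["qname"]):
            zones[h["zone"]].add(norm(h["qname"]))
    return dict(zones)

def unlogged(hits, tested):
    """Tested names that have no 'rpz: applied' entry at all."""
    logged = {norm(h["qname"]) for h in hits}
    return [n for n in tested if norm(n) not in logged]

# Three lines copied from the thread plus one constructed non-RPZ line.
SAMPLE_LOG = [
    "12:52:26 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44247 www.postcodeloterij.nl. A IN",
    "12:51:32 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@49136 nl.onecasino.com. HTTPS IN",
    "12:50:41 unbound: [1820:0] info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@47229 welkom.hollandcasino.nl. A IN",
    "12:58:50 unbound: [1820:0] info: service stopped (constructed non-RPZ line)",
]
# Names tested; the last one is the placeholder used in the thread.
TESTED = ["nl.onecasino.com", "welkom.hollandcasino.nl", "some.porn.website.com"]

if __name__ == "__main__":
    hits = parse_rpz_log(SAMPLE_LOG)
    print(blocked_by_zone(hits))
    print("no rpz log entry:", unlogged(hits, TESTED))
```

A name reported by unlogged() that still returns NXDOMAIN from dig is the case described in the last message: the answer is rewritten or absent, but the log alone cannot show which policy zone, if any, was responsible.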