Diversion Type 65 Blocking killing website loading of certain sites

Zastoff

Very Senior Member
The links you provided in your post work fine for me and I have type 65 blocked with Diversion. (Tested from my Android phone)
 

Zastoff

Very Senior Member
Tested those sites on my windows pc as well now and it worked fine again.
Maybe a mac os / browser related issue/requirement.
 

ComputerSteve

Senior Member
As well as some others.
Tested those sites on my windows pc as well now and it worked fine again.
Maybe a mac os / browser related issue/requirement.
I appreciate you testing, however as I'm saying, I'm having this problem with Apple devices. Windows / Android I'm not using.
 

JemTheWire

Senior Member
Well, I can access those sites via my iPad and iPhone with Type 65 blocking enabled.
 

Treadler

Very Senior Member

Mutzli

Very Senior Member
Did you try a different browser in Mac OS? Both sites work from my location as well.
 

chongnt

Very Senior Member
When I saw this post, I was using mobile data with vpn connected back to home Asus router. DNS query type 65 is blocked and I can load both sites.
However, when I get home and connect directly to the router over wifi, I can reproduce the issue. o_O.
I tried disabling adblock, unbound, etc., removed the type 65 blocking rule and then did a packet capture while the pages were loading properly. Somehow I cannot find the matching hex-string 0000410001.
A couple of months ago @SomeWhereOverTheRainBow suggested to me to get rid of the rule in the INPUT chains and keep the rules in the OUTPUT chain instead. With this, the page can load properly. Perhaps @ComputerSteve wants to give this a try if you have the time?

Code:
##ipv4
iptables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns

##ipv6
ip6tables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns
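To make the hex-string in the rules above less opaque: `0000410001` is the end of the DNS question section, i.e. the QNAME's terminating zero byte, then QTYPE 65 (HTTPS) as `0041`, then QCLASS IN as `0001`. The script below is an added example, not Diversion's code and not from anyone in this thread; it builds minimal DNS queries in Python and emulates the `-m string` substring match so you can see exactly which packets the rule would drop and at what offset the pattern sits. The `--icase` emulation is my own reading of the kernel match (it lower-cases both pattern and payload), and the `example.com` queries are constructed sample input.

```python
"""Why the Diversion type-65 rule matches: build a DNS query and locate the
bytes that '-m string --hex-string "|0000410001|"' searches for.
Added example; not part of Diversion or of any post in the thread."""
import struct

QTYPE_A = 1
QTYPE_AAAA = 28
QTYPE_HTTPS = 65      # HTTPS resource record, the "type 65" Diversion blocks
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels (length byte + label), terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, QDCOUNT=1) + one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def match_pattern(qtype: int) -> bytes:
    """The byte sequence the iptables rule looks for: the QNAME terminator 0x00,
    then QTYPE, then QCLASS IN. For qtype 65 this is 00 00 41 00 01."""
    return b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def rule_would_drop(packet: bytes, qtype: int = QTYPE_HTTPS, icase: bool = True) -> bool:
    """Emulate '-m string --hex-string ... --algo bm --to 65535': a plain substring
    search over the whole payload. With --icase (as in the thread's rules) the
    kernel lower-cases both sides, so 0x41 ('A') also matches 0x61 ('a'); that
    widens the match to QTYPE 0x0061 as well, harmless in practice but worth knowing."""
    pattern = match_pattern(qtype)
    if icase:
        return pattern.lower() in packet.lower()
    return pattern in packet


def pattern_offset(packet: bytes, qtype: int = QTYPE_HTTPS) -> int:
    """Byte offset of the pattern inside the DNS payload, or -1 if absent."""
    return packet.find(match_pattern(qtype))


if __name__ == "__main__":
    # Constructed sample queries for example.com (not captured traffic).
    for qt, label in ((QTYPE_A, "A"), (QTYPE_AAAA, "AAAA"), (QTYPE_HTTPS, "HTTPS")):
        pkt = build_query("example.com", qt)
        print(f"{label:5} query: {pkt.hex()}")
        print(f"      dropped by type-65 rule: {rule_would_drop(pkt)}"
              f" (pattern offset {pattern_offset(pkt)})")
    print("rule pattern:", match_pattern(QTYPE_HTTPS).hex())
```

Running it shows the A and AAAA queries untouched and the HTTPS query matched at offset 24 (12 bytes of header plus 12 bytes of `example.com` labels before the terminator). It also illustrates why a capture taken on the wrong interface or chain shows no match: the pattern only exists in a plaintext DNS question, so it is absent from traffic that has already been resolved by the router's own resolver, from encrypted DNS, and from answers, where the record name is usually a compression pointer rather than a zero byte.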
 

ComputerSteve

Senior Member
When I saw this post, I was using mobile data with vpn connected back to home Asus router. DNS query type 65 is blocked and I can load both sites.
However, when I get home and connect directly to the router over wifi, I can reproduce the issue. o_O.
I tried disabling adblock, unbound, etc., removed the type 65 blocking rule and then did a packet capture while the pages were loading properly. Somehow I cannot find the matching hex-string 0000410001.
A couple of months ago @SomeWhereOverTheRainBow suggested to me to get rid of the rule in the INPUT chains and keep the rules in the OUTPUT chain instead. With this, the page can load properly. Perhaps @ComputerSteve wants to give this a try if you have the time?

Code:
##ipv4
iptables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns

##ipv6
ip6tables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns
Should I do those commands with type 65 enabled or disabled?
 

ComputerSteve

Senior Member
So I'm a novice really at this.. Where exactly do I run this command? When I login to ssh on mac terminal then paste this iptables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns ... Nothing happens.
 

ComputerSteve

Senior Member
All I know is it’s something with diversion. When I disable diversion the sites listed above and after playing with things I narrowed it down to the setting type 65. If I have that disabled the sites work. As soon as I enable that setting it doesn’t.
 

Viktor Jaep

Very Senior Member
Maybe the @thelonelycoder can chime in on what might be happening. I love diversion I’m just noticing that something isn’t working correctly. At least for me.
I don't suppose you added microsoft.com to the Diversion whitelist, did you? That might solve this issue on a case-by-case basis?
 

ComputerSteve

Senior Member
I don't suppose you added microsoft.com to the Diversion whitelist, did you? That might solve this issue on a case-by-case basis?
But why do I need to do that? I don't need to do that when I have Type 65 blocking disabled. Meaning now I would need a white list for just type 65 blocking lol.
 

SomeWhereOverTheRainBow

Part of the Furniture
So I'm a novice really at this.. Where exactly do I run this command? When I login to ssh on mac terminal then paste this iptables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns ... Nothing happens.
So give it a try, disable your type65 option in diversion, and input these rules

Code:
##ipv4
iptables -I OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns 
##ipv6
ip6tables -I OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns

Into the plain ssh terminal. From here switch to your test platform of choice to see if the rules are working properly. If they are let us know and we will move on to the next step of placing the rules in a more permanent place such as firewall start.
 

ComputerSteve

Senior Member
But when I enter that command it just looks like nothing happened, meaning I get no output in the ssh shell; it just goes to a new line /tmp/home/root#
 

SomeWhereOverTheRainBow

Part of the Furniture
But when I enter that command it just looks like nothing happened, meaning I get no output in the ssh shell; it just goes to a new line /tmp/home/root#
That is normal. You would see no output if the rule worked.

What is the output of

iptables-save

If you see the rule in that output list, then it took the rule.
 
