Diversion Type 65 Blocking killing website loading of certain sites


The links you provided in your post work fine for me, and I have type 65 blocked with Diversion. (Tested from my Android phone.)
 
Tested those sites on my Windows PC as well now and they worked fine again.
Maybe a macOS / browser-related issue/requirement.
 
I appreciate you testing; however, as I'm saying, I'm having this problem with Apple devices. Windows / Android I'm not using.
 
Well, I can access those sites via my iPad and iPhone with Type 65 blocking enabled.
 
Did you try a different browser in macOS? Both sites work from my location as well.
 
When I saw this post, I was using mobile data with a VPN connected back to my home Asus router. DNS query type 65 is blocked and I can load both sites.
However, when I get home and connect directly to the router over Wi-Fi, I can reproduce the issue. o_O.
I tried disabling adblock, unbound, etc., removed the type 65 blocking rule and then did a packet capture while the pages load properly. Somehow I cannot find the matching hex-string 0000410001.
A couple of months ago @SomeWhereOverTheRainBow suggested to me to get rid of the rule in the INPUT chain and keep the rules in the OUTPUT chain instead. With this, the page can load properly. Perhaps @ComputerSteve wants to give this a try if you have the time?

Code:
##ipv4
# Pattern bytes: 00 = end of QNAME, 0041 = QTYPE 65 (HTTPS), 0001 = QCLASS IN.
# -A appends to the router's OUTPUT_DNS chain; logdrop_dns logs and drops the packet.
iptables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns

##ipv6
# Same match on the IPv6 copy of the chain.
ip6tables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns
 
Should I do those commands with type 65 enabled or disabled?
 
So I'm a novice, really, at this. Where exactly do I run this command? When I log in over SSH in the Mac Terminal and then paste this: iptables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns ... nothing happens.
 
All I know is it's something with Diversion. When I disable Diversion, the sites listed above work, and after playing with things I narrowed it down to the Type 65 setting. If I have that disabled, the sites work. As soon as I enable that setting, they don't.
 
Maybe @thelonelycoder can chime in on what might be happening. I love Diversion, I'm just noticing that something isn't working correctly. At least for me.
 
I don't suppose you added microsoft.com to the Diversion whitelist, did you? That might solve this issue on a case-by-case basis.
 
But why do I need to do that? I don't need to do that when I have Type 65 blocking disabled. Meaning now I would need a whitelist just for Type 65 blocking, lol.
 
So give it a try: disable your Type 65 option in Diversion, and input these rules

Code:
##ipv4
# -I inserts at the top of OUTPUT_DNS, so this match is evaluated before any existing rule in the chain.
# Pattern bytes: 00 = end of QNAME, 0041 = QTYPE 65 (HTTPS), 0001 = QCLASS IN.
iptables -I OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns

##ipv6
ip6tables -I OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns

into the plain SSH terminal. From here, switch to your test platform of choice to see if the rules are working properly. If they are, let us know and we will move on to the next step of placing the rules in a more permanent place such as firewall-start.
 
But when I enter that command it just looks like nothing happened, meaning I get no output in the SSH shell; it just goes to a new line, /tmp/home/root#
 
That is normal. You would see no output if the rule worked.

What is the output of

iptables-save

If you see the rule in that output list, then it took the rule.
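As an added example (not code from this thread, from Diversion, or from iptables), the Python below shows what the hex-string rule posted above actually matches on the wire and what the iptables-save check at the end of the thread is looking for. It builds DNS queries byte by byte, derives the |..| pattern from a QTYPE (so it goes beyond the thread's type 65 case and gives the pattern for SVCB/type 64 or any other type), shows that a reply carries the same bytes because the question section is echoed back, and scans a constructed iptables-save dump for the rule. The chain and target names OUTPUT_DNS and logdrop_dns are taken from the thread and assumed to exist on the router; the hostnames and the iptables-save text are constructed for the example.

```python
"""Added example (not from the thread or Diversion): what the type-65
string-match rule looks for on the wire, how to derive the same pattern for
other QTYPEs, and how to confirm the rule from iptables-save output.

Everything here is offline; no packets are sent and iptables is not invoked.
Hostnames and the iptables-save dump below are constructed for this example.
"""
import struct

QTYPE_A = 1
QTYPE_SVCB = 64
QTYPE_HTTPS = 65        # the "Type 65" record that Diversion's option blocks
QCLASS_IN = 1

# Chain and target names as used in the thread (assumed to exist on the router).
CHAIN = "OUTPUT_DNS"
TARGET = "logdrop_dns"


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels: <len><label>... terminated by 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (the UDP payload): 12-byte header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query: bytes) -> bytes:
    """NODATA-style reply: same txid, QR/RD/RA flags set, question echoed back."""
    return query[:2] + struct.pack("!H", 0x8180) + query[4:]


def match_pattern(qtype: int, qclass: int = QCLASS_IN) -> bytes:
    """Bytes the rule searches for: QNAME terminator (00) + QTYPE + QCLASS."""
    return b"\x00" + struct.pack("!HH", qtype, qclass)


def hex_string(qtype: int) -> str:
    """The pattern in the form that `-m string --hex-string "|...|"` takes."""
    return match_pattern(qtype).hex()


def rule_matches(payload: bytes, qtype: int = QTYPE_HTTPS) -> bool:
    """Emulate `-m string --algo bm --to 65535`: a plain substring search."""
    return match_pattern(qtype) in payload


def iptables_rule(qtype: int, ipv6: bool = False) -> str:
    """Render the insert-at-top rule from the thread for an arbitrary QTYPE."""
    tool = "ip6tables" if ipv6 else "iptables"
    return (f'{tool} -I {CHAIN} -m string --hex-string "|{hex_string(qtype)}|" '
            f"--algo bm --to 65535 -j {TARGET}")


def rule_present(save_output: str, chain: str = CHAIN, qtype: int = QTYPE_HTTPS) -> bool:
    """Scan iptables-save text for the rule, as the last post suggests doing."""
    needle = f'--hex-string "|{hex_string(qtype)}|"'
    return any(line.startswith(f"-A {chain} ") and needle in line
               for line in save_output.splitlines())


# Constructed stand-in for `iptables-save` output after the rule was entered.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT_DNS - [0:0]
:logdrop_dns - [0:0]
-A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns
COMMIT
"""


if __name__ == "__main__":
    q65 = build_query("www.microsoft.com", QTYPE_HTTPS)
    qa = build_query("www.microsoft.com", QTYPE_A)
    print("pattern for type 65:", hex_string(QTYPE_HTTPS))      # 0000410001
    print("pattern for type 64:", hex_string(QTYPE_SVCB))       # 0000400001
    print("HTTPS query matched:", rule_matches(q65))            # True
    print("A query matched:    ", rule_matches(qa))             # False
    print("reply to HTTPS query matched:", rule_matches(build_response(q65)))  # True
    print(iptables_rule(QTYPE_HTTPS))
    print("rule in iptables-save:", rule_present(SAMPLE_SAVE))  # True
```

Two things the example makes visible that the rule line alone does not: the match is a byte search over the whole packet, so it only ever sees plaintext port-53 traffic (DoH or DoT from a client never touches it), and the same five bytes sit in every reply to a type 65 query because resolvers echo the question section, so the pattern is not query-specific. The generated rule leaves out the thread's `--icase`; the pattern is binary, so case folding is not needed.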
 
