Diversion Type 65 Blocking killing website loading of certain sites

[ComputerSteve]

I'm noticing when I enable Type 65 Blocking certain websites stop working.. Example: https://www.microsoft.com/en-us/software-download/windows10ISO or https://www.microsoft.com/software-download/windows11 ... As soon as I disable this option it works instantly. I am running Mac OS X Monterey with Diversion 4.3.2.

 

[Zastoff]

The links you provided in your post works fine for me and i have type 65 blocked with diversion. (Tested from my android phone)

 

[ComputerSteve]

I have verified multiple times on my both macs if I have that feature enabled those sites stop working. As well as others.

 

[Zastoff]

Tested those sites on my windows pc as well now and it worked fine again.
Maybe a mac os / browser related issue/requirement.

 

[ComputerSteve]

As well as some others.

Tested those sites on my windows pc as well now and it worked fine again.
Maybe a mac os / browser related issue/requirement.

I appreciate you testing however as i'm saying i'm having this problem with Apple Devices. / Windows / Android i'm not using.

 

[JemTheWire]

Well, I can access those sites via my iPad and iPhone with Type 65 blocking enabled.

 

[Treadler]

Well, I can access those sites via my iPad and iPhone with Type 65 blocking enabled.

Me too.

 

[Treadler]

I'm noticing when I enable Type 65 Blocking certain websites stop working.. Example: https://www.microsoft.com/en-us/software-download/windows10ISO or https://www.microsoft.com/software-download/windows11 ... As soon as I disable this option it works instantly. I am running Mac OS X Monterey with Diversion 4.3.2.

Type 65 blocked here, I can access both those sites on iPad & Mac.

 

[Mutzli]

Did you try a different browser in Mac OS? Both sites work from my location as well.

 

[chongnt]

When I saw this post, I was using mobile data with vpn connected back to home Asus router. DNS query type 65 is blocked and I can load both sites.
However, when I get home and connect directly to the router over wifi, I can reproduce the issue. .
I try to disable adblock, unbound, etc, removed type 65 blocking rule and then do packet capture when the page are loading properly. Somehow I cannot find the matching hex-string 0000410001.
A couple of months ago @SomeWhereOverTheRainBow suggest to me to get rid of the rule in INPUT chains and keep the rules in OUTPUT chain instead. With this, the page can load properly. Perhaps @ComputerSteve want to give this a try if you have the time?

##ipv4
iptables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns

##ipv6
ip6tables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns

 

[ComputerSteve]

When I saw this post, I was using mobile data with vpn connected back to home Asus router. DNS query type 65 is blocked and I can load both sites.
However, when I get home and connect directly to the router over wifi, I can reproduce the issue. .
I try to disable adblock, unbound, etc, removed type 65 blocking rule and then do packet capture when the page are loading properly. Somehow I cannot find the matching hex-string 0000410001.
A couple of months ago @SomeWhereOverTheRainBow suggest to me to get rid of the rule in INPUT chains and keep the rules in OUTPUT chain instead. With this, the page can load properly. Perhaps @ComputerSteve want to give this a try if you have the time?

##ipv4
iptables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns

##ipv6
ip6tables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns

Should I do those commands with type 65 enabled or disabled?

 

[chongnt]

Should I do those commands with type 65 enabled or disabled?

With type 65 disabled. That was in the input chain. The new command put the rule in output chain. You will be able to see type 65 query but no reply.

 

[ComputerSteve]

So i'm a novice really at this.. Where exactly do I run this command? When I login to ssh on mac terminal then paste this iptables -A OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns ... Nothing happens.

 

[ComputerSteve]

All I know is it’s something with diversion. When I disable diversion the sites listed above and after playing with things I narrowed it down to the setting type 65. If I have that disabled the sites work. As soon as I enable that setting it doesn’t.

 

[ComputerSteve]

Maybe the @thelonelycoder can chime in on what might be happening. I love diversion I’m just noticing that something isn’t working correctly. At least for me.

 

[Viktor Jaep]

Maybe the @thelonelycoder can chime in on what might be happening. I love diversion I’m just noticing that something isn’t working correctly. At least for me.

I don't supposed you added microsoft.com to the diversion whitelist, did you? That might solve this issue on a case-by-case basis?

 

[ComputerSteve]

I don't supposed you added microsoft.com to the diversion whitelist, did you? That might solve this issue on a case-by-case basis?

But why do I need to do that? I don't need to do that when I have Type 65 blocking disabled. Meaning now I would need a white list for just type 65 blocking lol.

 

[SomeWhereOverTheRainBow]

So i'm a novice really at this.. Where exactly do I run this command? When I login to ssh on mac terminal then paste this iptables -a OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns ... Nothing happens.

So give it a try, disable your type65 option in diversion, and input these rules

##ipv4
iptables -I OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns 
##ipv6
ip6tables -I OUTPUT_DNS -m string --hex-string "|0000410001|" --algo bm --to 65535 --icase -j logdrop_dns

Into the plain ssh terminal. From here switch to your test platform of choice to see if the rules are working properly. If they are let us know and we will move on to the next step of placing the rules in a more permanent place such as firewall start.

 

[ComputerSteve]

but when I enter that command it just looks like nothing happened meaning I get no output in the ssh shell it just goes to a new line /tmp/home/root#

 

[SomeWhereOverTheRainBow]

but when I enter that command it just looks like nothing happened meaning I get no output in the ssh shell it just goes to a new line /tmp/home/root#

That is normal. You would see no output if the rule worked.

What is the output of

iptables-save

If you see the rule in that output list, then it took the rule.