
Cloudflare 1.1.1.1 for Families

Discussion in 'General Network Security' started by dave14305, Apr 1, 2020.

  1. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,968
    Location:
    USA
    Last edited: Apr 1, 2020
  2. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    12,617
    Not unless we can use it with Unbound? :)
     
  3. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,968
    Location:
    USA
    Interesting that it returns REFUSED instead of NXDOMAIN for blocked names.
     
  4. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,022
    Location:
    Canada
    REFUSED is expected to be returned if a query is denied due to policy, for example. This is usually expected in cases where you are rejecting the client itself however, not the query. I fear that a REFUSED response might lead the resolver to try again with another nameserver, if that's truly what they did.
     
  5. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,968
    Location:
    USA
    Maybe so. 2 queries for 54199.
    Code:
    Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
    Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
    Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
    Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 validation result is INSECURE
    Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 reply error is REFUSED
    Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
    Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
    Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
    Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 validation result is INSECURE
    Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 reply error is REFUSED
     
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,022
    Location:
    Canada
    That might just indicate that the response wasn't cached (I don't think REFUSED gets cached, as opposed to an NXDOMAIN, which is considered a valid response and typically gets a 15 min TTL).
     
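An added example, not from the thread: a small parser for dnsmasq query logs in the form quoted above (the `log-queries=extra` format, which prefixes each line with a query id and client/port) that picks out the two patterns the replies discuss, REFUSED answers that arrived only after the forwarder tried a second upstream, and the same client socket re-asking the same name under a new query id. The ten log lines from the post are embedded as constructed sample input; the function and field names are this example's own.

```python
import re
# Constructed sample input: the two dnsmasq query sequences quoted in the post above.
SAMPLE_LOG = """\
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 reply error is REFUSED
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 reply error is REFUSED
"""
# dnsmasq log-queries=extra lines carry a query id and client/port before the event text.
LINE_RE = re.compile(r"dnsmasq\[\d+\]: (?P<qid>\d+) (?P<client>[\d.]+)/(?P<port>\d+) (?P<event>.*)$")
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)")
ERROR_RE = re.compile(r"reply error is (?P<rcode>\w+)")

def parse_dnsmasq_log(text):
    """Group lines by query id; record the name, every upstream tried and the final rcode."""
    queries = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an extra-format query line (startup messages etc.)
        q = queries.setdefault(m["qid"], {"client": m["client"], "port": m["port"],
                                          "name": None, "upstreams": [], "rcode": None})
        event = m["event"]
        qm, fm, em = QUERY_RE.match(event), FORWARD_RE.match(event), ERROR_RE.match(event)
        if qm:
            q["name"] = qm["name"]
        elif fm:
            q["upstreams"].append(fm["upstream"])
        elif em:
            q["rcode"] = em["rcode"]
    return queries

def refused_after_retry(queries):
    """REFUSED answers reached only after forwarding to more than one upstream, i.e. the forwarder tried the next server instead of accepting the answer."""
    return [(qid, q["name"], q["upstreams"]) for qid, q in queries.items()
            if q["rcode"] == "REFUSED" and len(q["upstreams"]) > 1]

def repeated_client_queries(queries):
    """Same client/port/name asked under more than one query id: the first answer was not cached or not accepted."""
    seen = {}
    for qid, q in queries.items():
        seen.setdefault((q["client"], q["port"], q["name"]), []).append(qid)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Run it against `/tmp/syslog.log` (or wherever the router logs dnsmasq) to see how often a policy block is being retried across both upstreams instead of being cached as a negative answer.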
  7. heysoundude

    heysoundude Very Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    891
    Kingp1n, Ubimo and jsbeddow like this.
  8. Val D.

    Val D. Very Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    1,480
    I don't understand this question. Unbound is a resolver.
    In case it is used as forwarder, any external DNS resolver should work the way it works with any other forwarder.
     
  9. roscoe211

    roscoe211 Occasional Visitor

    Joined:
    Dec 30, 2016
    Messages:
    20
    Cool. Thanks. I just switched over to 1.1.1.2 for my DoT server.
     
  10. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,022
    Location:
    Canada
    Every year, Cloudflare has gotten into the habit of announcing new, real services on April 1st.

    And with the current world situation, any April 1st prank would be considered to be of poor taste.
     
    Quoc Huynh, L&LD and jsbeddow like this.
  11. heysoundude

    heysoundude Very Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    891
    I’m suspicious of pretty much EVERYTHING I read in the past decade or so, because of the internet.


    Sent from my iPhone using Tapatalk
     
  12. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    6,286
    Location:
    United States
    According to the Q's following the blog entry, DoT isn't ready yet.

    Code:
    Will you be providing DNS over TLS for these services like you do with 1.1.1.1 e.g. 1dot1dot1dot2.cloudflare-dn... and 1dot1dot1dot3.cloudflare-dn...
    Reply
    Mohd Irtefa  danhorst • 7 hours ago
    Yes. Our team is working on it and we will share the update with our community when DoT for 1.1.1.2 and 1.1.1.3 are available.
     
    Last edited: Apr 2, 2020
  13. bbunge

    bbunge Very Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    1,142
    Location:
    Pennsylvania USA
    Well, DoT to 1.1.1.2, 1.0.0.2 works. Good switch after Quad9 crapped out overnight.
     
    Quoc Huynh likes this.
  14. ^Tripper^

    ^Tripper^ Senior Member

    Joined:
    Aug 16, 2014
    Messages:
    217
    Location:
    Disneyland with the death penalty
    Glad to finally see this option with CF.
     
  15. dave14305

    dave14305 Part of the Furniture

    Joined:
    May 19, 2018
    Messages:
    2,968
    Location:
    USA
    I found yesterday that DoT worked, but the filtering wasn’t active (using their test phishing.testcategory.com wasn’t blocked).
     
    Quoc Huynh and jsbeddow like this.
  16. thiggins

    thiggins Mr. Easy Staff Member

    Joined:
    May 18, 2008
    Messages:
    14,403
    It's not an AF joke. Note the follow-on posts in the CF blog.
     
  17. bbunge

    bbunge Very Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    1,142
    Location:
    Pennsylvania USA
    Yup, 1.1.1.2/1.0.0.2 does block the malware with DoT turned off. Will run without DoT for a while I guess.
     
    jsbeddow likes this.
  18. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    479
    Did a test with DoH (Skynet & Diversion disabled during test)
    Apr 2 17:14:14 dnscrypt-proxy[25044]: [cloudflare-security] OK (DoH) - rtt: 14ms
    Successfully blocks: http://phishing.testcategory.com/
     
    Quoc Huynh likes this.
  19. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,022
    Location:
    Canada
    With so many DNS-based blocking services now available, the question has to be asked:

    how do they compare in terms of:

    - Number of sites blocked
    - How long it takes them to add more sites to their blocklists
    - Accuracy of their blocklists

    At some point, these services will need to be reviewed the same way antivirus products are being reviewed, by testing a bunch of zero-days malicious (or adult) sites, looking for false positives or missed cases.

    Any quarantined security specialist want to get on it? :)
     
  20. peepsnet

    peepsnet Regular Contributor

    Joined:
    Jul 16, 2019
    Messages:
    114
    @RMerlin Can we get this added to the code for the dropdowns?

    I took a look, but I am not versed enough with the code to do a PR.
    I did a search for the code and found a few places, but I am not sure of it:
    https://github.com/RMerl/asuswrt-me...Browsing+Adult&unscoped_q=CleanBrowsing+Adult

    I think it is just
    https://github.com/RMerl/asuswrt-me...e28eda004f8/release/src/router/rc/dnsfilter.c
    and
    https://github.com/RMerl/asuswrt-me...59f02498/release/src/router/www/DNSFilter.asp

    but I am not sure of the other pages.
     
    Quoc Huynh likes this.