Cloudflare 1.1.1.1 for Families

dave14305

Not unless we can use it with Unbound? :)
 
Interesting that it returns REFUSED instead of NXDOMAIN for blocked names.

REFUSED is expected to be returned if a query is denied due to policy, for example. This is usually expected in cases where you are rejecting the client itself however, not the query. I fear that a REFUSED response might lead the resolver to try again with another nameserver, if that's truly what they did.
 
Maybe so. 2 queries for 54199.
Code:
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 reply error is REFUSED
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 reply error is REFUSED
 

That might just indicate that the response wasn't cached (I don't think REFUSED gets cached, as opposed to an NXDOMAIN, which is considered a valid response and typically does get a 15-minute TTL).
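An added example (not part of the thread): a small parser for the dnsmasq log format shown above (the serial and client/port fields are what `log-queries=extra` writes) that reports, per client and name, how many queries were made and how many ended in REFUSED. The function name is hypothetical; the sample lines for serials 486 and 487 are abridged from the log above and serial 488 is constructed.

```python
import re
from collections import defaultdict

# Sample input: serials 486/487 abridged from the log above; 488 is constructed.
SAMPLE_LOG = """\
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 reply error is REFUSED
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 reply error is REFUSED
Apr  1 15:52:18 dnsmasq[4375]: 488 192.168.1.245/40111 query[A] example.com from 192.168.1.245
Apr  1 15:52:18 dnsmasq[4375]: 488 192.168.1.245/40111 forwarded example.com to 1.1.1.2
Apr  1 15:52:18 dnsmasq[4375]: 488 192.168.1.245/40111 reply example.com is 93.184.216.34
"""

# "<serial> <client>/<port> <event>" as written with log-queries=extra
LINE_RE = re.compile(r"dnsmasq\[\d+\]: (\d+) ([\d.]+)/(\d+) (.*)$")


def refused_summary(log_text):
    """Group log lines by query serial, then report per (client, name)
    how many queries were made and how many ended in REFUSED."""
    by_serial = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        serial, client, _port, event = m.groups()
        if event.startswith("query["):
            by_serial[serial] = {"client": client, "name": event.split()[1],
                                 "upstreams": set(), "refused": False}
        elif serial in by_serial:
            q = by_serial[serial]
            if event.startswith("forwarded "):
                q["upstreams"].add(event.rsplit(" to ", 1)[1])
            elif event == "reply error is REFUSED":
                q["refused"] = True
    report = defaultdict(lambda: {"queries": 0, "refused": 0, "upstreams": set()})
    for q in by_serial.values():
        entry = report[(q["client"], q["name"])]
        entry["queries"] += 1
        entry["refused"] += q["refused"]
        entry["upstreams"] |= q["upstreams"]
    # Keep only names that were refused at least once
    return {k: v for k, v in report.items() if v["refused"]}


if __name__ == "__main__":
    for (client, name), v in refused_summary(SAMPLE_LOG).items():
        print(f"{client} {name}: {v['queries']} queries, {v['refused']} REFUSED, "
              f"upstreams {sorted(v['upstreams'])}")
```

A name with more queries than distinct client requests, all ending in REFUSED, is the repeat pattern discussed above; the log alone does not say whether the client retried or the answer simply was not cached.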
 
Not unless we can use it with Unbound? :)

I don't understand this question. Unbound is a resolver.
In case it is used as forwarder, any external DNS resolver should work the way it works with any other forwarder.
 
I’m suspicious of pretty much EVERYTHING I read in the past decade or so, because of the internet.


 
Cool. Thanks. I just switched over to 1.1.1.2 for my DoT server.

According to the Q's following the blog entry, DoT isn't ready yet.

Code:
Will you be providing DNS over TLS for these services like you do with 1.1.1.1 e.g. 1dot1dot1dot2.cloudflare-dn... and 1dot1dot1dot3.cloudflare-dn...
Reply
Mohd Irtefa  danhorst • 7 hours ago
Yes. Our team is working on it and we will share the update with our community when DoT for 1.1.1.2 and 1.1.1.3 are available.
 
Well, DoT to 1.1.1.2, 1.0.0.2 works. Good switch after Quad9 crapped out overnight.
 
It's not an AF joke. Note the follow on posts in the CF blog.
 
I found yesterday that DoT worked, but the filtering wasn’t active (using their test phishing.testcategory.com wasn’t blocked).
Yup, 1.1.1.2/1.0.0.2 does block the malware with DoT turned off. Will run without DoT for a while I guess.
 
Did a test with DoH (Skynet & Diversion disabled during test)
Apr 2 17:14:14 dnscrypt-proxy[25044]: [cloudflare-security] OK (DoH) - rtt: 14ms
Successfully blocks: http://phishing.testcategory.com/
 
With so many DNS-based blocking services now available, the question has to be asked:

how do they compare in terms of:

- Number of sites blocked
- How long it takes them to add more sites to their blocklists
- Accuracy of their blocklists

At some point, these services will need to be reviewed the same way antivirus products are being reviewed, by testing a bunch of zero-day malicious (or adult) sites, looking for false positives or missed cases.

Any quarantined security specialist want to get on it? :)
 
@RMerlin Can we get this added to the code for the dropdowns?

I took a look, but I am not versed enough with the code to do a PR.
I did a search for the code and found a few places, but I am not sure of it:
https://github.com/RMerl/asuswrt-me...Browsing+Adult&unscoped_q=CleanBrowsing+Adult

I think it is just
https://github.com/RMerl/asuswrt-me...e28eda004f8/release/src/router/rc/dnsfilter.c
and
https://github.com/RMerl/asuswrt-me...59f02498/release/src/router/www/DNSFilter.asp

but the other pages I am not sure of
 
