Cloudflare 1.1.1.1 for Families


dave14305

Part of the Furniture

L&LD

Part of the Furniture
Not unless we can use it with Unbound? :)
 

dave14305

Part of the Furniture
Interesting that it returns REFUSED instead of NXDOMAIN for blocked names.
 

RMerlin

Asuswrt-Merlin dev
Interesting that it returns REFUSED instead of NXDOMAIN for blocked names.

REFUSED is expected to be returned if a query is denied due to policy, for example. This is usually expected in cases where you are rejecting the client itself however, not the query. I fear that a REFUSED response might lead the resolver to try again with another nameserver, if that's truly what they did.
 

dave14305

Part of the Furniture
REFUSED is expected to be returned if a query is denied due to policy, for example. This is usually expected in cases where you are rejecting the client itself however, not the query. I fear that a REFUSED response might lead the resolver to try again with another nameserver, if that's truly what they did.
Maybe so. 2 queries for 54199.
Code:
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 reply error is REFUSED
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 reply error is REFUSED
 
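The dnsmasq lines above show the pattern being discussed: one query id per attempt, the same client source port (54199) reused for the second attempt, a forward to both 1.1.1.2 and 1.0.0.2, and a final "reply error is REFUSED" rather than an NXDOMAIN answer. The following parser, an added example that is not part of the thread, of dnsmasq, or of Cloudflare's tooling, reads that `--log-queries=extra` format, classifies each query's outcome (REFUSED, NXDOMAIN, or answered), lists names that were refused by a filtering upstream, and counts how many distinct query ids the client sent for the same name from the same source port. The sample log is constructed from the lines in the post plus three extra lines (an answered query and an NXDOMAIN) for contrast; the treatment of 1.1.1.3/1.0.0.3 as filtering upstreams alongside 1.1.1.2/1.0.0.2 is an assumption.

```python
"""Classify query outcomes in a dnsmasq --log-queries=extra log.
Added example; not code from the thread, dnsmasq, or Cloudflare."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Cloudflare filtering resolvers. 1.1.1.2/1.0.0.2 are named in the thread;
# 1.1.1.3/1.0.0.3 are assumed here to behave the same way.
FILTERING_UPSTREAMS = {"1.1.1.2", "1.0.0.2", "1.1.1.3", "1.0.0.3"}

# Constructed sample: the first ten lines mirror the post, the rest are
# made up to show an ordinary answer and an NXDOMAIN for comparison.
SAMPLE_LOG = """\
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 reply error is REFUSED
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 reply error is REFUSED
Apr  1 15:52:20 dnsmasq[4375]: 488 192.168.1.245/54200 query[A] example.com from 192.168.1.245
Apr  1 15:52:20 dnsmasq[4375]: 488 192.168.1.245/54200 forwarded example.com to 1.1.1.2
Apr  1 15:52:20 dnsmasq[4375]: 488 192.168.1.245/54200 reply example.com is 93.184.216.34
Apr  1 15:52:21 dnsmasq[4375]: 489 192.168.1.245/54201 query[A] does-not-exist.invalid from 192.168.1.245
Apr  1 15:52:21 dnsmasq[4375]: 489 192.168.1.245/54201 forwarded does-not-exist.invalid to 1.1.1.2
Apr  1 15:52:21 dnsmasq[4375]: 489 192.168.1.245/54201 reply does-not-exist.invalid is NXDOMAIN
"""

# syslog timestamp, process, dnsmasq query id, client/port, then the message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"(?P<qid>\d+) (?P<client>[\d.:a-fA-F]+)/(?P<port>\d+) (?P<msg>.*)$"
)

@dataclass
class Query:
    qid: int
    client: str
    port: int
    name: str = ""
    qtype: str = ""
    upstreams: list = field(default_factory=list)   # servers forwarded to, in order
    validation: str = ""                            # DNSSEC result, if logged
    rcode: str = ""                                 # NOERROR, NXDOMAIN, REFUSED, ...
    answers: list = field(default_factory=list)

def parse_log(text):
    """Return one Query per (query id, client, port), in first-seen order."""
    queries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                 # not a per-query line
        key = (int(m["qid"]), m["client"], int(m["port"]))
        q = queries.setdefault(key, Query(*key))
        msg = m["msg"]
        if (qm := re.match(r"query\[(\w+)\] (\S+) from", msg)):
            q.qtype, q.name = qm.group(1), qm.group(2)
        elif (fm := re.match(r"forwarded \S+ to (\S+)", msg)):
            q.upstreams.append(fm.group(1))
        elif (vm := re.match(r"validation result is (\w+)", msg)):
            q.validation = vm.group(1)
        elif (em := re.match(r"reply error is (\w+)", msg)):
            q.rcode = em.group(1)                    # REFUSED, SERVFAIL, ...
        elif (rm := re.match(r"reply \S+ is (\S+)", msg)):
            if rm.group(1) == "NXDOMAIN":            # dnsmasq logs NXDOMAIN this way
                q.rcode = "NXDOMAIN"
            else:
                q.rcode = "NOERROR"
                q.answers.append(rm.group(1))
    return list(queries.values())

def policy_blocked(queries):
    """Names refused by a filtering upstream: the block signature seen in the thread."""
    return sorted({q.name for q in queries
                   if q.rcode == "REFUSED"
                   and any(u in FILTERING_UPSTREAMS for u in q.upstreams)})

def retries_by_source_port(queries):
    """Distinct query ids per (client, port, name); >1 means the client re-sent
    the same question from the same socket, as with port 54199 in the post."""
    seen = defaultdict(set)
    for q in queries:
        seen[(q.client, q.port, q.name)].add(q.qid)
    return {k: len(v) for k, v in seen.items() if len(v) > 1}

def summarize(queries):
    """Final outcome per name (last query for that name wins)."""
    return {q.name: {"rcode": q.rcode, "answers": q.answers,
                     "upstreams": q.upstreams, "validation": q.validation}
            for q in queries}

if __name__ == "__main__":
    qs = parse_log(SAMPLE_LOG)
    for name, info in summarize(qs).items():
        print(f"{name:28} {info['rcode']:9} via {','.join(info['upstreams'])}")
    print("policy-blocked:", policy_blocked(qs))
    print("retries:", retries_by_source_port(qs))
```

Run it against a real `/tmp/syslog.log` (or wherever the router logs) by replacing `SAMPLE_LOG` with the file contents; the retry count is the quick way to check whether REFUSED is making clients re-ask, and `policy_blocked` gives the list of names the filtering resolver declined to answer.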

RMerlin

Asuswrt-Merlin dev
Maybe so. 2 queries for 54199.

That might just indicate that the response wasn't cached (I don't think REFUSED gets cached, as opposed to a NXDOMAIN which is considered a valid response, and does get typically a 15 mins TTL).
 

Val D.

Very Senior Member
Not unless we can use it with Unbound? :)

I don't understand this question. Unbound is a resolver.
In case it is used as forwarder, any external DNS resolver should work the way it works with any other forwarder.
 

RMerlin

Asuswrt-Merlin dev

heysoundude

Very Senior Member
I’m suspicious of pretty much EVERYTHING I read in the past decade or so, because of the internet.

 

john9527

Part of the Furniture
Cool. Thanks. I just switched over to 1.1.1.2 for my DoT server.

According to the Q's following the blog entry, DoT isn't ready yet.

Code:
Will you be providing DNS over TLS for these services like you do with 1.1.1.1 e.g. 1dot1dot1dot2.cloudflare-dn... and 1dot1dot1dot3.cloudflare-dn...
Mohd Irtefa  danhorst • 7 hours ago
Yes. Our team is working on it and we will share the update with our community when DoT for 1.1.1.2 and 1.1.1.3 are available.
 

bbunge

Part of the Furniture
Well, DoT to 1.1.1.2, 1.0.0.2 works. Good switch after Quad9 crapped out overnight.
 

dave14305

Part of the Furniture
Well, DoT to 1.1.1.2, 1.0.0.2 works. Good switch after Quad9 crapped out overnight.
I found yesterday that DoT worked, but the filtering wasn’t active (using their test phishing.testcategory.com wasn’t blocked).
 

thiggins

Mr. Easy
Staff member
It's not an AF joke. Note the follow on posts in the CF blog.
 

bbunge

Part of the Furniture
I found yesterday that DoT worked, but the filtering wasn’t active (using their test phishing.testcategory.com wasn’t blocked).
Yup, 1.1.1.2/1.0.0.2 does block the malware with DoT turned off. Will run without DoT for a while I guess.
 

Zastoff

Very Senior Member
Did a test with DoH (Skynet & Diversion disabled during test)
Apr 2 17:14:14 dnscrypt-proxy[25044]: [cloudflare-security] OK (DoH) - rtt: 14ms
Successfully blocks: http://phishing.testcategory.com/
 

RMerlin

Asuswrt-Merlin dev
With so many DNS-based blocking services now available, the question has to be asked:

how do they compare in terms of:

- Number of sites blocked
- How long it takes them to add more sites to their blocklists
- Accuracy of their blocklists

At some point, these services will need to be reviewed the same way antivirus products are being reviewed, by testing a bunch of zero-day malicious (or adult) sites, looking for false positives or missed cases.

Any quarantined security specialist want to get on it? :)
 

peepsnet

Regular Contributor
@RMerlin Can we get this added to the code for the dropdowns?

I took a look, but I am not versed enough with the code to do a PR.
I did a search for the code and found a few places, but I am not sure of it:
https://github.com/RMerl/asuswrt-me...Browsing+Adult&unscoped_q=CleanBrowsing+Adult

I think it is just
https://github.com/RMerl/asuswrt-me...e28eda004f8/release/src/router/rc/dnsfilter.c
and
https://github.com/RMerl/asuswrt-me...59f02498/release/src/router/www/DNSFilter.asp

but the other pages I am not sure of
 
