Skynet Skynet 7.4.5 Ban Domain Does Not Work

[ply3908]

I tried to ban canovel.com from Skynet but it does work. I can ban it from Diversion, however.

 

[SomeWhereOverTheRainBow]

I tried to ban canovel.com from Skynet but it does work. I can ban it from Diversion, however.

Because you cannot ban it in both places at the same time. If you ban it in diversion, then it sounds like skynet is unable to resolve the address for canovel.com. This is especially true if you have your router setup as local DNS cache. Try removing it from diversion, and then adding it to skynet. Other wise, diversion is already sharing it with skynet in the shared lists and you cannot ban it twice.

 

[thelonelycoder]

Because you cannot ban it in both places at the same time. If you ban it in diversion, then it sounds like skynet is unable to resolve the address for canovel.com. This is especially true if you have your router setup as local DNS cache. Try removing it from diversion, and then adding it to skynet. Other wise, diversion is already sharing it with skynet in the shared lists and you cannot ban it twice.

Only the whitelist is shared between Diversion and Skynet.

 

[SomeWhereOverTheRainBow]

Only the whitelist is shared between Diversion and Skynet.

So then it sounds like the user has "local caching resolver" enabled. Which means Diversion is blocking skynets attempt to locally resolve the IP address of canovel.com. In this scenario, the user needs to choose where they wish to block at. If canovel.com is creating a firewall level concern, then block there instead of diversion. If you are concerned about not wanting to be able to resolve canovel.com, then block with diversion.

This type of behavior can be changed if @Adamm decides to add a specific upstream resolver to use for the nslookup function skynet uses.

https://github.com/Adamm00/IPSet_ASUS/blob/master/firewall.sh#L633-L635

Or if the user turns off local caching resolver.

Otherwise, nslookup will use the dns services the router uses for its local lookups (which in this users case appears to be Diversion (a.k.a DNSMASQ), instead of going through WAN DNS first).

Edit: Upon further investigation of the domain, it turns out is is apart of CDNWhitelisting!

 

[ply3908]

I did not ban on both Skynet and Diversion. I just tested to see what works. I just tried some popular sites like nytimes.com. I can ban it from the router's firewall (AC68u 386.11 FW), or from Diversion but cannot ban it from Skynet. Can someone test it on your own router?

 

[SomeWhereOverTheRainBow]

I did not ban on both Skynet and Diversion. I just tested to see what works. I just tried some popular sites like nytimes.com. I can ban it from the router's firewall (AC68u 386.11 FW), or from Diversion but cannot ban it from Skynet. Can someone test it on your own router?

can you please confirm that you have "Wan: Use local caching DNS server as system resolver" set to no please, like the image below demonstrates.

And then try doing what you are doing?

 

[ply3908]

can you please confirm that you have "Wan: Use local caching DNS server as system resolver" set to no please, like the image below demonstrates.
View attachment 51636
And then try doing what you are doing?

Which page is the setting located please? I can't find the setting under the WAN -> Internet Connection page. Thanks.

 

[ply3908]

I found it now. It's under Tools -> Other Settings. It was set "no" the whole time. I did not change it.

 

[SomeWhereOverTheRainBow]

I found it now. It's under Tools -> Other Settings. It was set "no" the whole time. I did not change it.

View attachment 51638

What is your wan DNS 1 and wan DNS 2 set to? And can you also please share a screenshot of your skynet menu?

 

[SomeWhereOverTheRainBow]

@ply3908

The official verdict is in, it is because the IP addresses for that domain are apart of Cloudflared CDNwhitelisting.

You can completely turn this setting off if you choose to, but know that it will break access to alot of CDN. This shows that @Adamm 's script is working properly!

The fact that you can block the domain in diversion, but not in skynet is irrelevant to the twos combined functionality features and just happens to be coincident since skynet has CDNWhitelisting feature enabled by default. CDN stands for Content Delivery Networks. While canovel.com is just one domain that utilizes these CDN IP addresses, other services may also share these same IP addresses which may break your future access to Content Delivery Networks simply for blocking this one domain at the firewall.

 

[ply3908]

@SomeWhereOverTheRainBow

Thank so much for helping.

I am using the DNS from my ISP (Comcast).
I tried Google's before. It did not work either.

Skynet not able to ban many different domain nytimes.com, espn.com, etc. I can block them from the router URL Filter or Diversion black list.

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow

Thank so much for helping.

I am using the DNS from my ISP (Comcast).
I tried Google's before. It did not work either.

Skynet not able to ban many different domain nytimes.com, espn.com, etc. I can block them from the router URL Filter or Diversion black list.

So, just block 'em with diversion then. You don't really want to mess with the CDNwhitelisting feature of skynet because it will break other things as well that you may consider important if you turn it off.