I figured that must be the case. But I was just clarifying that it is not the WAN itself IP being blocked here for EmeraldDeer confusion. JK. Actually for my own confusion at what EmeraldDeer's post was about.
Do you think the OP could be running something like DNSCRYPT-Proxy or AdGuardHome on their router to access Cloudflare over DoH?
I don't see Cloudflare DNS or NTP services using content distribution servers.
hmmm, I wonder if OP is running their own cloudflare DDNS updates (or if their ddns service provider uses cloudflare)? could that be the cause?
Output is
188.114.96.0/20 comment "CDN-Whitelist: CloudFlare"[13] --> CDN Whitelisting | [Enabled]Warning: 188.114.96.0 is in set Skynet-Whitelist.
188.114.96.0 is NOT in set Skynet-Blacklist.
188.114.96.0 is NOT in set Skynet-BlockedRanges.
Whitelist Reason;
188.114.96.0/20 "CDN-Whitelist: CloudFlare"
Associated Domain(s);
sda.fyi
asn.ipinfo.app
lindasbakskola.se
[i] IP Location - Canada (CLOUDFLARENET / AS13335)
[i] 188.114.96.0 First Tracked On May 22 23:06:12
[i] 188.114.96.0 Last Tracked On May 25 14:26:34
[i] 184 Blocks TotalCould it be getting blocked by some other means and skynet is capturing the drop? Just random question.
It would be nice if we could figure out more information, for all we know the ip that is being blocked could reside outside the range of ips for that specific subnet of /20 and we cannot tell that. This is definitely starting to sound more like a malware with these types of behaviors...
Is it possible to run wireshark on the router itself, or do you mean on my workstation?
You can tcpdump some of the packets on the router to a .pcap file. Move the .pcap file to a workstation with winscp, and then inspect the .pcap file from a workstation using Wireshark.
No, the log message is using Skynet’s custom prefix, so it must have been in the blocklist at one point AND missing from the whitelist.
This name is used within Skynet to lookup and download ASN info. So no harm, no foul.
Makes sense. Is there any point this list would not be loaded during skynets startup or update processes? I looked at the code and I didn't see any places, but I could be wrong. Skynet is a pretty lengthy script. If such a grey area exists inside the script, then retrieval of any whitelistings could fall prey to a blocklist entry.
Well, you wrote the modifications to the curl commands that download the Cloudflare list, among others. Was it an improvement?
Definitely an improvement, but I am trying to figure how the IP ended up in the blocklist. That is why I asked if you noticed any where in the script where the whitelist might not have been applied before blocklisting has already started. If such a grey area exists inside the script, then retrieval of any whitelistings could fall prey to a blocklist entry.
FYI, the IP must vary geographically for that domain
RT-AX88U_Pro-29B8:/tmp/home/root# nslookup asn.ipinfo.app 2>/dev/null | awk '/^Address[[:space:]][0-9]*\:[[:space:]]/{if($3 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/ && NR > 2)print $3}'
104.21.73.151
172.67.190.83; and, if it is skynet blocking itself by some glitch in its own loading logic or order of commands, then
Great efficacy.
The only place I can see a flaw is right at this spot...
asn.ipinfo.app in their geographical region. Whitelist_Extra
Whitelist_CDN
Whitelist_VPN
sed '\~add Skynet-Whitelist ~!d;\~nvram: ~!d;s~ comment.*~~;s~add~del~g' "$skynetipset" | ipset restore -!
Whitelist_Shared
