Cloudflare 1.1.1.1 for Families

@RMerlin Can we get this added to the code for the dropdowns?

I took a look, but I am not versed enough with the code to do a PR.
I did a search for the code and found a few places, but I am not sure of it.
https://github.com/RMerl/asuswrt-me...Browsing+Adult&unscoped_q=CleanBrowsing+Adult

I think it is just
https://github.com/RMerl/asuswrt-me...e28eda004f8/release/src/router/rc/dnsfilter.c
and
https://github.com/RMerl/asuswrt-me...59f02498/release/src/router/www/DNSFilter.asp

but the other pages I am not sure of

No, because of post #15.

After that, I'll think about it.
 
But the entries on the DNSFilter page are not DoT at all, AFAIK. I was suggesting adding those entries to those dropdowns also.
 
Today, it appears that Cloudflare for Families is now returning 0.0.0.0 instead of REFUSED for blocked queries. This is better, but can lead to DNS Rebinding attack messages in syslog since 0.0.0.0 from an upstream resolver is considered a private address. So if you have any DNS Rebind protection enabled in your router, you will see empty responses instead of 0.0.0.0.

Maybe it will change again as they get more feedback.
 
I found yesterday that DoT worked, but the filtering wasn’t active (using their test phishing.testcategory.com wasn’t blocked).
Seems like the test URL is blocked now with DoT.
 

Code:
May 20 08:08:07 dnsmasq[30469]: 160888 IPv6_address/50115 query[A] phishing.testcategory.com from IPv6_address
May 20 08:08:07 dnsmasq[30469]: 160888 IPv6_address/50115 forwarded phishing.testcategory.com to 127.0.1.1
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 query[AAAA] phishing.testcategory.com from IPv6_address
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 forwarded phishing.testcategory.com to 127.0.1.1
May 20 08:08:07 dnsmasq[30469]: possible DNS-rebind attack detected: phishing.testcategory.com
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 reply phishing.testcategory.com is ::
 
I now noticed the rebind log also:
dnsmasq[974]: possible DNS-rebind attack detected: phishing.testcategory.com

Earlier I just could go to that page.

Or are you just confirming that it is now blocked?
 
I am just confirming that it is now blocked. At first I was not sure what your post meant but figured it out and posted excerpts which make it obvious what you meant.

On the one hand it may not be ideal to resolve to 0.0.0.0 or :: and cause the DNS rebind protection warning. On the other hand, it provides for an easy way to determine blocks that are Cloudflare as opposed to blocks that are Diversion or Skynet. I am going to leave DNS rebind protection enabled for now.
 
I am surprised that the Cloudflare for Families malware filter has blocked the following:
Code:
gearssdk.opswat.com
7nq-0.12-93000449.0.1770.2597.2f4a.210.0.64hsffc9epq8diegm98tzikt5t.avqs.mcafee.com
Both appear to be related to security software for work. One is for BYOD and the other for a laptop. Maybe you could argue that this traffic should only flow through to a workplace VPN and not directly to my ISP for privacy reasons. If software is going to send information about your device to some company, then by default block it and require whitelisting.
 
It returns an IP in the 127.0.0.0/8 space, so it's considered a rebind attack, regardless of which upstream DNS you are using (not specific to Cloudflare for Families). You can whitelist it with:
Code:
rebind-domain-ok=/avqs.mcafee.com/
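
An added example, not part of any post in this thread: a POSIX shell function that counts dnsmasq rebind warnings per domain and marks the domains that were also answered with 0.0.0.0 or ::, the pattern discussed above for Cloudflare for Families blocks. The sample log and the name host.avqs.example are constructed; the line layout follows the excerpt posted earlier.

```shell
#!/bin/sh
# Constructed sample log in the same layout as the dnsmasq excerpt above.
# 2001:db8::10 is a documentation address; host.avqs.example is a made-up name.
SAMPLE_LOG='May 20 08:08:07 dnsmasq[30469]: 160888 2001:db8::10/50115 query[A] phishing.testcategory.com from 2001:db8::10
May 20 08:08:07 dnsmasq[30469]: 160888 2001:db8::10/50115 forwarded phishing.testcategory.com to 127.0.1.1
May 20 08:08:07 dnsmasq[30469]: 160889 2001:db8::10/60610 query[AAAA] phishing.testcategory.com from 2001:db8::10
May 20 08:08:07 dnsmasq[30469]: possible DNS-rebind attack detected: phishing.testcategory.com
May 20 08:08:07 dnsmasq[30469]: 160889 2001:db8::10/60610 reply phishing.testcategory.com is ::
May 20 08:09:11 dnsmasq[30469]: 160901 2001:db8::10/50200 query[A] host.avqs.example from 2001:db8::10
May 20 08:09:11 dnsmasq[30469]: possible DNS-rebind attack detected: host.avqs.example
May 20 08:10:42 dnsmasq[30469]: 160915 2001:db8::10/50311 query[A] host.avqs.example from 2001:db8::10
May 20 08:10:42 dnsmasq[30469]: possible DNS-rebind attack detected: host.avqs.example'

# Reads dnsmasq log lines on stdin and prints "<domain> <warnings> <verdict>".
#   sinkhole: the domain was also answered with 0.0.0.0 or ::, which is what
#             an upstream filtering resolver returns for a blocked name
#   review:   no such answer was logged; look at the domain before deciding
#             whether it belongs in a rebind-domain-ok entry
rebind_summary() {
    awk '
        # Rebind warnings: the domain is the last field on the line.
        /possible DNS-rebind attack detected: / { warn[$NF]++; next }

        # Answer lines end in "<reply|cached> <name> is <address>".
        NF >= 4 && ($(NF-3) == "reply" || $(NF-3) == "cached") && $(NF-1) == "is" {
            if ($NF == "0.0.0.0" || $NF == "::") sink[$(NF-2)] = 1
        }

        END {
            for (d in warn)
                printf "%s %d %s\n", d, warn[d], ((d in sink) ? "sinkhole" : "review")
        }
    ' | sort
}

# Run against the constructed sample; on a router, pipe the real syslog in instead.
printf '%s\n' "$SAMPLE_LOG" | rebind_summary
```

A "review" verdict only means no 0.0.0.0 or :: answer was logged for that name; it says nothing about whether the domain is safe to whitelist.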
 
With so many DNS-based blocking services now available, the question has to be asked:

how do they compare in terms of:

- Number of sites blocked
- How long it takes them to add more sites to their blocklists
- Accuracy of their blocklists

At some point, these services will need to be reviewed the same way antivirus products are being reviewed, by testing a bunch of zero-day malicious (or adult) sites, looking for false positives or missed cases.

Any quarantined security specialist want to get on it? :)


Stumbled upon this:

https://www.skadligkod.se/general-security/phishing/malicious-site-filters-on-dns-in-2020/
 
I am going to stay with QUAD9 for DNS. IBM has much better resources to put behind QUAD9 than Cloudflare.

Actually in this case, it's the opposite. Since Cloudflare already handles a large portion of the Internet's traffic (they already deal with providing protection to a LOT of websites), it means they are in a better position to see emerging trends in malicious traffic, and update their database accordingly.

Same reason why I have more faith in a security suite coming from Eset than from Microsoft. It's not a matter of resource, but rather of expertise.
 
I don't agree. I think IBM is much smarter than Cloudflare and can do a better job. But hey, I run Cisco, you run ASUS.
 
Cisco owns OpenDNS. See what good that's doing for them.
 
Cisco runs the world. ASUS is a small home project.

What does this have to do with the filtering DNS discussion this thread is about? Or is it just an attempt at attacking my credibility just because of my hardware decisions?
 
Over at malwaretips, the DNS provider that has the most consistent malicious filtering in user testing has been CleanBrowsing, though a lot of them are inconsistent.

This post had a larger sample set.
https://malwaretips.com/threads/upd...ison-malwares-and-phishings.80915/post-834399

A more recent trial showed mixed results for any DNS but includes 1.1.1.2.
https://malwaretips.com/threads/upd...ison-malwares-and-phishings.80915/post-870656

Test results vary greatly between different reviews, which makes me wonder about the methodology used. I saw one test where Quad9 scored perfectly, and another where it scored in the lower tier.

We need testing done by professionals to have a clearer picture. A test done against only a dozen malicious websites does not constitute a large enough sample to provide meaningful results, for instance.
 
I would agree. This is end user testing with small sample sizes. However, the only service which I have seen consistently perform above average over multiple small tests has been CleanBrowsing. I don't personally use CleanBrowsing, just an observation. Time will tell with Cloudflare's offering, which is intriguing. I rely more on router/endpoint/browser filtering, which is generally reliable enough; DNS is an added layer.
 
