Menu
What's new
By:
Filters Better Search

Cloudflare 1.1.1.1 for Families

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

peepsnet said:
@RMerlin Can we get this added to the Code for the Dropdowns.

I took a look but I am not versed enough with the code to do a PR
I did a search for the code and found a few places but I am not sure of it
https://github.com/RMerl/asuswrt-me...Browsing+Adult&unscoped_q=CleanBrowsing+Adult

I think it is just
https://github.com/RMerl/asuswrt-me...e28eda004f8/release/src/router/rc/dnsfilter.c
and
https://github.com/RMerl/asuswrt-me...59f02498/release/src/router/www/DNSFilter.asp

but the other pages I am not sure of
Click to expand...

No, because of post #15.

After that, I'll think about it.
 
RMerlin said:
No, because of post #15.

After that, I'll think about it.
Click to expand...


But the entries on the DNSFilter page are not DOT at all, AFAIK. I was suggesting adding those entries to those dropdowns also
 
Today, it appears that Cloudflare for Families is now returning 0.0.0.0 instead of REFUSED for blocked queries. This is better, but can lead to DNS Rebinding attack messages in syslog since 0.0.0.0 from an upstream resolver is considered a private address. So if you have any DNS Rebind protection enabled in your router, you will see empty responses instead of 0.0.0.0.

Maybe it will change again as they get more feedback.
 
dave14305 said:
I found yesterday that DoT worked, but the filtering wasn’t active (using their test phishing.testcategory.com wasn’t blocked).
Click to expand...
Seems like the test URL is blocked now with DoT.
 
FLA_NL said:
Seems like the test URL is blocked now with DoT.
Click to expand...
Clouflare_DNS_TLS_malware_blocked.png

Code: 
May 20 08:08:07 dnsmasq[30469]: 160888 IPv6_address/50115 query[A] phishing.testcategory.com from IPv6_address
May 20 08:08:07 dnsmasq[30469]: 160888 IPv6_address/50115 forwarded phishing.testcategory.com to 127.0.1.1
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 query[AAAA] phishing.testcategory.com from IPv6_address
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 forwarded phishing.testcategory.com to 127.0.1.1
May 20 08:08:07 dnsmasq[30469]: possible DNS-rebind attack detected: phishing.testcategory.com
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 reply phishing.testcategory.com is ::
 
I now noticed the rebind log also:
dnsmasq[974]: possible DNS-rebind attack detected: phishing.testcategory.com

Earlier I just could go to that page.

Or are you just confirming that it is now blocked?
 
Last edited:
FLA_NL said:
I now noticed the rebind log also:
dnsmasq[974]: possible DNS-rebind attack detected: phishing.testcategory.com

Earlier I just could go tho that page.

Or are you just confirming that it is now blocked?
Click to expand...
I am just confirming that it is now blocked. At first I was not sure what your post meant but figured it out and posted excerpts which make it obvious what you meant.

On the one hand it may not be ideal to resolve to 0.0.0.0 or :: and cause the DNS rebind protection warning. On the other hand, it provides for an easy way to determine blocks that are Cloudflare as opposed to blocks that are Diversion or Skynet. I am going to leave DNS rebind protection enabled for now.
 
I am suprised that Cloudflare for Families malware filter has blocked the following:
Code: 
gearssdk.opswat.com
7nq-0.12-93000449.0.1770.2597.2f4a.210.0.64hsffc9epq8diegm98tzikt5t.avqs.mcafee.com
Both appear to be related to security software for work. One is for BYOD and the other for a laptop. Maybe you could argue that this traffic should only flow through to a workplace VPN and not directly to my ISP for privacy reasons. If software is going to send information about your device to some company, then by default block it and require whitelisting.
 
EmeraldDeer said:
I am suprised that Cloudflare for Families malware filter has blocked the following:
Code: 
gearssdk.opswat.com
7nq-0.12-93000449.0.1770.2597.2f4a.210.0.64hsffc9epq8diegm98tzikt5t.avqs.mcafee.com
Both appear to be related to security software for work. One is for BYOD and the other for a laptop. Maybe you could argue that this traffic should only flow through to a workplace VPN and not directly to my ISP for privacy reasons. If software is going to send information about your device to some company, then by default block it and require whitelisting.
Click to expand...
It returns an IP in the 127.0.0.0/8 space, so it's considered a rebind attack, regardless of which upstream DNS you are using (not specific to Cloudflare for Families). You can whitelist it with:
Code: 
rebind-domain-ok=/avqs.mcafee.com/
 
RMerlin said:
With so many DNS-based blocking services now available, the question has to be asked:

how do they compare in terms of:

- Number of sites blocked
- How long it takes them to add more sites to their blocklists
- Accuracy of their blocklists

At some point, these services will need to be reviewed the same way antivirus products are being reviewed, by testing a bunch of zero-days malicious (or adult) sites, looking for false positives or missed cases.

Any quarantined security specialist want to get on it? :)
Click to expand...


Stumbled upon this:

https://www.skadligkod.se/general-security/phishing/malicious-site-filters-on-dns-in-2020/
 
coxhaus said:
I am going to stay with QUAD9 for DNS. IBM has much better resources to put behind QUAD9 than Cloudflare.
Click to expand...

Actually in this case, it's the opposite. Since Cloudflare already handles a large portion of the Internet's traffic (they already deal with providing protection to a LOT of websites), it means they are in a better position to see emerging trends in malicious traffic, and update their database accordingly.

Same reason why I have more faith in a security suite coming from Eset than from Microsoft. It's not a matter of resource, but rather of expertise.
 
I don't agree. I think IBM is much smarter than Cloudfare and can do a better job. But hey I run Cisco you run ASUS.
 
coxhaus said:
I don't agree. I think IBM is much smarter than Cloudfare and can do a better job. But hey I run Cisco you run ASUS.
Click to expand...

Cisco owns OpenDNS. See what good that's doing for them.
 
coxhaus said:
Cisco runs the world ASUS is a small home project.
Click to expand...

What does this have to do with the filtering DNS discussion this thread is about? Or is it just an attempt at attacking my credibility just because of my hardware decisions?
 
Paliv said:
Over at malwaretips the DNS provider that has the most consistent malicious filtering in user testing has been cleanbrowsing. Though a lot of them are inconsistent.

This post had a larger sample set.
https://malwaretips.com/threads/upd...ison-malwares-and-phishings.80915/post-834399

A more recent trial showed mixed results for any dns but includes 1.1.1.2.
https://malwaretips.com/threads/upd...ison-malwares-and-phishings.80915/post-870656
Click to expand...

Test results vary greatly between different reviews, which makes me wonder about the methodology used. I saw one test where Quad9 scored perfectly, and another where it scored in the lower tier.

We need testing done by professionals to have a clearer picture. A test done against only a dozen of malicious website does not constitute a large enough sample to provide meaningful results for instance.
 
RMerlin said:
Test results vary greatly between different reviews, which makes me wonder about the methodology used. I saw one test where Quad9 scored perfectly, and another where it scored in the lower tier.

We need testing done by professionals to have a clearer picture. A test done against only a dozen of malicious website does not constitute a large enough sample to provide meaningful results for instance.
Click to expand...
I would agree. This is end user testing with small sample sizes. However the only service which I have seen consistently perform above average over multiple small tests has been cleanbrowsing. I don’t personally use cleanbrowsing, just an observation. Time will tell with cloudflare’s offering, which is intriguing. I rely more on router/endpoint/browser filtering, which is generally reliable enough, DNS is an added layer.
 
You must log in or register to reply here.

Similar threads

J
Add Clouflare for Families to DoT list
Replies
8
Views
2K
ringlord
ringlord
B
Adguard Home - "disable" bootstrap DNS Servers for 100% encrypted DNS via 443 / 853
Replies
14
Views
5K
breathless
B
D
Solved Work-around for Wyze Devices with issues when Router has DNS-over-TLS (DoT) Enabled
Replies
4
Views
3K
DroidST
D
SomeWhereOverTheRainBow
AdGuardHome [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)
50 51 52
Replies
1K
Views
222K
keef
keef
Aikinai
CloudFlare Warp+ for RT-AC86U (or RT-AX88U)
Replies
8
Views
12K
Ai_
A

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 833 (members: 14, guests: 819)
Top