Cloudflare 1.1.1.1 for Families

[Treadler]

View attachment 23604

May 20 08:08:07 dnsmasq[30469]: 160888 IPv6_address/50115 query[A] phishing.testcategory.com from IPv6_address
May 20 08:08:07 dnsmasq[30469]: 160888 IPv6_address/50115 forwarded phishing.testcategory.com to 127.0.1.1
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 query[AAAA] phishing.testcategory.com from IPv6_address
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 forwarded phishing.testcategory.com to 127.0.1.1
May 20 08:08:07 dnsmasq[30469]: possible DNS-rebind attack detected: phishing.testcategory.com
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 reply phishing.testcategory.com is ::

Hmmm, so 1.1.1.2 is working with DoT now?

 

[jeff3820]

Yes, has been for quite a while

 

[EmeraldDeer]

Hmmm, so 1.1.1.2 is working with DoT now?

It is hard to say for sure. There had been a non-TLS official announcement of 1.1.1.1 for Families. A TLS implementation was acknowledged in the comments as something Cloudflare is working on. The family .3 and malware only .2 DNS over TLS addresses had been responding with non-filtered DNS.

At some point someone in the forums noticed that the test phishing domain was returning 0.0.0.0 suggesting that filtering had begun.

I have switched from Cloudflare to Quad9 due to recent malware filtering test results.

 

[Mister2088]

Hi Folks.
I know this thread is a bit old but it is the only one that seems to make sense for my question.
I am on merlin 386.4 using cloudflare 1.1.1.2 via DOT. It and Merlin release rocks!
However, I do notice several times per day : possible DNS-rebind attack detected: logs.ironsrc.mobi
I know there is probably no harm. I searched the web and cannot find any info on this. Has anyone seen this or know what it is? If so, should I block the domain in dnsmasq or just ignore?
Thank-you in advance

 

[sfx2000]

However, I do notice several times per day : possible DNS-rebind attack detected: logs.ironsrc.mobi
I know there is probably no harm. I searched the web and cannot find any info on this. Has anyone seen this or know what it is? If so, should I block the domain in dnsmasq or just ignore?

DNSmasq has your back...

1.1.1.2 returns 0.0.0.0

$ dig @1.1.1.2 logs.ironsrc.mobi

; <<>> DiG 9.16.1-Ubuntu <<>> @1.1.1.2 logs.ironsrc.mobi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27390
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;logs.ironsrc.mobi.        IN    A

;; ANSWER SECTION:
logs.ironsrc.mobi.    60    IN    A    0.0.0.0

;; Query time: 20 msec
;; SERVER: 1.1.1.2#53(1.1.1.2)
;; WHEN: Tue Jan 25 19:41:52 PST 2022
;; MSG SIZE  rcvd: 62

1.1.1.1 returns a valid IP

$ dig @1.1.1.1 logs.ironsrc.mobi

; <<>> DiG 9.16.1-Ubuntu <<>> @1.1.1.1 logs.ironsrc.mobi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38875
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;logs.ironsrc.mobi.        IN    A

;; ANSWER SECTION:
logs.ironsrc.mobi.    0    IN    A    13.225.138.9
logs.ironsrc.mobi.    0    IN    A    13.225.138.95
logs.ironsrc.mobi.    0    IN    A    13.225.138.24
logs.ironsrc.mobi.    0    IN    A    13.225.138.58

;; Query time: 32 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jan 25 19:44:04 PST 2022
;; MSG SIZE  rcvd: 110