What's new

Cloudflare 1.1.1.1 for Families

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

View attachment 23604
Code:
May 20 08:08:07 dnsmasq[30469]: 160888 IPv6_address/50115 query[A] phishing.testcategory.com from IPv6_address
May 20 08:08:07 dnsmasq[30469]: 160888 IPv6_address/50115 forwarded phishing.testcategory.com to 127.0.1.1
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 query[AAAA] phishing.testcategory.com from IPv6_address
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 forwarded phishing.testcategory.com to 127.0.1.1
May 20 08:08:07 dnsmasq[30469]: possible DNS-rebind attack detected: phishing.testcategory.com
May 20 08:08:07 dnsmasq[30469]: 160889 IPv6_address/60610 reply phishing.testcategory.com is ::

Hmmm, so 1.1.1.2 is working with DoT now?
 
Hmmm, so 1.1.1.2 is working with DoT now?
It is hard to say for sure. There had been a non-TLS official announcement of 1.1.1.1 for Families. A TLS implementation was acknowledged in the comments as something Cloudflare is working on. The family .3 and malware only .2 DNS over TLS addresses had been responding with non-filtered DNS.

At some point someone in the forums noticed that the test phishing domain was returning 0.0.0.0 suggesting that filtering had begun.

I have switched from Cloudflare to Quad9 due to recent malware filtering test results.
 
Hi Folks.
I know this thread is a bit old but it is the only one that seems to make sense for my question.
I am on merlin 386.4 using cloudflare 1.1.1.2 via DOT. It and Merlin release rocks!
However, I do notice several times per day : possible DNS-rebind attack detected: logs.ironsrc.mobi
I know there is probably no harm. I searched the web and cannot find any info on this. Has anyone seen this or know what it is? If so, should I block the domain in dnsmasq or just ignore?
Thank-you in advance
 
However, I do notice several times per day : possible DNS-rebind attack detected: logs.ironsrc.mobi
I know there is probably no harm. I searched the web and cannot find any info on this. Has anyone seen this or know what it is? If so, should I block the domain in dnsmasq or just ignore?

DNSmasq has your back...

1.1.1.2 returns 0.0.0.0

Code:
$ dig @1.1.1.2 logs.ironsrc.mobi

; <<>> DiG 9.16.1-Ubuntu <<>> @1.1.1.2 logs.ironsrc.mobi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27390
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;logs.ironsrc.mobi.        IN    A

;; ANSWER SECTION:
logs.ironsrc.mobi.    60    IN    A    0.0.0.0

;; Query time: 20 msec
;; SERVER: 1.1.1.2#53(1.1.1.2)
;; WHEN: Tue Jan 25 19:41:52 PST 2022
;; MSG SIZE  rcvd: 62

1.1.1.1 returns a valid IP

Code:
$ dig @1.1.1.1 logs.ironsrc.mobi

; <<>> DiG 9.16.1-Ubuntu <<>> @1.1.1.1 logs.ironsrc.mobi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38875
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;logs.ironsrc.mobi.        IN    A

;; ANSWER SECTION:
logs.ironsrc.mobi.    0    IN    A    13.225.138.9
logs.ironsrc.mobi.    0    IN    A    13.225.138.95
logs.ironsrc.mobi.    0    IN    A    13.225.138.24
logs.ironsrc.mobi.    0    IN    A    13.225.138.58

;; Query time: 32 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jan 25 19:44:04 PST 2022
;; MSG SIZE  rcvd: 110
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top