DoT/Diversion/Skynet and Restrictions

SuperDuke

Regular Contributor
Hello all,

My better half just recently had an issue connecting to one of her recipes sites (copymethat) and that sent me on a goose chase to try and find out why she was being restricted.

I whitelisted in Diversion and processed the addition (for Skynet linking) and still nothing. Now by chance and fluke I had my laptop connected to VPN and tried to connect and lo and behold I could, which then made me wonder what, within my normal connection setup, is causing said issue.

Now some time ago I also had Apple iGadget update issues (specific to one device)..issues that I couldn't solve. So for giggles, I connected to VPN on the iPad and voila immediate connection to System Update rather than timing out like before.

So for those far more intelligent and educated than I, any ideas as to what may be causing this and what I can try? My general setup is rather vanilla with the Merlin/Diversion/Skynet scripts but nothing else. I did try previously at disabling pixelserv and it didn't seem to address the issue.

Thanks in advance....

edit// Firefox will not load site with pixelserv disabled and claims that site is unencrypted.....
 
EDIT: copymethat.com is blocked by the Diversion large list.
 
It’s possible your WAN IP is being blacklisted by Cloudflare since that site resolves to the Cloudflare ASN and is therefore whitelisted in Skynet.

Do you have any indicators that SkyNet or Diversion are blocking anything to that site? Or AIProtect? It loads for me using SkyNet and Diversion Standard list.
 
Thanks Dave (and Treadler). I did whitelist copymethat in Diversion but the issue persisted.

It doesn't appear to me that Skynet or Diversion are blocking but I may disable temporarily to see.....I did just that when I was trying to debug my System Update issue but it didn't work. Clearly there is something with the standard setup which is obviously bypassed by VPN usage.

I'm intrigued by the Cloudflare blacklisting option......what would that look like?

(AiProtect isn't likely an issue since this issue was present before and I have just recently re-implemented AiProt due to memory leakage)
 
I had to give up on Diversion to keep my wife happy. I may try to put her iPhone and laptop on a VLAN or the guest network. :) Does Diversion also affect the guest network?
 
Make sure you are whitelisting the www and non-www versions of the domain. FWIW both Diversion and Skynet have log filtering features so you can see what's being blocked for cases just like this.
 
Thanks all.....The DNSFilter option certainly worked (akin to the VPN I would think).....but to @Adamm and his whitelisting, I added the www. domain in addition to the stock non www. and it seems to have taken.

I'm still at a loss as to why the iPad updating wouldn't take and what domain is being blocked on that.....

@Adamm, is it the debugging option in Skynet for blocklisting check? I did try that and it didn't seem to show anything....

Either way, thanks again to all for the help....
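
The www/non-www whitelisting point from @Adamm's reply, as an added example that is not part of the thread and is not Diversion's or Skynet's own code. It assumes a blocker that matches hostnames exactly; the list contents and the function names (`variants`, `listed`, `still_blocked`) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample blocklist in hosts format (not copied from any real list).
SAMPLE_BLOCKLIST='# constructed sample
0.0.0.0 copymethat.com
0.0.0.0 www.copymethat.com
0.0.0.0 ads.tracker.test'

# variants DOMAIN: print the apex and www forms of DOMAIN, one per line.
variants() {
    apex=${1#www.}
    printf '%s\n%s\n' "$apex" "www.$apex"
}

# listed NAME LIST: succeed if NAME is an exact hostname entry in LIST.
# LIST lines may be hosts format ("0.0.0.0 name") or bare names.
# Assumption: the blocker compares whole hostnames, with no wildcard matching.
listed() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { host = (NF >= 2) ? $2 : $1
          if (tolower(host) == tolower(name)) found = 1 }
        END { exit !found }'
}

# still_blocked DOMAIN BLOCKLIST WHITELIST: print each variant of DOMAIN
# that is on the blocklist and has no matching whitelist entry.
still_blocked() {
    for host in $(variants "$1"); do
        if listed "$host" "$2" && ! listed "$host" "$3"; then
            printf '%s\n' "$host"
        fi
    done
}

# Whitelisting only the apex name leaves the www name blocked.
echo "apex-only whitelist, still blocked:"
still_blocked copymethat.com "$SAMPLE_BLOCKLIST" "copymethat.com"

# Whitelisting both names clears the block (prints nothing).
echo "apex + www whitelist, still blocked:"
still_blocked copymethat.com "$SAMPLE_BLOCKLIST" "copymethat.com
www.copymethat.com"
```
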
 
I had precisely the same problem with iPad access to Apple Account for updating and Store own Account access. I switched from Cloudflare DNS to Quad9 DNS for the WAN prescribed DNS [using DoT] and voilà - normal access to Apple stuff. Changed nothing else!

Too much of a noob to understand why :rolleyes: - but @dave14305 has probably hit the button in his earlier post [your WAN ip in some external blocking list which Cloudflare itself polices but Quad9 doesn't].
 
Most interesting! Thanks for this, I thought I was losing my mind! :)
 
As a further matter of interest - using Quad9 DNS [DoT] also gave me a far better score than Cloudflare under this DNSSEC test link ... https://rootcanary.org/test.html My result below ...

DNSSEC rootcanary-test.jpg

NB- DNSSEC automatically enabled in Stubby provided by MerlinWare 384.14 and not enabled in webgui WAN settings for DNS :).
 
Quad9 enabled ECS a few months back and my results are even better now, not that I understand it all. 9.9.9.11
 
