Closed jdeluyck closed 1 year ago
The IP (84.17.46.54) matches the following entries:

domain | urllist_id
doh1.b-cdn.net | 3
doh1.b-cdn.net | 7
doh1.b-cdn.net | 11
doh1.b-cdn.net | 12
doh1.b-cdn.net | 13
doh1.b-cdn.net | 15
doh1.b-cdn.net | 19
doh1.b-cdn.net | 20
doh1.b-cdn.net | 21

and

domain | urllist_id
doh1.blahdns.com | 3
doh1.blahdns.com | 13
doh1.blahdns.com | 15
doh1.blahdns.com | 20

The IP (84.17.46.53) matches the following entries:

domain | urllist_id
doh2.b-cdn.net | 3
doh2.b-cdn.net | 13
doh2.b-cdn.net | 15
doh2.b-cdn.net | 20

and

domain | urllist_id
doh2.blahdns.com | 3
doh2.blahdns.com | 13
doh2.blahdns.com | 15
doh2.blahdns.com | 20

List IDs:

urllist_id | URL
3 | https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
7 | https://raw.githubusercontent.com/wiki/curl/curl/DNS-over-HTTPS.md
11 | https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt
12 | https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt
13 | https://raw.githubusercontent.com/crypt0rr/public-doh-servers/main/dns.list
15 | https://raw.githubusercontent.com/jbaggs/doh-intel/master/doh.intel
19 | https://raw.githubusercontent.com/unwrapsodding/DOH_Servers/main/hosts
20 | https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/doh.txt
21 | https://raw.githubusercontent.com/beamrod/doh_hostlist/main/host_list.txt
By visiting, for example, the URL https://api.bgpview.io/ip/84.17.46.54 you will notice this address is part of a CIDR (name: "CDN77"). You'll need to make an exception for the entire range 84.17.46.0/23.
As explained in the manual, it is recommended to assign the exceptions only to the devices that need to be able to visit this site, thus excluding, for example, IoT devices. Unfortunately, since hosting companies use CIDR to host several websites and services, and the IP addresses of the websites and services regularly change, the use of network exceptions for specific devices is unavoidable.
This is explained in section 10 (CIDR (network) Exceptions) of the manual.
Note that I only consolidate lists (see the manual for the list of lists). Once a domain is in a list, the domain and associated IPs will be added to the block list(s). Adding exceptions is the responsibility of the firewall administrator.
I strongly advise implementing RPZ blocking when whitelisting CIDRs.
Bunny CDN is in there, causing some issues on my network that took me a while to figure out ;)
84.17.46.54 84.17.46.53
The entire CIDR 84.17.46.0/23 should be removed, as well as 2400:52e0:1e01::/48
Checking whois information on the subnet, you'll easily spot that this belongs to a CDN.
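The CIDR exception and the RPZ advice from the reply above, as an added example that is not part of the thread or the project's own code: a Python check that reports which block-list entries a CIDR exception re-allows and renders RPZ records so those names stay blocked at DNS level. The row layout and function names are assumptions; the rows are a constructed sample built from the addresses, domains and list IDs quoted in this thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of consolidated block-list rows: (ip, domain, urllist_id).
BLOCK_ROWS = [
    ("84.17.46.54", "doh1.b-cdn.net", 3),
    ("84.17.46.54", "doh1.blahdns.com", 13),
    ("84.17.46.53", "doh2.b-cdn.net", 15),
    ("84.17.46.53", "doh2.blahdns.com", 20),
    ("192.0.2.10", "doh.example.test", 3),  # constructed, outside the range
]


def exception_impact(rows, cidr):
    """Return {domain: sorted list IDs} for block entries the exception re-allows."""
    # strict=True rejects input such as 84.17.46.54/23 (host bits set), so a
    # mistyped exception fails loudly instead of silently widening the range.
    net = ipaddress.ip_network(cidr, strict=True)
    hit = defaultdict(set)
    for ip, domain, list_id in rows:
        addr = ipaddress.ip_address(ip)
        if addr.version == net.version and addr in net:
            hit[domain].add(list_id)
    return {d: sorted(ids) for d, ids in sorted(hit.items())}


def rpz_lines(domains):
    """Render RPZ records with the NXDOMAIN action (CNAME .) for each domain."""
    return [f"{d} CNAME ." for d in domains]


if __name__ == "__main__":
    impact = exception_impact(BLOCK_ROWS, "84.17.46.0/23")
    for domain, list_ids in impact.items():
        print(f"re-allowed by IP: {domain} (lists {list_ids})")
    print("\n".join(rpz_lines(impact)))
```
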