jpgpi250 / piholemanual

files referred to in my pihole installation manual

Please remove bunnyCDN from DoH blocklist #25

Closed jdeluyck closed 1 year ago

jdeluyck commented 1 year ago

Bunny CDN is in there, causing some issues on my network that took me a while to figure out ;)

84.17.46.54
84.17.46.53

The entire CIDR 84.17.46.0/23 should be removed, as well as 2400:52e0:1e01::/48

Checking whois information on the subnet you'll easily spot that this belongs to a CDN.

jpgpi250 commented 1 year ago

the IP (84.17.46.54) matches the following entries:

| domain | urllist_id |
|---|---|
| doh1.b-cdn.net | 3 |
| doh1.b-cdn.net | 7 |
| doh1.b-cdn.net | 11 |
| doh1.b-cdn.net | 12 |
| doh1.b-cdn.net | 13 |
| doh1.b-cdn.net | 15 |
| doh1.b-cdn.net | 19 |
| doh1.b-cdn.net | 20 |
| doh1.b-cdn.net | 21 |

and

| domain | urllist_id |
|---|---|
| doh1.blahdns.com | 3 |
| doh1.blahdns.com | 13 |
| doh1.blahdns.com | 15 |
| doh1.blahdns.com | 20 |

the IP (84.17.46.53) matches the following entries:

| domain | urllist_id |
|---|---|
| doh2.b-cdn.net | 3 |
| doh2.b-cdn.net | 13 |
| doh2.b-cdn.net | 15 |
| doh2.b-cdn.net | 20 |

and

| domain | urllist_id |
|---|---|
| doh2.blahdns.com | 3 |
| doh2.blahdns.com | 13 |
| doh2.blahdns.com | 15 |
| doh2.blahdns.com | 20 |

list IDs

| id | list |
|---|---|
| 3 | https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt |
| 7 | https://raw.githubusercontent.com/wiki/curl/curl/DNS-over-HTTPS.md |
| 11 | https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt |
| 12 | https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt |
| 13 | https://raw.githubusercontent.com/crypt0rr/public-doh-servers/main/dns.list |
| 15 | https://raw.githubusercontent.com/jbaggs/doh-intel/master/doh.intel |
| 19 | https://raw.githubusercontent.com/unwrapsodding/DOH_Servers/main/hosts |
| 20 | https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/doh.txt |
| 21 | https://raw.githubusercontent.com/beamrod/doh_hostlist/main/host_list.txt |

by visiting, for example, the URL https://api.bgpview.io/ip/84.17.46.54 you will notice this address is part of a CIDR (name: "CDN77"). You'll need to make an exception for the entire range 84.17.46.0/23

As explained in the manual, it is recommended to assign the exceptions only to the devices that need to be able to visit this site, thus excluding, for example, IoT devices. Unfortunately, since hosting companies use CIDR to host several websites and services, and the IP addresses of the websites and services regularly change, the use of network exceptions for specific devices is unavoidable.

This is explained in section 10 (CIDR (network) Exceptions) of the manual.

Note that I only consolidate lists (see the manual for the list of lists). Once a domain is in a list, the domain and associated IPs will be added to the block list(s). Adding exceptions is the responsibility of the firewall administrator.

I strongly advise implementing RPZ blocking when whitelisting CIDRs
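As an added example, not code from the repository or from either participant: a small Python model of the per-device CIDR exception policy the reply describes, using the blocklist domains, IPs and the CDN range quoted in this thread. The dictionary layout, the client addresses and the decision function are assumptions for illustration, not the manual's own format.

```python
import ipaddress

# Constructed sample of consolidated DoH blocklist entries (domain -> IPs),
# using the values quoted in the issue; the layout is an assumption.
DOH_BLOCKLIST = {
    "doh1.b-cdn.net": ["84.17.46.54"],
    "doh2.b-cdn.net": ["84.17.46.53"],
    "doh1.blahdns.com": ["84.17.46.54"],
    "doh2.blahdns.com": ["84.17.46.53"],
}

# Hypothetical per-device CIDR exceptions: only the listed client is allowed
# to reach the CDN ranges named in the issue; the IoT device gets none.
DEVICE_CIDR_EXCEPTIONS = {
    "192.168.1.10": ["84.17.46.0/23", "2400:52e0:1e01::/48"],  # laptop
    "192.168.1.50": [],                                          # IoT device
}


def blocked_ips():
    """Flatten the consolidated blocklist into a set of address objects."""
    return {ipaddress.ip_address(ip)
            for ips in DOH_BLOCKLIST.values() for ip in ips}


def blocked_entries_in(cidr):
    """Return the blocklist domains whose IPs fall inside the given CIDR.
    This is the check an admin runs before whitelisting a whole range:
    it shows which DoH entries the exception will also let through."""
    net = ipaddress.ip_network(cidr, strict=False)
    # Comparing an IPv4 address against an IPv6 network is simply False.
    return sorted(domain for domain, ips in DOH_BLOCKLIST.items()
                  if any(ipaddress.ip_address(ip) in net for ip in ips))


def decision(client_ip, dst_ip):
    """'allow' or 'block' for a client -> destination pair: the blocklist
    applies first, then only the client's own CIDR exceptions override it."""
    dst = ipaddress.ip_address(dst_ip)
    if dst not in blocked_ips():
        return "allow"
    for cidr in DEVICE_CIDR_EXCEPTIONS.get(client_ip, []):
        if dst in ipaddress.ip_network(cidr, strict=False):
            return "allow"
    return "block"
```

Running `blocked_entries_in("84.17.46.0/23")` before adding the exception makes visible that the range also covers the blahdns DoH entries, which is why the reply pairs CIDR whitelisting with RPZ blocking of the domains.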