jpgpi250 / piholemanual

files referred to in my pihole installation manual

Cloudflare Pages erroneously blocked #46

Closed yitzhaq closed 3 months ago

yitzhaq commented 3 months ago

Your ABP rules are currently blocking the entire pages.dev domain: https://github.com/jpgpi250/piholemanual/blob/master/DOH/DOHadb.txt#L2829

Due to this, all sites hosted on Cloudflare Pages are being blocked. This entry should be removed, or made more explicit about what it is trying to target.

https://pages.cloudflare.com

jpgpi250 commented 3 months ago

https://github.com/jpgpi250/piholemanual/blob/master/DOH/DOHadb.txt#L2829 -> ortudns.com

I don't add / remove domain entries, I only consolidate (o)DoH lists

ortudns.com is on list 15 (https://raw.githubusercontent.com/jbaggs/doh-intel/master/doh.intel), you'll need to contact the owner of this list if you want it removed.

create a whitelist entry if you need to be able to resolve the domain.

yitzhaq commented 3 months ago

> https://github.com/jpgpi250/piholemanual/blob/master/DOH/DOHadb.txt#L2829 -> ortudns.com
>
> I don't add / remove domain entries, I only consolidate (o)DoH lists
>
> ortudns.com is on list 15 (https://raw.githubusercontent.com/jbaggs/doh-intel/master/doh.intel), you'll need to contact the owner of this list if you want it removed.

Gotcha, thanks. Happy to report this upstream, however, the issue raised was for pages.dev, not ortudns.com. The line number must have changed since I filed the report - apologies for the confusion. pages.dev isn't in doh.intel - which list is it on, so I can bring it to the attention of the right people?

> create a whitelist entry if you need to be able to resolve the domain.

The problem is that the ADB entry is a wildcard entry for the domain and all subdomains - all of them are. So in order to whitelist it, you'd have to whitelist the entire domain, thus overriding any specific subdomains that should be blocked (since whitelists take precedence). This service is occasionally abused for various purposes, such as phishing, and I don't want to be whitelisting any such entries. And all services under this domain live on dedicated subdomains - the naked domain is simply a redirect to pages.cloudflare.com, and thus no point in blocking in itself.

So the appropriate solution here would be to simply not add the domain as a wildcard entry in the first place. No DoH service is or can be offered directly from pages.dev, so the domain itself shouldn't be appearing on any DoH lists - as a wildcard entry or otherwise.

jpgpi250 commented 3 months ago

doh.futa.gg. 10800 IN CNAME pages.dev.
pages.dev. 960 IN A 104.18.21.135
pages.dev. 960 IN A 104.18.20.135

doh.futa.gg is a cname for pages.dev, thus pages.dev resolves to an IP that hosts a DoH server, thus on the list(s).

pages.dev regularly pops up as blocked in my environment, it doesn't prevent viewing the web pages.

doh.futa.gg is on several lists, use the database (on github) and the urllist_id field to get the list urls
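The exception-rule concern raised earlier in this thread, shown as an added example that is not part of any comment or of the repository. It is a simplified model of `||domain^` / `@@||domain^` matching in which exception rules take precedence, not Pi-hole's own matching code; the two `*.pages.dev` host names and the function names are constructed for illustration.

```python
# Simplified model of the ABP "||domain^" semantics discussed in this thread.
# It is not Pi-hole's matching code; the *.pages.dev host names are constructed.

def parse_rules(lines):
    """Split ABP-style lines into (block, allow) sets of rule domains."""
    block, allow = set(), set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):      # blank line or list comment
            continue
        is_allow = line.startswith("@@")          # "@@" marks an exception rule
        rule = line[2:] if is_allow else line
        if rule.startswith("||") and rule.endswith("^"):
            (allow if is_allow else block).add(rule[2:-1].lower())
    return block, allow

def covering(name, domains):
    """Return the rule domain matching name or one of its parents, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):                  # most specific match first
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def verdict(name, rules):
    """Exception rules win over block rules, as described in the thread."""
    block, allow = parse_rules(rules)
    hit = covering(name, allow)
    if hit:
        return ("allowed", hit)
    hit = covering(name, block)
    return ("blocked", hit) if hit else ("allowed", None)

# Constructed rule sets: the wildcard entry, the same list plus a domain-wide
# exception, and a list that names only specific hosts.
WILDCARD = ["||pages.dev^", "||doh.futa.gg^", "||phish-example.pages.dev^"]
WITH_EXCEPTION = WILDCARD + ["@@||pages.dev^"]
SPECIFIC_ONLY = ["||doh.futa.gg^", "||phish-example.pages.dev^"]

if __name__ == "__main__":
    cases = [("wildcard", WILDCARD), ("wildcard + exception", WITH_EXCEPTION),
             ("specific only", SPECIFIC_ONLY)]
    for label, rules in cases:
        for host in ("docs-site.pages.dev", "phish-example.pages.dev", "doh.futa.gg"):
            print(f"{label:22} {host:26} {verdict(host, rules)}")
```

In the middle case the domain-wide exception also releases the host that a more specific rule was meant to block.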
