Hi @jpgpi250

[jpgpi250]

Hi @jpgpi250

This website is blocked because it tried to access 84.17.46.50 which is actually not in your list. But when i look at the pftables it does excist.

I tried to open this webpage: https://www.berkenrhode.nl/

Maby it should be in the exceptions?

Originally posted by @Giel538 in https://github.com/jpgpi250/piholemanual/issues/7#issuecomment-855238680

[jpgpi250]

@Giel538

moved your comment to a new issue.

84.17.46.50 matches dns entries 'doh1.blahdns.com' and 'doh2.blahdns.com', so it is possible an exception is required, however I opened https://www.berkenrhode.nl/ without any problems, checked the firewall logs, the address doesn't appear in the logs.

Please specify what you need to do on that page in order to trigger a block on the address.

possibly affected entries: 84.17.46.50 doh1.blahdns.com 2a02:6ea0:c020::2 doh1.blahdns.com 84.17.46.50 doh2.blahdns.com

[Giel538]

Hmm strange. I checked again but it is really blocked because of DOH rule. I actually have the same problem on this site: https://www.duinhoeve.nl/

I figured out that this two websites try to connect to https://cdn.bookingexperts.nl/ which is giving the problem.

If i am the only one it is better to not add this to the exception list. To much exceptions is never good :)

[jpgpi250]

Still don't understand / convinced https://www.duinhoeve.nl/ opens without any problem here. When I open the site, this is what happens (DNS):

query[A] www.duinhoeve.nl from 192.168.2.228 forwarded www.duinhoeve.nl to fdaa:bbcc:ddee:2::5552 query[AAAA] www.duinhoeve.nl from 192.168.2.228 forwarded www.duinhoeve.nl to fdaa:bbcc:ddee:2::5552 reply www.duinhoeve.nl is reply cms.bookingexperts.nl is 52.58.58.190 reply cms.bookingexperts.nl is 3.64.33.153 reply cms.bookingexperts.nl is 35.156.202.32 reply www.duinhoeve.nl is query[A] fonts.gstatic.com from 192.168.2.228 forwarded fonts.gstatic.com to fdaa:bbcc:ddee:2::5552 reply fonts.gstatic.com is reply gstaticadssl.l.google.com is blocked during CNAME inspection query[AAAA] fonts.gstatic.com from 192.168.2.228 forwarded fonts.gstatic.com to fdaa:bbcc:ddee:2::5552 reply fonts.gstatic.com is reply gstaticadssl.l.google.com is blocked during CNAME inspection

cms.bookingexperts.nl (not cdn.bookingexperts.nl), resolves to (dig)

• 52.58.58.190
• 35.156.202.32
• 3.64.33.153

none of these addresses are on the DoH list.

cdn.bookingexperts.nl does map to blocked IPs dig cdn.bookingexperts.nl returns 84.17.46.50 which is an address on the list:

• 84.17.46.49 doh1.b-cdn.net
• 84.17.46.49 doh2.blahdns.com
• 84.17.46.50 doh1.blahdns.com
• 84.17.46.50 doh2.b-cdn.net

tried this with edge-chromium and firefox

If you can confirm cdn.bookingexperts.nl is required to access https://www.duinhoeve.nl/, I'll add the addresses to the exception list. You said 'To much exceptions is never good', so you need to be sure, looks like bookingexperts.nl is frequently used, thus causing unnecessary problems.

Keep the list of devices, allowed to bypass the DoH block (exceptions) as small as possible. So far, it appears to be possible to keep most browsers in line with the 'don't use DoH' policy. apps, IOT devices, andoid, ios, ... , with built in DoH software, might not be that easily configured, hence the IP blocklists.

[Giel538]

Hi,

This is what chrome shows me:

And my firewall log:

And about https://www.berkenrhode.nl/

In chrome it is trying to connect to cdn.bookingexpert but in firefox it connects to cdn-cms.bookingexpert and working. So it is also somehow browser related.

[jpgpi250]

Checked this on edge chromium, https://cdn.bookingexperts.nl/ appears to be required, used for payment.

dig cdn.bookingexperts.nl returns IPv4: 84.17.46.49 OR 84.17.46.50 IPv6: 2a02:6ea0:c020::2

so these addresses need to be excluded (for specific clients only) to allow the website (payment) to function.

HOWEVER

The addresses are already in the exception lists, see here and here

Therefore, I assume:

• The addresses may have changed recently, both IP and exception addresses are generated daily from a list of domains. The exception list currently contains dns.cloudflare.com, doh1.b-cdn.net, doh2.b-cdn.net (you can check this in the sqlite database), all added as a result of previous requests to add an exception. I don't track address changes, the IP lists are compiled automatically overnight. The idea is to use / refresh the lists on your firewall daily, this to avoid using old IP information.
• If the websites still don't function for you, using the latest, daily updated IP and exception lists, You might want to check your exception rules again, following the guide lines in the doc.

edit checked a backup file on old sd card. file DOHexceptionsIPv4.txt, dated 5/29/2021 06:36:18, content hasn't changed file DOHexceptionsIPv6.txt, dated 5/29/2021 06:38.48, content hasn't changed /edit

[Giel538]

shit. my mistake. I added the exception rules but i swapped source and destination. omg. what a waste of time

thanks anyway!