lightswitch05 / hosts

Hostfile blocklist for ads and tracking, updated regularly
https://www.github.developerdan.com/hosts/
Apache License 2.0

[Tracking Aggressive] cloudflare-dns.com #300

Closed kzshantonu closed 3 years ago

kzshantonu commented 3 years ago

Needed for cloudflare DoH

ler762 commented 3 years ago

DoH bypasses your host file. If you want to use cloudflare DoH why would you use a hostfile?

lightswitch05 commented 3 years ago

@kzshantonu thanks for opening the ticket. I agree that it is an aggressive block, but it's also already on the aggressive list. My notes on this one:

being used on AOL.com for tracking https://cloudflare-dns.com/dns-query?name=d-1fcijw39vreport.wc.yahoodns.net&type=A

So, it was being used on AOL.com to bypass my pihole. I think that makes it a good candidate for this aggressive block list.

I also agree with @ler762 that generally speaking, since this is a hosts file, blocking host-bypassing domains is valid, especially in this very aggressive block list.

kzshantonu commented 3 years ago

> So, it was being used on AOL.com to bypass my pihole. I think that makes it a good candidate for this aggressive block list.

Oh I see. Didn't know that. Understandable

dnmTX commented 3 years ago

Interesting.... 🤔 Given the facts so far, if the domain in question is used for DoH and DoH is bypassing the hosts file altogether, how will listing/blocking it make any difference? Logically speaking here (never used DoH, neither done any tests), blocked or not, it should freely bypass the hosts file anyway.

kzshantonu commented 3 years ago

In my specific situation, I run an adguardhome server with the aggressive list. That is set as my router's DNS. So family members who use Facebook and friends' sites are told to use any public DoH server (e.g. cf) to bypass blocking. According to my logs, iOS uses the router's DNS to resolve the DoH server's IP, not a hardcoded DNS server.

lightswitch05 commented 3 years ago

@dnmTX in the example above, cloudflare-dns.com is resolved as a normal domain, not using DoH or bypassing the hosts file. However, d-1fcijw39vreport.wc.yahoodns.net is being queried using DoH, and would bypass the hosts file.

*.wc.yahoodns.net is wildcard blocked via my pihole, and so cloudflare-dns.com allowed AOL to bypass that block.

dnmTX commented 3 years ago

@lightswitch05 I was questioning the OP's reasons for opening this issue here, which are: 👉 Needed 👈 for 👉 cloudflare DoH

Why....you decided to list it in your....AGGRESSIVE list, wasn't even in my mind, neither being questioned, for sure 😉 👍

dnmTX commented 3 years ago

> *.wc.yahoodns.net is wildcard blocked via my pihole

Jinx! 😄 👇

[image: Capture]

ler762 commented 3 years ago

On 9/14/21, dnmTX @.***> wrote:

> Interesting.... 🤔 Given the facts so far, if the domain in question is used for DoH and DoH is bypassing the hosts file altogether, how will listing/blocking it make any difference? Logically speaking here (never used DoH, neither done any tests), blocked or not, it should freely bypass the hosts file anyway.

This version of DoH can be blocked since cloudflare-dns.com has to be looked up:

```
$ curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=yahoo.com&type=a'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"yahoo.com","type":1}],"Answer":[{"name":"yahoo.com","type":1,"TTL":1375,"data":"74.6.231.21"},{"name":"yahoo.com","type":1,"TTL":1375,"data":"98.137.11.164"},{"name":"yahoo.com","type":1,"TTL":1375,"data":"74.6.143.26"},{"name":"yahoo.com","type":1,"TTL":1375,"data":"98.137.11.163"},{"name":"yahoo.com","type":1,"TTL":1375,"data":"74.6.143.25"},{"name":"yahoo.com","type":1,"TTL":1375,"data":"74.6.231.20"}]}
```

On the other hand, a hosts file isn't going to do anything about this:

```
$ curl -H 'accept: application/dns-json' 'https://1.1.1.1/dns-query?name=yahoo.com&type=a'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"yahoo.com","type":1}],"Answer":[{"name":"yahoo.com","type":1,"TTL":1300,"data":"74.6.143.26"},{"name":"yahoo.com","type":1,"TTL":1300,"data":"98.137.11.163"},{"name":"yahoo.com","type":1,"TTL":1300,"data":"74.6.231.20"},{"name":"yahoo.com","type":1,"TTL":1300,"data":"98.137.11.164"},{"name":"yahoo.com","type":1,"TTL":1300,"data":"74.6.143.25"},{"name":"yahoo.com","type":1,"TTL":1300,"data":"74.6.231.21"}]}
```
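The distinction drawn in the thread above, as an added example that is not part of the original discussion or the project's code: given a DoH JSON request URL seen in proxy or browser logs, it reports whether a name-based filter (hosts file, Pi-hole, AdGuard Home) gets a chance to stop it, and whether the name queried inside it would otherwise have been blocked. The function names and the two-entry blocklist are assumptions constructed from the domains mentioned in the thread.

```python
import ipaddress
from fnmatch import fnmatch
from urllib.parse import urlsplit, parse_qs

# Constructed blocklist: the two entries discussed in the thread.
BLOCKLIST = ["cloudflare-dns.com", "*.wc.yahoodns.net"]


def is_blocked(name, blocklist=BLOCKLIST):
    """True if a name-based filter would match this DNS name."""
    name = name.rstrip(".").lower()
    return any(fnmatch(name, pattern) for pattern in blocklist)


def is_ip_literal(host):
    """True if the URL host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_doh_url(url, blocklist=BLOCKLIST):
    """Classify one DoH JSON request URL (the ?name=...&type=... form)."""
    parts = urlsplit(url)
    resolver = parts.hostname or ""
    inner = parse_qs(parts.query).get("name", [""])[0]
    ip_literal = is_ip_literal(resolver)
    # The resolver's own name needs an ordinary lookup only when the URL
    # uses a hostname; that lookup is the one point a name filter can act.
    stopped = (not ip_literal) and is_blocked(resolver, blocklist)
    inner_listed = is_blocked(inner, blocklist)
    return {
        "resolver": resolver,
        "needs_plain_lookup": not ip_literal,
        "stopped_by_name_filter": stopped,
        "inner_name": inner,
        "inner_name_on_blocklist": inner_listed,
        # A listed name that still resolves because nothing stopped the DoH call.
        "bypasses_filter": inner_listed and not stopped,
    }
```

A request reported with `needs_plain_lookup` false can only be handled at the network layer, for example by firewalling the resolver's IP address, since no name lookup ever reaches the filter.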