covid19-scenarios.org is currently being blocked from DNS lookups by Cloudflare's anti-malware DNS (1.1.1.2/1.0.0.2)

[Lutzy]

🐛 Bug Report

I use pi-hole on my local network and set my upstream DNS servers to Cloudflare's anti-malware DNS (1.1.1.2 and 1.0.0.2). More info on these DNS servers can be found here: https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

Currently, if I try to visit https://covid19-scenarios.org/ pi-hole tells me that this domain is blocked by upstream DNS (Cloudflare).

How to reproduce

Steps to reproduce the issue:

1. Set DNS to Cloudflare's anti-malware DNS (1.1.1.2/1.0.0.2)
2. Flush DNS cache
3. Try and visit https://covid19-scenarios.org/

😯 Current Behavior

The name resolution fails.

🤔 Expected Behavior

The name resolution should succeed.

💁 Possible Solution

Contact Cloudflare and figure out why https://covid19-scenarios.org/ is showing up in malware filtering.

🔦 Context

It made me sad

-

[ivan-aksamentov]

@Lutzy Thanks for the report and the investigation.

I am not sure how they categorize the domains, but I guess they just block all the new COVID-19-related sites for now as "fake news", which makes sense.

I submitted our domains in category "science" for the review on https://report.teams.cloudflare.com But I am not sure how to proceed further. Cannot find any relevant contact venue either.

Could you please additionally verify that our old addresses are reachable on your setup: https://neherlab.org/covid19/ https://neherlab.org/covid19_version0/ https://neherlab.org ?

We are hosted on AWS entirely and use relatively vanilla S3, Cloudfront, domain and DNS setup. That should not be a problem, should it? I am not sure if any additional config is required for various filtering and adblocking solutions.

I will dig into it a bit, but if you have any thoughts, please let me know.

Update: apparently there have been massive false positives before as well https://blog.cloudflare.com/the-mistake-that-caused-1-1-1-3-to-block-lgbtqia-sites-today/

[Lutzy]

All three (well they're on the same domain so it makes sense) of those work just fine. I had heard that 1.1.1.3 had a lot of false positives before, but that one is designed to filter both malware and "adult content" which can be a lot more difficult and subjective to classify.

It's not a huge deal for me personally of course, I can just change my upstream DNS to either 1.1.1.1 or 8.8.8.8 or something, but yeah I think you contacting cloudflare makes the most sense. I was going to do it, but I figured I should do my due dilligence and report the issue to you guys, as I imagine I'm not the only person using Cloudflare's anti-malware DNS.

I think you can safely close my issue if you want. I just wanted to let you guys know. Thanks and keep up the great work!

[Lutzy]

And just to leave a note for your information

1.1.1.1 = Cloudflare's DNS, it's fast and has an easy to remember IP but offers no filtering 1.1.1.2 = Cloudflare's Anti-malware DNS, same as 1.1.1.1 except it also blacklists malware (and apparently it's a little too over-zealous) 1.1.1.3 = "family safe" DNS, it's got everything 1.1.1.2 has but also filters "adult content"

[ivan-aksamentov]

@Lutzy I am not going to close this issue until it's resolved. And I would appreciate your further help with that.

I've contacted Cloudflare on Twitter https://twitter.com/ivan_aksamentov/status/1253160876875669506

But, considering that you planned to also ping them, can you please recommend me the proper way of contacting them? In case if you already found one.

[ivan-aksamentov]

Just for bookkeeping, here are the commands to check resolution using Cloudflare's DNS servers:

dig +short @1.1.1.1 covid19-scenarios.org
dig +short @1.1.1.2 covid19-scenarios.org
dig +short @1.1.1.3 covid19-scenarios.org

1.1.1.2 and 1.1.1.3 reply with 0.0.0.0

[Lutzy]

https://support.cloudflare.com/hc/en-us/articles/200172476-Contacting-Cloudflare-Support was going to be the route I took

[noleti]

I found https://report.teams.cloudflare.com/ and filed to re-classify as 'technology'. Not convinced this will help.

[ivan-aksamentov]

@noleti @Lutzy Could you please check if the domains can be resolved now from your config?

I submitted the issue 7 days ago. They replied 4 days after that that the issue was escalated to the tech team. The day after the ticket was closed. Currently, 2 days after the domains are still not resolvable.

They say they prioritize paying customers...

[Lutzy]

Sorry to hear you're having difficulty with it. I think I'm actually going to change to 1.1.1.1. I like Cloudflare's DNS from a speed perspective, but your guys' domain is actually the only one I've seen the malware filter block (maybe I have good browsing habits, but 1.1.1.2 has yet to do anything good for me)

[ivan-aksamentov]

Thanks @Lutzy . Could you confirm that it's still blocked in the place where you live, for example using the dig commands from above?

My worry is that users in institutions, like hospitals, universities, government may be forced to use the 1.1.1.2 or similar filters en masse, by their admins. Hard to say if any of institutions have switched to this, but that would be a serious hit for our project.

[Lutzy]

Yes, 1.1.1.2 is still blocking.

[ivan-aksamentov]

Good news! Seems like Cloudflare unblocked us. I verified with dnschecker.org and dig on multiple ISPs and VPNs.

Closing this. But if issues persists, please comment.

[rhester72]

Still blocked on 1.1.1.2 for me, confirmed via dig.

[ivan-aksamentov]

@rhester72 I can confirm that it is blocked again on my side as well. Not sure what is this Cloudflare doing exactly... Reopening an issue and submitting another support request to them. Might take a few days again.

[ivan-aksamentov]

This should be resolved now, hopefully definitively