openrightsgroup / cmp-issues

Centralised issue-tracking for the Blocked backend

Test Cloudflare’s 1.1.1.1 for Families #262

Closed edjw closed 4 years ago

edjw commented 4 years ago

Cloudflare has introduced 1.1.1.1 for Families. It’s a DNS resolver run by Cloudflare that lets you block malware and adult content.

Malware and Adult Content
- Primary DNS: 1.1.1.3
- Secondary DNS: 1.0.0.3

There are already reports of overblocking

alexhaydock commented 4 years ago

Do we have any way of generating a CSV or such of all the sites which have been previously blocked on Blocked.org.uk and later unblocked after a user report?

I'm bored so I could run them all through this new service and look at which ones it blocks. It's quick and dirty but it might turn up some interesting stuff.

gwire commented 4 years ago

I've suggested it to Daniel, earlier on the dev channel.

We may be able to use the DoH facility as an API - I believe DNS Status 5 is a blocked site.

```shell
$ curl 'https://family.cloudflare-dns.com/dns-query?ct=application/dns-json&name=www.openrightsgroup.org&type=A' --no-progress-meter | jq .Status
0
$ curl 'https://family.cloudflare-dns.com/dns-query?ct=application/dns-json&name=www.playboy.com&type=A' --no-progress-meter | jq .Status
5
```

JimKillock commented 4 years ago

Agree with Alex’s suggestion, that is low hanging fruit.

@gwire suggest we purchase a domain for Cloudflare / other generic (global reach) filter checking.

We also need to check what Cloudflare say their procedure is, whether they have an email address for complaints etc.

I will dig through my email to see if I can find an email for Cloudflare’s policy people to ask.

dantheta commented 4 years ago

I've added a quick proof of concept probe, pending integration into the main probe, and I've sent the unblocked URLs to it for testing.

So far it doesn't seem to be blocking very many of those, though I'm seeing quite a high error rate from it.

Looking at their DoH docs, it may be possible for status value 5 to be emitted under circumstances other than a blocked site, but I'm not sure what those conditions would be. It's a generic error indicating refusal to serve a response, the same as the regular port 53 DNS. If they do have a more detailed API, we can switch to that.

I'll open a new ticket for integrating this into the main probe.

The unblocked site test results were:

```
  status  | count
----------+-------
          |     6
 dnserror |   185
 ok       |  2612
```

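The DoH JSON check from gwire's comment, and dantheta's caveat that Status 5 (RCODE REFUSED) can mean something other than a filter decision, can be combined into one batch probe. The script below is an added example, not code from the cmp-issues project or from anyone in this thread. It queries the family endpoint named above and, as an assumption of this example, cross-checks each name against Cloudflare's unfiltered DoH endpoint (`https://cloudflare-dns.com/dns-query`) so that a refusal is only counted as "blocked" when the unfiltered resolver answers the same name normally; the outcome labels `ok` and `dnserror` mirror the table above, while `blocked` and `nxdomain` are labels chosen here. The classification logic is kept separate from the network fetch so it can be tested offline on constructed replies.

```python
"""Batch-probe 1.1.1.1 for Families via its DoH JSON endpoint and classify
each result, cross-checking the unfiltered Cloudflare resolver so that a
REFUSED answer is only attributed to the filter when the same name resolves
normally elsewhere (added example; endpoints and labels are assumptions)."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint used in the thread's curl examples.
FAMILY_DOH = "https://family.cloudflare-dns.com/dns-query"
# Assumed cross-check endpoint: Cloudflare's unfiltered DoH resolver.
UNFILTERED_DOH = "https://cloudflare-dns.com/dns-query"

# DNS RCODE values (RFC 1035); the DoH JSON "Status" field carries the RCODE.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def doh_json_query(endpoint, name, rtype="A", timeout=10):
    """Fetch one DoH JSON reply; return the parsed dict, or None on any transport error."""
    qs = urllib.parse.urlencode({"ct": "application/dns-json", "name": name, "type": rtype})
    try:
        with urllib.request.urlopen(f"{endpoint}?{qs}", timeout=timeout) as resp:
            return json.load(resp)
    except (urllib.error.URLError, json.JSONDecodeError, OSError):
        return None


def rcode_name(reply):
    """Human-readable RCODE for a reply (or 'transport-error' when the fetch failed)."""
    if reply is None:
        return "transport-error"
    status = reply.get("Status")
    return RCODE_NAMES.get(status, f"RCODE{status}")


def classify(family_reply, unfiltered_reply):
    """Map a (filtered, unfiltered) pair of replies to one probe outcome.

    ok        - the family resolver answered NOERROR
    blocked   - family resolver REFUSED while the unfiltered one answered NOERROR
    nxdomain  - both resolvers say the name does not exist (not a filter decision)
    dnserror  - transport failure, or a refusal/servfail that the unfiltered
                resolver also produced, so it cannot be pinned on the filter
    """
    if family_reply is None or unfiltered_reply is None:
        return "dnserror"
    fam = family_reply.get("Status")
    unf = unfiltered_reply.get("Status")
    if fam == 0:
        return "ok"
    if fam == 3 and unf == 3:
        return "nxdomain"
    if fam == 5 and unf == 0:
        return "blocked"
    return "dnserror"


def summarise(outcomes):
    """Count outcomes into the status/count shape used by the table in the thread."""
    counts = {}
    for outcome in outcomes:
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def probe(domains):
    """Query both resolvers for every domain; return {domain: (outcome, family_rcode)}."""
    results = {}
    for domain in domains:
        fam = doh_json_query(FAMILY_DOH, domain)
        unf = doh_json_query(UNFILTERED_DOH, domain)
        results[domain] = (classify(fam, unf), rcode_name(fam))
    return results


if __name__ == "__main__":
    # Constructed sample list; in practice feed it the CSV of previously unblocked sites.
    results = probe(["www.openrightsgroup.org", "example.com"])
    for domain, (outcome, rcode) in results.items():
        print(f"{outcome:9s} {rcode:16s} {domain}")
    print(summarise(o for o, _ in results.values()))
```

Re-running the same list a second time and diffing the `blocked` set is the cheapest way to tell a real filter change from the transient errors dantheta saw: a name that flips between `blocked` and `dnserror` across runs is a resolver hiccup, not an overblock.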
edjw commented 4 years ago

Low numbers of blocks may be because they worked to fix some overblocking very quickly

https://blog.cloudflare.com/the-mistake-that-caused-1-1-1-3-to-block-lgbtqia-sites-today/