1.1.1.2 blocking gogoanime

loganaden · April 10, 2020, 9:16pm

malware filtering is blocking gogoanime, a popular streaming service for japanese anime:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @1.1.1.2 gogoanime.pro
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13406
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;gogoanime.pro. IN A

;; ANSWER SECTION:
gogoanime.pro. 60 IN A 0.0.0.0

;; Query time: 5 msec
;; SERVER: 1.1.1.2#53(1.1.1.2)
;; WHEN: Sat Apr 11 01:13:47 +04 2020
;; MSG SIZE rcvd: 71

Same with the mirror website:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @1.1.1.2 www5.gogoanimehub(dot)tv
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11368
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www5.gogoanimehub(dot)tv. IN A

;; ANSWER SECTION:
www5.gogoanimehub(dot)tv. 60 IN A 0.0.0.0

;; Query time: 3 msec
;; SERVER: 1.1.1.2#53(1.1.1.2)
;; WHEN: Sat Apr 11 01:14:44 +04 2020
;; MSG SIZE rcvd: 85

Could this be a false positive on 1.1.1.2’s side ?

soldier_21 · April 11, 2020, 7:22am

It does seem like a false positive to me

You may report it here
https://report.teams.cloudflare.com/

loganaden · April 11, 2020, 8:03am

Thanks @soldier_21. I have filed 2 reports.

k-rolll · April 11, 2020, 6:28pm

you can try go to gogoanime.io or gogoanime.video It work fine with me, using with 1.1.1.2

intr0 · April 14, 2020, 1:33am

It may, just may, have something to do with the fact that no single “gogoanime” domain is actually hosted by or uses the same provider services (such as CloudFlare). There are literally nearly 100 “gogoanime” sites, ~ 50 of which use that exact do,aim name, the other half of which use similar domain names. Many of those 100 claim to be the “official” site. Many of them are known to host malware of one variation or another. So, there’s Phishing involved (via ~100 domain variations, none of which are actually “mirrors” at least according to each site’s claim that it, not the others, are the “official” site). And there’s malware involved and probable Pirating involved within a subset of the ~100 domain variations. As a security researcher and maintainer of two distinct anti-malware/phishing/etc… blacklists, I would definitely consider adding it to both blacklists after a bit more digging. So thank-you for your post.