is not blocking when using DNS-over-TLS


Using normal DNS on port 53, is working correctly - not returning results for adult sites

dig @ nudity.testcategory.com A
; <<>> DiG 9.16.13 <<>> @ nudity.testcategory.com A
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Whereas issuing the same request using DNS-over-TLS, the server resolves it without blocking!

curl -H 'accept: application/dns-json' '' 
indent preformatted text by 4 spaces

Is the families service supposed to work on DNS-over-TLS? (It used to!)

CSAM (Child Sexual Abuse Material) The Child Sexual Abuse Material (CSAM) Scanning Tool allows website owners to proactively identify and take action on CSAM located on their website. Enabling this service will alert you and the National Center for Missing and Exploited Children (NCMEC) of your cached image files that match known CSAM hashes. The alerts to NCMEC will include your set email address. Additionally, this tool will attempt to proactively block material that is identified by this tool.

I don’t think your test is working:

This indicates the NS query to the server failed completely (no servers could be reached).

The DoH endpoint is not, but rather https://family.cloudflare-dns.com/dns-query https://developers.cloudflare.com/

curl -H 'accept: application/dns-json' 'https://family.cloudflare-dns.com/dns-query?name=nudity.testcategory.com&type=A'
1 Like

The CSAM tool is used for / with sites being proxied by Cloudflare to detect matching content. for Families is a (filtered) DNS service.

Well, what versions do CSAM work on?

Hi @cscharff , Thanks for your quick reply!

Dig test is fine - other sites resolve ok, e.g.

dig @ google.com A +short

I too was expecting NXDOMAIN or similar for nudity.testcategory.com but it seems the blocking behavior on normal DNS is just to drop the request. Either works.

Thanks for the Families URL - I’ll switch to that and see how it goes! :slight_smile:

Thanks. :slight_smile: This works fine!

Well if it contains material that maybe considered Child Abuse it can block requests with error 459: Unavailable due to legal reasons

Well, no. The error in the original report isn’t what would happen if there was a valid response it would look like this:

; <<>> DiG 9.10.6 <<>> @ nudity.testcategory.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55982
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
;nudity.testcategory.com.	IN	A

nudity.testcategory.com. 60	IN	A

;; Query time: 43 msec
;; WHEN: Wed Mar 31 10:28:32 CDT 2021
;; MSG SIZE  rcvd: 68
dig @ nudity.testcategory.com A +short

So I know it doesn’t really actually matter much, but just wanted to document what expected behavior for dig should look like.

Simply, what does that mean?

It means that a query to the hostname nudity.testcategory.com using Cloudflare’s DNS resolver (part of Cloudflare for families) to validate that searches for DNS domains classified as Adult Content are blocked (by returning a address instead of the actual IP address of the host). — The free app that makes your Internet faster.

So it blocks the actual IP of the host?

Interesting. I agree, your response is what should happen. Indeed, if I do it from elsewhere that’s what does happen so the implication then is something in-between us is dropping the response. Either way, it’s all good! :slight_smile:

Anyway, thanks for your help, it’s way above and beyond what I was expecting for a free service! :slight_smile:

1 Like

I spend most of my time working around Cloudflare One/Teams/Gateway which is built on top of the same infrastructure. So when a ‘free’ customer hits what could potentially be a bug, I like to look into it just to make sure we haven’t broken something (it happens).

Glad we got it sorted. :smiley:

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.