Bug: Cloudflare for families not blocking when TLS used

We are seeing a recent issue where requests to blocked sites are no longer working on Cloudflare for Families (1.1.1.3) when DNS over TLS is used. Unencrypted DNS works properly.

On Linux:

**# This works! Note 0.0.0.0 answer.**
# dig nudity.testcategory.com

; <<>> DiG 9.10.6 <<>> nudity.testcategory.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54599
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nudity.testcategory.com.       IN      A

;; ANSWER SECTION:
nudity.testcategory.com. 60     IN      A       0.0.0.0

;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 14 14:58:02 CST 2020
;; MSG SIZE  rcvd: 91

**# Encrypted request does not block the IP address**
# dnslookup nudity.testcategory.com tls://cloudflare-dns.com 1.1.1.3
dnslookup undefined
dnslookup result:
;; opcode: QUERY, status: NOERROR, id: 43328
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nudity.testcategory.com.       IN       A

;; ANSWER SECTION:
nudity.testcategory.com.        60      IN      A       104.18.4.35
nudity.testcategory.com.        60      IN      A       104.18.5.35

Apologies, the correct unencrypted request format is:

dnslookup nudity.testcategory.com 1.1.1.3

Unable to reproduce. Perhaps it’s the tool? May also want to try family.cloudflare-dns.com

kdig -d @1.1.1.3 +tls-ca +tls-host=cloudflare-dns.com  nudity.testcategory.com
;; DEBUG: Querying for owner(nudity.testcategory.com.), class(1), type(1), server(1.1.1.3), port(853), protocol(TCP)
;; DEBUG: TLS, imported 164 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27936
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 396 B

;; QUESTION SECTION:
;; nudity.testcategory.com.		IN	A

;; ANSWER SECTION:
nudity.testcategory.com.	60	IN	A	0.0.0.0
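The kdig run above works because the TLS connection presents the right server name and the reply is read over a framed TLS stream. As an added example (not from this thread or from any Cloudflare tool), the script below does the same check in the Python standard library: it builds a DNS A query, frames it per RFC 7858 (two-byte length prefix over TLS to port 853), sends it with an SNI of `family.cloudflare-dns.com` (an assumption; `cloudflare-dns.com` as used with kdig works too), parses the A records out of the reply, and reports whether the answer is the 0.0.0.0 sinkhole the thread shows for blocked names. The `build_response` helper is only there to construct offline sample replies for testing; the live query runs only when the file is executed directly.

```python
"""Minimal DNS-over-TLS category-block check (added example, not from the thread)."""
import socket
import ssl
import struct


def build_query(name, qid=0x1234):
    """Build a plain DNS A/IN query with the RD flag set (no EDNS)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(name, addrs, ttl=60, qid=0x1234):
    """Constructed sample reply (for offline testing only): one A record per addr,
    owner name given as a compression pointer to the question (0xC00C)."""
    query = build_query(name, qid)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)
    body = query[12:]
    for a in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
    return header + body


def _read_name(msg, offset):
    """Return (name, offset just past it); follows RFC 1035 compression pointers."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg):
    """Extract IPv4 addresses from the answer section of a DNS reply."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                               # skip question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                                   # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def is_blocked(addrs):
    """Cloudflare for Families answers 0.0.0.0 for a blocked category (see dig output)."""
    return bool(addrs) and all(a == "0.0.0.0" for a in addrs)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed mid-message")
        buf += chunk
    return buf


def query_dot(name, server="1.1.1.3", sni="family.cloudflare-dns.com", timeout=5.0):
    """Send one A query over DNS-over-TLS (RFC 7858) and return the A records.
    The SNI value is an assumption; cloudflare-dns.com works as well."""
    ctx = ssl.create_default_context()                # verifies the chain against system CAs
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)   # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length))


if __name__ == "__main__":
    answer = query_dot("nudity.testcategory.com")
    print(answer, "BLOCKED" if is_blocked(answer) else "NOT BLOCKED")
```

Run it directly to repeat the thread's test against 1.1.1.3; if it prints `NOT BLOCKED` with real addresses, the filtering resolver is not the one answering, which is what the original dnslookup output showed.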

Bravo! That did it!
