Cloudflare dns redacted

dns

#1

Hi,
even though I agree to most of this filtering it is a bad habit for DNS provider, redacting on DNS server instead of fighting those sites. Why are you just hiding them.
And on second hand how can I trust somebody who is manipulating DNS records on their server?


#2

I really don’t get the question. I have a vague idea on the first map, but what are you actually asking?


#3

Let’s say that I targeted one really shady website as a practise target and in half of my robot indexing that site to get a better idea what is going on there I started getting no DNS record from 1.1.1.1 and 1.0.0.1 when all other providers (google etc.) retrieve A record.


#4

Usually when those kind of errors appear is something misconfigured on the authoritative DNS for the zone. Would you mind sharing the website?

Are you saying also that you tried hacking or DDoSing another website not under you control? That, no matter the scope or shadiness of the website, could be illegal.


#5

Indexing site when robots.txt forbid it is just bad habit and when your robots.txt says 404 I can index whatever I want without feeling guilty. And no I saw a lot of this kind of sites dissapear in few days. I taught somebody taken them down in lawsuit but no all of it is just cloudflare removing unwanted content from their DNS. I would notice it because I enforce strict ssl against my copy of bank certificate but how usual user is going to find out that next month cloudflare redirects his bank login to own phishing proxy? I mean how can I trust somebody who changes DNS records without publicly posting “Hi we want to fight them by removing them from our DNS server” and intead of it they can change access to internet to all their users without them knewing.
Should DNS provider fight those things?

I don’t think so. And really no when they don’t make public anouncment.

Dne st 11. 7. 2018 23:09 uživatel matteo [email protected] napsal:


#6

I would assume English is not your main language here, because terms are kinda going all over the place (just like arguments) and you are mixing things.

You were talking about targeting a really shady website as practise target, those are hacking/DDoS terms.

Let me see if I got that correct:

  1. you were trying to index shady websites.
  2. these websites suddenly disappeared.
  3. you accuse Cloudflare of having purposefully removed them from the Public DNS service.

I can’t see how this would relate to a bank certificate.
Why would Cloudflare redirect a bank login to a phishing site?

I repeat: can you share for example a domain name where this is happening?


#7

I am saing that either

  1. There is some problem which stops resolving domains connected to specific content

  2. Somebody who have trusted access to DNS misused it.

  3. Cloudflare stoped intensionaly resolving them.

And I am sure that it is on side of cloudflare because all other DNS providers resolves them.

Each of those scares me in some way from technical stability to posibility of missuse.

P.S.: leave pgp fingerprint and I will share the first public post which points on such thing.


#8

Well then:

  1. most likely, usually something to do with DNSSEC, as the 1.1.1.1 Public DNS is a validating resolver, enforcing it if it is active, so any misconfigurations result in no response (for further info see https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/).
  2. there would be a major incident there, no one would do something like that intentionally (unless they intent was to harm the company) since there would a major change in the public’s eye, causing trust issues.
  3. same as point 2 basically, major trust issues.

If you want to share the domain be my guest, I do not have any PGP fingerprint available and I won’t go create one for this case. You can simply put the domain here, is there a specific reason you are withholding it?

In addition you can run the domain through http://dnsviz.net which will resolve it, checking for possible DNSSEC issues in the process. It may not be the only issue or even that may not be the issue at all, there are many possible errors.