Cloudflare for Families - 1.1.1.3 - is NOT blocking anything

I’m not sure if there are better places to report this for a timely investigation, but at the very least hopefully this may raise awareness if any of you are relying on this new service. I imagine they’ve pulled out many or all of the feeds they were using due to the earlier reported issues, but at the moment it’s basically useless. 1.1.1.2 for Malware may be working - I haven’t tested that yet.

Hi @BurntOC,

Can you try visiting phishing.testcategory.com and nudity.testcategory.com in your browser and see if they are blocked? They are just test sites to check that 1.1.1.2/1.1.1.3 are working correctly.

You can also report the miscategorisation of a domain at report.teams.cloudflare.com.

1 Like

I just tried a well-known “hub” site and got nothing. Same with another “naughty” site.

EDIT: To be clear, 1.1.1.3 blocked both of these.

Second Edit: I apologize. I forgot I’m using Gateway for Teams and have it configured to block Security Threats and Adult Content.

I’ll have to try that later tonight, but as @sdayman noted, an obvious example of an issue is that not even the “world’s most trafficked p0rn site” is being blocked ATM. I’ve filed the miscategorization reports, but Cloudflare was 0 for 5 in the legit sites I checked so it would seem this is bigger than that.

Yeah, same. I have many websites such as proxy web, porn web, gambling webs but they are not blocked. And I don't know what I can do in the request: only give the domain name or a whole website?

@domjh No problem getting the 200 Success message from both those sites you list. Is nobody @Cloudflare even monitoring this? Looks like they announced something, ended up blocking some LGBT sites and apologized, and then basically completely neutered it without any notice whatsoever to the user base.

Looks like you have a misconfigured system or your DNS is being hijacked by your local router or another system. Those are being blocked by 1.1.1.3.

dig phishing.testcategory.com @1.1.1.3 +short
0.0.0.0

dig nudity.testcategory.com @1.1.1.3 +short
0.0.0.0

eero routers with their security service enabled (for example) hijack normal DNS queries. That’s an issue with your local infrastructure.

1 Like
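The comparison behind the dig check in the post above, written out as an added example that is not part of the original posts: it contrasts a query sent straight to 1.1.1.3 with the answer from the machine's default resolver path. The function names, the verdict labels and the `--live` switch are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: is the 0.0.0.0 block answer seen both when asking the
# filtering resolver directly and on the path this machine normally uses?
FILTER_RESOLVER="1.1.1.3"   # resolver queried in the thread

# is_sinkhole ANSWER -> success if any answer line is exactly 0.0.0.0
is_sinkhole() {
    printf '%s\n' "$1" | grep -qx '0\.0\.0\.0'
}

# classify KIND DIRECT_ANSWER SYSTEM_ANSWER
#   KIND "test": a test domain that the filter must always block
#   KIND "site": any other domain, whose categorisation is unknown
classify() {
    kind=$1
    direct=$2
    system=$3
    if [ -z "$direct" ]; then
        echo "no-answer"                  # timeout or empty reply
    elif is_sinkhole "$direct"; then
        if is_sinkhole "$system"; then
            echo "filtered"               # default path uses the filter
        else
            echo "clients-bypass-filter"  # default path uses another resolver
        fi
    elif [ "$kind" = "test" ]; then
        echo "direct-query-intercepted"   # something else answered for 1.1.1.3
    else
        echo "not-categorised"            # resolver does not block this name
    fi
}

# Live mode: sh check.sh --live nudity.testcategory.com example.org
if [ "${1:-}" = "--live" ]; then
    shift
    for name in "$@"; do
        case $name in
            *.testcategory.com) kind=test ;;
            *) kind=site ;;
        esac
        direct=$(dig +short A "$name" @"$FILTER_RESOLVER")
        system=$(dig +short A "$name")
        printf '%s\t%s\n' "$name" "$(classify "$kind" "$direct" "$system")"
    done
fi
```

A browser with DNS over HTTPS enabled resolves names on its own path, so a `filtered` verdict here covers only clients that use the system resolver.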

Thanks for the tip @OliverGrant. Testing the hub and naughty sites using your method also returns 0.0.0.0.

To start, I want to be clear I don’t mean this to be snarky. Thanks for taking a look. However, there’s no misconfiguration here. Maybe a misunderstanding of what Cloudflare’s Status 200 Success page is though. Pornhub+1.1.1.3=fail. Xvideos+1.1.1.3=fail. I have another several I Googled that failed as well. I switch 1.1.1.3 and 1.0.0.3 to Cleanbrowsing.org’s 2 adult blocking DNS servers and BANG, they’re blocked.

EDIT - I didn’t see the part about eero until after I responded. To be clear, this is a pfSense box that works just fine and hasn’t ever hijacked any query to the best of my knowledge. Nslookup and other tests confirm they’re going to the right places, and I’m getting the responses provided. I believe I just misunderstood their test site results pages, which could also bear some clarification.

Update. Turning in for the night so I haven’t run more than a couple of quick tests, but it looks like they may have updated the filters. Fingers crossed. I’ll double check tomorrow.

The 200 page should not be visible if 1.1.1.2/1.1.1.3 are configured correctly. You should not be able to visit those in your browser if it is configured correctly.

The DoH adds a twist I wasn’t thinking about, and hadn’t explored.

If it’s HTTPS, aren’t you always going to get a 200 response for your request, and then the content is going to differ depending on DNS success or failure?

So I would think with DoH they’d be using the same filters on the DoH-capable servers as the standard DNS servers, which would then ID a blacklist match and provide a failure page. That said, I’m not sure what CF actually intends to happen in this case. It sounds like my original interpretation of the 200 page was correct, at least.

Checking again this morning, I get 1001 errors when I try to access those two sites I called out specifically that should be blocked, but I still get 200 pages going to the two test URLs supplied above. I believe the 1001 errors are actually the current “proper” behavior indicating 1.1.1.3 is working - for those sites at least. Again, I’ll have to test more. DNS leak testing has added further support to my belief that my server continues to act as it should for these queries, and that the behaviors I’m seeing are related to CF. Again, my other providers work 100% as I would expect.

Maybe same problem.
Router has 1.1.1.3 configured (https://i.imgur.com/Dy8PIAK.png).
But when I connect from any device I have 1.1.1.1 (https://i.imgur.com/BetrGxZ.png).
Any ideas?

I tested phishing.testcategory.com and nudity.testcategory.com and they were blocked. But www.redtube.com was not. It is clearly an adult site. What is going on?

That’s a really great question. It seems like they really messed up the launch on this. They blocked a lot of sites that shouldn’t have been, and now it doesn’t appear to block much of anything. I’ve seen threads about case sensitivity and other things that simply should be 101 type stuff at this point. I was excited to hear about the launch, but I switched back to Cleanbrowsing and I am in no rush to trust this again.

The whole deal is really surprising to me. I mean, mistakes get made. This was a big one, and it shouldn’t have been launched broken, but it was, so okay, just fix it. Cloudflare has such top-notch offerings that to see it sit there broken for a week so far just baffles me. It’s also concerning that they haven’t even acknowledged they’re fixing it.

Agreed. The cleanbrowsing dns sounds like a better choice.

I switched over to cleanbrowsing and rebooted my router, but I’m still showing that I’m grabbing the cloudshare dns. Any idea what I need to do? I left the cable modem powered down for 10 minutes along with the router turned off. But I’m still grabbing the old dns when I boot back up.

I’m not sure why your router wouldn’t work if you swapped them out.

Ended up being a settings issue on my router. Turns out you actually need to specify the DNS addresses in 2 places depending on how the router is configured. So. Issue solved.