Cloudflare Gateway block response DoT vs DoH/plaintext UDP

I use DNS-over-TLS (DoT) to forward queries from my home router to a Cloudflare Gateway location. The policy I have assigned contains a block for one domain and the block page is enabled. Queries to that domain using the Zero Trust client (in DNS-only mode or Warp mode) receive the block page IP address as expected. Similarly, queries without the client over UDP53 receive the block page IP as well (as expected).

However, queries for the blocked domain over the DoT connection receive a SERVFAIL response, causing another query to be generated using the next DNS server issued by the DHCP server. I can see the block being logged in the Gateway logs over TLS, but I’m not sure why the response is SERVFAIL.

For me, kdig -d @162.159.36.20 +tls +tls-sni=abc123.cloudflare-gateway.com malware.testcategory.com returns the blocking page IPv4 address and ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 18835. So, I could not reproduce this.

That’s not fully reproducing the steps. From what I can tell, category-based blocks over DoT work as expected. A custom block (add a specific domain to a rule to block) seems to be logged as a block but the response is SERVFAIL.

[email protected] ~ % dig malware.testcategory.com 

; <<>> DiG 9.10.6 <<>> malware.testcategory.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44241
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;malware.testcategory.com.	IN	A

;; ANSWER SECTION:
malware.testcategory.com. 60	IN	A	162.159.36.12

;; Query time: 70 msec
;; SERVER: 192.168.1.158#53(192.168.1.158)
;; WHEN: Tue Nov 01 09:18:31 EDT 2022
;; MSG SIZE  rcvd: 93

[email protected] ~ % dig foxnews.com

; <<>> DiG 9.10.6 <<>> foxnews.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61875
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;foxnews.com.			IN	A

;; Query time: 21 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Nov 01 09:18:41 EDT 2022
;; MSG SIZE  rcvd: 40

192.168.1.158 is my pi-hole, which is configured to send queries upstream to my router (which has the DoT connection to CF). You can see the servfail after it fails back to the router IP directly.

[email protected] ~ % nslookup foxnews.com
;; Got SERVFAIL reply from 192.168.1.1, trying next server

If I set up a backup to go straight to Cloudflare Gateway (or use the Zero Trust client to send queries directly), the block works as expected.

Do you have a policy like in this screenshot?
For me, that also returns the blocking page IP.

kdig @162.159.36.20 +tls +tls-sni=abc123.cloudflare-gateway.com foxnews.com
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 20443
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; foxnews.com.                 IN      A

;; ANSWER SECTION:
foxnews.com.            60      IN      A       162.159.36.12
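To compare the two transports the thread is discussing without relying on dig/kdig, here is a small Python probe that sends the same A query over DoT (TLS on port 853 with the Gateway location as SNI, RFC 7858 length framing) and over plaintext UDP/53, then decodes the reply's RCODE and A records so a SERVFAIL can be told apart from a block-page answer. This is an added example, not code from the thread or from Cloudflare; it uses only the Python standard library. The server 162.159.36.20, the SNI abc123.cloudflare-gateway.com (abc123 standing in for a real Gateway location id, as in the posts above) and the block-page address 162.159.36.12 are taken from the thread; the function names and the two sample replies at the bottom are mine, and the samples are constructed from the posted output rather than captured traffic.

```python
import socket
import ssl
import struct

# RCODE values from RFC 1035 / IANA; only the ones a resolver probe usually sees.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a plain A/IN query with RD set (no EDNS), equivalent to `dig name A`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Decode the header RCODE and any A-record addresses from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": answers}

def classify(result, blockpage_ip="162.159.36.12"):
    """Label a parsed reply the way the thread distinguishes outcomes."""
    if result["rcode"] == "SERVFAIL":
        return "servfail"          # stub resolvers fall through to the next configured server
    if result["rcode"] == "NOERROR" and blockpage_ip in result["answers"]:
        return "blockpage"         # Gateway answered with the block page address
    return "resolved"

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stream closed mid-message")
        buf += chunk
    return buf

def query_dot(name, server, sni, timeout=5.0):
    """A query over DoT: TLS on 853, Gateway location hostname as SNI, 2-byte length prefix."""
    ctx = ssl.create_default_context()
    q = build_query(name)
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            (rlen,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, rlen))

def query_udp(name, server, timeout=5.0):
    """The same query over plaintext UDP/53, for a side-by-side comparison."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return parse_response(s.recv(4096))

# Constructed sample replies (not captured traffic): a block-page answer and a SERVFAIL,
# shaped after the posted output and reusing its transaction ids; no OPT record included.
SAMPLE_BLOCKPAGE = (struct.pack("!HHHHHH", 20443, 0x8180, 1, 1, 0, 0)
                    + b"\x07foxnews\x03com\x00" + struct.pack("!HH", 1, 1)
                    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([162, 159, 36, 12]))
SAMPLE_SERVFAIL = (struct.pack("!HHHHHH", 61875, 0x8182, 1, 0, 0, 0)
                   + b"\x07foxnews\x03com\x00" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    # Live comparison; replace abc123 with the real Gateway location hostname.
    for label, fn in (("DoT", lambda: query_dot("foxnews.com", "162.159.36.20",
                                                "abc123.cloudflare-gateway.com")),
                      ("UDP", lambda: query_udp("foxnews.com", "162.159.36.20"))):
        r = fn()
        print(label, r["rcode"], r["answers"], "->", classify(r))
```

Running the live part prints one line per transport; a "servfail" label on the DoT line next to a "blockpage" label on the UDP line reproduces the asymmetry the thread describes, and the SERVFAIL is what makes a stub resolver move on to the next DHCP-supplied server.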
