Feature Request - 1.1.1.1 and DNS for Families Should Redirect to a Block Page (Like Warp)

Canadian Internet Registration Authority (CIRA) offers a similar free service to 1.1.1.1 and 1.1.1.1 for Families called CIRA Canadian Shield with similar levels of protection; however, each time a site or domain is blocked by CIRA Canadian Shield, it redirects to a page explaining why this has happened - see screenshot below. (Similar to Cloudflare Warp client protected setup)

Why does Warp do this but not 1.1.1.1 or 1.1.1.1 for Families?

It would be less confusing as people who are blocked from visiting undesirable web sites using 1.1.1.2 or 1.1.1.3 are just left hanging with an incomplete connection (browsers show “Can’t reach this page”), which might lead them to believe something is wrong with their internet connection, modem/router, or computer.

There are limitations on what you can do with a DNS-only filtering solution. Top of my list is that as the web moves towards 100% HTTPS, any special web page that is shown will be hidden by the browser's HTTPS error page, as Cloudflare cannot show a valid certificate for any domain that is blocked without further configuration.

Cloudflare One offers customised block pages, but requires more setup than just pointing your DNS to 1.1.1.X. Installing a special root certificate on every machine to make the block pages work is not something that everybody is happy to do.

https://developers.cloudflare.com/cloudflare-one/policies/filtering/configuring-block-page/

CIRA only do this for sites served over HTTP. HTTPS sites are given an NXDOMAIN response, for the reason given above.

https://www.cira.ca/cybersecurity-services/canadian-shield/faq-public


Hi michael,

Thanks for the prompt response; makes sense - and you're right, installing a root certificate on multiple machines is not trivial in unmanaged environments or always desirable, so point taken.

Delivering a block page even just for HTTP sites does provide some value in my opinion, but I agree it is less than ideal/useful as the internet moves to HTTPS-only.

How would the DNS resolver know if you visit the site via HTTP or HTTPS? The DNS query only includes the domain and not the protocol. I understand you’re quoting the FAQ, but this just seems wrong.

I did notice that it gives different answers for different types of domains:
Domain without HTTPS (or HTTP):

dig fridgexperts.cc @149.112.121.10 +short
139.162.69.4
157.230.15.82
172.105.55.131
207.154.206.0
192.46.225.170

Gives NXDOMAIN block.

dig fridgexperts.cc @149.112.121.20 +short

Domain with HTTP (and HTTPS):

dig prince.ps @149.112.121.10 +short
216.194.173.53

Gives block page:

dig prince.ps @149.112.121.20 +short
99.83.178.7
75.2.110.227
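The two pairs of dig queries above compare CIRA's unfiltered resolver (149.112.121.10) with its protected resolver (149.112.121.20): an empty answer from the protected resolver is an NXDOMAIN block, while a different set of addresses is a rewrite to a block page. The following script is an added example, not code from CIRA, Cloudflare or anyone in this thread; it classifies a domain's treatment from the text that `dig +short` prints, using the outputs quoted in the post as constructed sample input, and adds a check that a "block page" address is shared across several blocked domains (a sinkhole), which separates filtering from ordinary CDN round-robin differences.

```python
"""Classify how a filtering DNS resolver treats a domain by comparing its
`dig +short` output with an unfiltered resolver's output.

Hypothetical helper written for this thread; not CIRA's or Cloudflare's code.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample input: the `dig ... +short` outputs quoted in the post.
FRIDGE_PRIVATE = """139.162.69.4
157.230.15.82
172.105.55.131
207.154.206.0
192.46.225.170
"""
FRIDGE_PROTECTED = ""  # NXDOMAIN: dig +short prints nothing

PRINCE_PRIVATE = "216.194.173.53\n"
PRINCE_PROTECTED = """99.83.178.7
75.2.110.227
"""


@dataclass(frozen=True)
class Verdict:
    # "allowed", "blocked-nxdomain", "blocked-page" or "inconclusive"
    status: str
    # Addresses the filtered resolver actually returned
    addresses: frozenset[str]
    detail: str


def parse_dig_short(output: str) -> set[str]:
    """Return the IPv4/IPv6 addresses in `dig +short` output.

    Empty output means no A/AAAA record came back (NXDOMAIN or NODATA).
    CNAME targets and other non-address lines are ignored.
    """
    addrs: set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue
    return addrs


def classify(unfiltered_output: str, filtered_output: str) -> Verdict:
    """Compare an unfiltered resolver's answer with a filtered resolver's."""
    baseline = parse_dig_short(unfiltered_output)
    filtered = frozenset(parse_dig_short(filtered_output))
    if not baseline:
        return Verdict("inconclusive", filtered,
                       "unfiltered resolver returned no address; domain may not exist")
    if not filtered:
        return Verdict("blocked-nxdomain", filtered,
                       "filtered resolver returned no address for a domain that resolves elsewhere")
    if filtered == baseline:
        return Verdict("allowed", filtered, "both resolvers returned the same addresses")
    if filtered.isdisjoint(baseline):
        return Verdict("blocked-page", filtered,
                       f"filtered resolver rewrote the answer to {sorted(filtered)}")
    # Partial overlap is more likely CDN rotation than filtering.
    return Verdict("inconclusive", filtered,
                   "partial overlap; probably round-robin or CDN rotation, not filtering")


def shared_rewrite_addresses(verdicts: dict[str, Verdict]) -> set[str]:
    """Addresses that appear in the 'blocked-page' answer of two or more domains.

    A filtering resolver points every blocked HTTP domain at the same block-page
    hosts, so an address recurring across unrelated domains is a sinkhole; a
    one-off difference is more likely a CDN edge than a block page.
    """
    seen: dict[str, int] = {}
    for verdict in verdicts.values():
        if verdict.status != "blocked-page":
            continue
        for addr in verdict.addresses:
            seen[addr] = seen.get(addr, 0) + 1
    return {addr for addr, count in seen.items() if count >= 2}


if __name__ == "__main__":
    results = {
        "fridgexperts.cc": classify(FRIDGE_PRIVATE, FRIDGE_PROTECTED),
        "prince.ps": classify(PRINCE_PRIVATE, PRINCE_PROTECTED),
    }
    for domain, verdict in results.items():
        print(f"{domain}: {verdict.status} ({verdict.detail})")
```

To audit a resolver in practice, feed `classify` the output of the two dig commands for each domain of interest and collect the verdicts in a dictionary; `shared_rewrite_addresses` then reports which rewritten addresses recur, which is the evidence that a "different answer" really is a block page rather than a CDN serving different edges to different resolvers.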

They might also be glossing over the fact that DoH (DNS over HTTPS) factors into this? (if you manually set up browsers to use their DNS)

But I can attest to the fact that using their DNS protect/family setup on home routers will provide block pages to client computers that have no configuration other than simply getting DNS resolved by CIRA Canadian Shield upstream.

How do I post on the forum?!

I expect they perform a test and include an attribute in their database which tells them what response to give.
