Feature Requests: 1.1.1.1 for families - block page and better review process

Hi CF,

I just wanted to file my request for a block page. It would make troubleshooting issues much easier if the user received a block page that informed them that CF blocked access to a site when using 1.1.1.2 or 1.1.1.3. Just getting a connection refused message could mean that the origin is having an issue, so we have to go through a whole troubleshooting process at that point to figure out why users are not able to access their sites.

The second annoyance is the current review process. The review site is not really documented on 1.1.1.1 or the developer site. Once you do get to the proper review site, then there is no way to get status updates throughout the review process. This is not user friendly at all as you just have to keep running queries to see if/when the site has been recategorized. Ideally this new review process could be embedded in the block page so users can start a review from there.

Thanks

Serving a block page is not a trivial thing. As most of the web is not HTTPS, most people will get a browser error page rather than the block message. You also have to deal with DNSSEC. Filtering a result is one thing, but issuing a fake result is probably worse.

If you are using Cloudflare Gateway you get this functionality, but that is really for use in an enterprise where you can install a trusted CA on all the devices in an organisation via management tools (like Group Policy).

The blocked pages look like this: https://blocked.teams.cloudflare.com/example.com

As for the review process, it’s probably intentionally opaque to stop people from gaming the system. The only improvement I can think of would be some sort of ETA. At this point, I have no idea how long it takes to process a request and how often they push out updates. So after a week goes by, I’d know if that request was accepted or not by the query response.


@michael OpenDNS manages this fine. Yes you get a cert error but even with that you can check the cert is coming from opendns which gives you an idea of what the problem is even without proceeding through the cert error warning.

@sdayman I would be totally fine if you need to login to get tracking. If users don’t want to get tracking, then they could submit an anonymous request.

If you’re okay with the cert error then you can use the free tier of Cloudflare Gateway (which isn’t only for enterprises) to get block page functionality.

Cloudflare returns 0.0.0.0 for blocked domains unlike other providers like Quad9 who return NXDOMAIN. So you can use a DNS forwarder/proxy on the local network to identify this address and return the response that you want your users to see.

The review process could be improved, but if there are domains being blocked that users need access to urgently, then you can use Cloudflare Gateway to whitelist those sites for your own network.

1.1.1.2/1.1.1.3 is supposed to be no-frills - not everyone wants a block page by default. If you need more granular control of your DNS blocking that’s what Gateway is for.
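As an added illustration of the 0.0.0.0 sentinel approach described above (example code, not from the thread or from Cloudflare): a pure-Python rewrite step that a local DNS forwarder could apply to upstream answers, swapping the 0.0.0.0 A record for a block-page host. The block-page address 192.0.2.10 and the name example.test are placeholder values, and the sample response is constructed, not captured traffic.

```python
import socket
import struct

TYPE_A, CLASS_IN = 1, 1
BLOCKED_SENTINEL = socket.inet_aton("0.0.0.0")  # what 1.1.1.2/1.1.1.3 answer for blocked names


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the DNS name at `off` (plain labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def rewrite_blocked_answer(msg: bytes, block_page_ip: str) -> tuple[bytes, int]:
    """Return (message, count): every IN A answer of 0.0.0.0 is rewritten to block_page_ip.
    The replacement rdata has the same length, so no other offsets in the packet move."""
    out = bytearray(msg)
    replacement = socket.inet_aton(block_page_ip)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12  # end of the fixed 12-byte header
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QNAME, then QTYPE + QCLASS
    count = 0
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (TYPE_A, CLASS_IN, 4) and msg[off:off + 4] == BLOCKED_SENTINEL:
            out[off:off + 4] = replacement
            count += 1
        off += rdlen
    return bytes(out), count


def build_a_response(qname: str, ip: str, ttl: int = 60) -> bytes:
    """Constructed sample: a minimal DNS response carrying one A record."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; 1 question, 1 answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + name + struct.pack("!HH", TYPE_A, CLASS_IN) + rr


if __name__ == "__main__":
    fixed, n = rewrite_blocked_answer(build_a_response("example.test", "0.0.0.0"), "192.0.2.10")
    print(n, socket.inet_ntoa(fixed[-4:]))  # 1 192.0.2.10
```

Because the answer is altered in transit, DNSSEC-validating clients behind the forwarder will reject it, and an HTTPS site still produces a certificate error unless devices trust the block-page host's certificate, the same limits raised earlier in the thread.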

Gateway doesn’t work for us. We moved to SD-WAN 4 years ago. Each site has several WAN connections with dynamic IPs and then traffic is sent through cloud gateways which are shared amongst many customers. We just use 1.1.1.3 on our untrusted networks as a simple adult and malware filter. Honestly we would use OpenDNS Family Shield if their terms allowed business use. They have a block page that works fine and a review process that provides feedback. I prefer that CF returns 0.0.0.0 as NXDOMAIN causes Android to failover to alternative resolvers which make the filtering useless. If they can have a custom block page in their Gateway product, then they should be able to have a generic one without it. It reduces user and IT confusion.