Null ip response versus NXDomain when blocking malicious content

Hi! I’ve noticed that you have documented when cloudflare for families blocks malicious and offensive domains the dns is resolved to a null ip record for A and AAAA records respectively.

Cloudflare will return 0.0.0.0 if the fully qualified domain name (FQDN)Open external link or IP in a DNS query is classified as malicious.

When this happens in safari, the browser appears to constantly be loading something until i navigate to a new page… Not a big deal but it is confusing. Why the decision to use a null IP rather than NXDOMAIN which seems like it is more likely to be understood by all types dns clients? Is there a benefit to using a null ip?

If I were to guess, it’s because NXDOMAIN may cause your device to fall back to some other DNS resolver, whereas 0.0.0.0 is an answer so your device will stop asking.

I can’t replicate your experience in Safari. I added a ‘test’ subdomain to one of my sites with an IP address of 0.0.0.0 and got this:

On my iPhone, it just said the address is invalid. If I could replicate this on my desktop, I’d check my DevTools to see why it’s constantly loading.

This post was flagged by the community and is temporarily hidden.

Wow, thanks for the quick response. It looks like this behavior is only present on Safari in iOS14 (perhaps also lower – didn’t try). Safari in iOS15 returns an error page similar to the one you shared. Chrome in both iOS versions also shows error pages. I can’t find any RFC that defines how dns blocking should/must be implemented. Is there any such definition around dns blocking that you are aware of?

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.