SIEM flagging cloudflare traffic

As of July 9th, emergingthreat.net introduced a new high severity rule seemingly impacting devices using the 1.1.1.1 service - https://docs.emergingthreats.net/bin/view/Main/2027695
The alert is triggered upon communication to Cloudflare IP 104.16.248.249 - the specific site listed in the alert leads to a 404 page.
What is going on please?

You probably should ask the company who created the rule why they created it. Not familiar with the tool but assume looking at the metadata they are simply logging/auditing devices which are using Cloudflare’s DoH.

I did once see someone take an overly-broad, false-positive-heavy EmergingThreats rule, and become inspired to write a fraudulent abuse ticket blaming someone else for their own innocuous traffic.

(Can you tell that I’m still mad?)

It’s useful to audit traffic to public DoH resolvers in restricted environments, but people will overreact. Hopefully not very often. :confused: At least Cloudflare’s abuse department is unlikely to shut down Cloudflare’s DNS service. :slightly_smiling_face:

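As an added example (not code from this thread or from Emerging Threats), a small Python triage script over constructed Suricata EVE JSON lines: it counts hits on SID 2027695 per internal host and separates the Cloudflare IP named in the question plus the public 1.1.1.1 / 1.0.0.1 resolvers (an assumed list) from any other destination, which is the kind of audit the reply above describes.

```python
import json
from collections import Counter, defaultdict

# Rule id from the thread; the resolver set is the page's 104.16.248.249 plus
# Cloudflare's public 1.1.1.1 / 1.0.0.1 (assumed list, extend for your estate).
DOH_SID = 2027695
CLOUDFLARE_DOH_IPS = {"104.16.248.249", "1.1.1.1", "1.0.0.1"}

# Constructed Suricata EVE JSON lines (not captured logs): two hosts hitting
# the rule, one unrelated alert, and one non-alert event that must be ignored.
SAMPLE_EVE = """\
{"timestamp":"2019-07-10T08:01:12+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"104.16.248.249","dest_port":443,"alert":{"signature_id":2027695,"severity":1,"signature":"CONSTRUCTED DoH rule text"}}
{"timestamp":"2019-07-10T08:01:40+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"104.16.248.249","dest_port":443,"alert":{"signature_id":2027695,"severity":1,"signature":"CONSTRUCTED DoH rule text"}}
{"timestamp":"2019-07-10T08:02:03+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"104.16.248.249","dest_port":443,"alert":{"signature_id":2027695,"severity":1,"signature":"CONSTRUCTED DoH rule text"}}
{"timestamp":"2019-07-10T08:02:30+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"203.0.113.7","dest_port":80,"alert":{"signature_id":2000001,"severity":3,"signature":"CONSTRUCTED other rule"}}
{"timestamp":"2019-07-10T08:02:31+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"104.16.248.249","dest_port":443}
"""


def doh_alerts(eve_text, sid=DOH_SID):
    """Yield (src_ip, dest_ip) for alert events carrying the given signature id."""
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow/dns/tls records are not alerts
        if ev.get("alert", {}).get("signature_id") != sid:
            continue  # other rules are out of scope for this triage
        yield ev["src_ip"], ev["dest_ip"]


def triage(eve_text, sid=DOH_SID, known=CLOUDFLARE_DOH_IPS):
    """Count hits per source host and flag destinations outside the known
    public resolver set, which are the ones worth a closer look."""
    per_host = Counter()
    dests = defaultdict(set)
    for src, dst in doh_alerts(eve_text, sid):
        per_host[src] += 1
        dests[src].add(dst)
    report = {}
    for src, hits in per_host.items():
        unexpected = dests[src] - known
        report[src] = {"hits": hits, "known_resolver_only": not unexpected,
                       "unexpected": sorted(unexpected)}
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVE).items():
        print(host, info)
```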