Why is 1.1.1.3 blocking a CDN?

I use 1.1.1.1 for Families (a.k.a. 1.1.1.3) as my home DNS.

This week I was trying to get to docs.sentry.io, but it would not load.

I did a DNS lookup and I see that it is a CNAME which resolves to cname.vercel-dns.com which is what is actually being blocked.

I looked in the Domain Categorization form and I see that it is correctly categorized as “Content Servers”.

As far as I know, that is not a category that should be blocked.

Since it is already correctly categorized, I can’t use the Domain Categorization form to submit feedback.

Why is this site being blocked?

Looks like this is blocked as malware:

 dig cname.vercel-dns.com @1.1.1.2 +short
0.0.0.0
1 Like

I use 1.1.1.3 and 1.0.0.3 at my router, browser and network adapter at OS.

I can open https://docs.sentry.io/.

cname.vercel-dns.com. IN A
;ANSWER
cname.vercel-dns.com. 59 IN A 76.76.21.21

Domain and sub-domain (cname)vercel-dns.com seems to not being proxied via Cloudflare neither is pointed to the Cloudflare nameservers.

vercel-dns.com. IN NS
;ANSWER
vercel-dns.com. 21599 IN NS ns2.vercel-dns.com.
vercel-dns.com. 21599 IN NS ns1.vercel-dns.com.

404 not found should refer to the host/origin issue as follows on the below screenshot:

I’ve been doing some more testing, and here it gets a little weird.

If I do a query to 1.1.1.3 (or 1.1.1.2) directly for docs.sentry.io, I get this:

C:\Users\moshe>nslookup docs.sentry.io 1.1.1.3
Server:  UnKnown
Address:  1.1.1.3

Non-authoritative answer:
Name:    cname.vercel-dns.com
Address:  76.76.21.21
Aliases:  docs.sentry.io


C:\Users\moshe>nslookup docs.sentry.io 1.1.1.2
Server:  UnKnown
Address:  1.1.1.2

Non-authoritative answer:
Name:    cname.vercel-dns.com
Address:  76.76.21.21
Aliases:  docs.sentry.io

Compare to my results for just the CNAME:

C:\Users\moshe>nslookup cname.vercel-dns.com 1.1.1.3
Server:  UnKnown
Address:  1.1.1.3

Non-authoritative answer:
Name:    cname.vercel-dns.com
Addresses:  ::
          0.0.0.0


C:\Users\moshe>nslookup cname.vercel-dns.com 1.1.1.2
Server:  UnKnown
Address:  1.1.1.2

Non-authoritative answer:
Name:    cname.vercel-dns.com
Addresses:  ::
          0.0.0.0

According to the packet capture, the DNS response from 1.1.1.3 includes two answers, one for the CNAME record for docs.cloudflare.com and one for the A record for cname.vercel-dns.com.

However, it seems that the router (pfSense, running Unbound) sees only the CNAME and ignores the second part of the answer, so it does its own query for cname.vercel-dns.com which gets blocked by 1.1.1.3.

So there are now two questions that remain:

  1. Why is the Vercel domain blocked on its own?
  2. Why does Unbound not use the second part of the DNS response?

I hope I’ll get an answer here on the first question, and I’m following up on the pfSense forum about the second question.