
Whitelist not always triggering

Hi,

I noticed a strange behaviour with various domains that are on the privacy block lists.

Whitelisted domains, including all subdomains (*.whatever.com), are still getting blocked by the privacy block list. Even worse, this is not consistent (see the above examples): sometimes the logs show them as whitelisted, then a few seconds/minutes later they are blocked again.

This is extremely annoying when working, for example, with Google Analytics, as I got kicked off the website a few times while working with it last week.

The above logs are from Chrome DoH, the Windows CLI client and the up-to-date EdgeRouter NextDNS client.

Any idea how to solve this?

Thanks,

Ben

12 replies

    • Ruby_Balloon
    • 2 yrs ago

    Please post your allowlist setup. Also, do you have multiple configs or just one? Lastly, do you use third-party secondary/tertiary DNS providers (Cloudflare, Google, etc.) for any of these clients?

    • Ben_S
    • 2 yrs ago

    Hi Greg,

    Thanks. We are using multiple configs, but all have the same whitelist and blocklist.

    1. Config for our routers with the ERX NextDNS client.
    2. Chrome DoH deployed via Google Workspace to managed browsers / company devices.
    3. In addition, company laptops have the Windows CLI client installed.

    I already tried disabling "Block Bypass Methods", as I thought this might interfere with the config on the clients vs. the router for staff currently in the office. But it didn't change anything.

    I see this behavior on all configs. See attached our whitelist and blocklist entries for the above-mentioned examples.

    Thanks

      • Ruby_Balloon
      • 2 yrs ago

      Ben S, for Chrome DoH, are you sure it's using the proper config ID? Also, what about any third-party secondary/tertiary DNS providers (Cloudflare, Google, etc.) for any of these clients/devices?

      There seems to be a lot of config/device/access overlap. Do you have the allowlist mirrored on all configs?

      • Ben_S
      • 2 yrs ago

      Greg B. 

      Yup, all mirrored (by hand, as there unfortunately is no other option I know of).

      They use the correct config ID (otherwise I wouldn't see the requests in the log file).

      No other third-party DNS provider or ad blocker installed.

      • Ben_S
      • 2 yrs ago

      So I just did another test with only the ERX client on the router. Freshly installed Windows 10 21H1, no Windows CLI or Chrome DoH involved.

      Trying to open https://analytics.google.com/ as an example.
      *.google.com and even *.analytics.google.com are whitelisted on this config.

      The first try opening the website resulted in a DNS error as it's blocked; see screenshot 1.
      With no change to the configuration, I just went outside for a walk; 15 minutes later it's allowed again. I bet another couple of minutes later it will randomly stop working as it's blocked again. That would be consistent with what I have experienced so far.

      The last example is just something I wanted to try. So I enabled the native tracking block for Windows, with *.microsoft.com on the whitelist. The DNS requests that involve tracking domains are blocked even though the TLD is on the whitelist? Shouldn't the whitelist always take precedence over everything else?

      • Ben_S
      • 2 yrs ago

      As expected. 🙂

      • Ruby_Balloon
      • 2 yrs ago

      Ben S, yes, the allowlist should override security features. Have you done any extended DNS leak tests on at least one impacted device? If there are no leaks, I would probably create a brand new config from scratch with the same allowlist and perform a handful of tests on a single specific device to see if you can reproduce it.
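To make the precedence question from the two posts above concrete, here is an added example (not NextDNS's code and not posted by anyone in the thread). It models suffix-matching allowlist/blocklist entries with the allowlist always checked first, then runs two checks over constructed log records that a practitioner would want when debugging a report like this one: which domains flip between allowed and blocked, and which blocked queries the configured allowlist should have let through. The entry semantics (apex vs. wildcard), the record fields and the sample data are all assumptions; the record shape is a hypothetical stand-in, not the real NextDNS log export.

```python
from collections import defaultdict
from typing import Iterable, List, Optional, Tuple

# Assumed entry semantics (an assumption, not NextDNS's documented behaviour):
#   "example.com"   covers the apex and every subdomain
#   "*.example.com" covers subdomains only, not the apex
def matches(pattern: str, domain: str) -> bool:
    pattern = pattern.strip().lower().rstrip(".")
    domain = domain.strip().lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return domain != base and domain.endswith("." + base)
    return domain == pattern or domain.endswith("." + pattern)


def decide(domain: str, allowlist: Iterable[str], blocklist: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return (status, matched_entry). The allowlist is checked first and wins unconditionally."""
    for entry in allowlist:
        if matches(entry, domain):
            return "allowed", entry
    for entry in blocklist:
        if matches(entry, domain):
            return "blocked", entry
    return "default", None


# Constructed lists mirroring the thread: wildcard allows for google.com and
# microsoft.com, with analytics/tracking hosts on the blocklist.
ALLOWLIST = ["*.google.com", "*.microsoft.com"]
BLOCKLIST = ["analytics.google.com", "google-analytics.com", "vortex.data.microsoft.com"]

# Hypothetical log records: (timestamp, client, domain, logged_status).
# Constructed for this example; NOT the real NextDNS log format.
Record = Tuple[str, str, str, str]
SAMPLE_LOG: List[Record] = [
    ("2021-07-12T09:00:01Z", "erx-router", "analytics.google.com", "blocked"),
    ("2021-07-12T09:15:22Z", "erx-router", "analytics.google.com", "allowed"),
    ("2021-07-12T09:16:03Z", "win-cli-01", "www.google-analytics.com", "blocked"),
    ("2021-07-12T09:17:40Z", "chrome-doh", "analytics.google.com", "blocked"),
    ("2021-07-12T09:18:00Z", "chrome-doh", "www.google.com", "allowed"),
    ("2021-07-12T09:19:30Z", "win-cli-01", "vortex.data.microsoft.com", "blocked"),
]


def find_flapping(records: Iterable[Record]) -> List[str]:
    """Domains logged with more than one status: the 'allowed, then blocked again' symptom."""
    statuses = defaultdict(set)
    for _ts, _client, domain, status in records:
        statuses[domain.lower()].add(status)
    return sorted(d for d, s in statuses.items() if len(s) > 1)


def policy_violations(records: Iterable[Record], allowlist: Iterable[str],
                      blocklist: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Blocked records the allowlist should have let through, with the entry that should have matched."""
    out = []
    for ts, client, domain, status in records:
        expected, entry = decide(domain, allowlist, blocklist)
        if status == "blocked" and expected == "allowed":
            out.append((ts, client, domain, entry))
    return out


if __name__ == "__main__":
    print("flapping domains:", find_flapping(SAMPLE_LOG))
    for ts, client, domain, entry in policy_violations(SAMPLE_LOG, ALLOWLIST, BLOCKLIST):
        print(f"{ts} {client} {domain}: blocked, but allowlist entry {entry!r} should win")
```

Run against an export of your own logs by replacing SAMPLE_LOG with records in the same four-field shape; a non-empty policy_violations result is the evidence to attach when reporting the problem, and find_flapping separates "wrong once" from "wrong intermittently", which points at different causes (a bad entry vs. inconsistent state between resolver instances).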

      • Ben_S
      • 2 yrs ago

      New config, new systems. Same issue. The config was finished before the first deployment.
      I don't know, something is messed up with the whitelisting, and I also don't want to spend more time on it. I guess we're just switching to CF Teams. I'm also frustrated that there is no "official" support for NextDNS anymore besides this forum.

      But thanks for your help Greg. 🙂

      • Ben_S
      • 2 yrs ago

      Clients in various places across North America. New config via Chrome DoH.

      • NextDNs
      • 2 yrs ago

      Ben S, can you please send your configuration ID via private message so we can investigate?

      • NextDNs
      • 2 yrs ago

      Ben S, we might have found the issue; can you please try to reproduce it again?

      • Ben_S
      • 2 yrs ago

      NextDNS, so far from the first tests this morning and going through the log files, it seems to work fine now. I also can't reproduce the error anymore.

      Thanks so much and I will let you know if anything changes.
