-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Something is wrong with NextDNS processing Lightswitch05 - Ads & Tracking blocklist. #361
Comments
We now treat all names (QNAMEs and CNAMEs) equally. That list contains Anyone using that list on Pihole/Adguard home should have the same issue, could you suggest them to exclude |
This comment has been minimized.
This comment has been minimized.
Didn't know. This behavior is then new from yesterday on?
Do you have any ETA? |
See the response lightswitch05/hosts#213 (comment) I really don't know what is best for general use, I will allowlist the Cheers |
The nature of CNAME blocking tends to be aggressive, so this should be optional... e.g:- Since win 10 uses the domain www.msftconnecttest.com to check for connectivity, it reports that “No Internet, secured” ‘coz I’ve blocked msedge.net (the CNAME for www.msftconnecttest.com). |
I like CNAME blocking option, but I do agree that it should be |
The reason we switched to treating all names equally is that many platforms do something called CNAME chasing, where they query each CNAME from the answer independently (so CNAMEs ends up appearing as QNAMEs). As far as we know, unbound, macOS and iOS do that. We wanted to be ISO on all platforms, and deal with the few exceptions on a case by case basis. As both Pihole and adguard home added the CNAME blocking feature recently, blocklists maintainers are/should be adapting. We will releasing a fix today so when a domain is blocked because of one of its CNAMEs, the CNAME is shown like this: Please report any false positives you encounter following this change, it's hard to figure all of them out without the help of our community. |
Cool. Thank you. |
Interestingly when I place |
Personally, I think this is a recipe for disaster. |
Here’s an example of an ad company posing as a legit CDN. In order to access any site that uses such as a CDN, one has to allow g.ezoic.net (CNAME) i.e an adserver/tracker. |
@badmojr this behavior is already happening for all stub resolvers chasing CNAMEs (mDNS responder for iOS and macOS, and unbound, as far as we know). Making it opt-in, aside from not catching CNAMEs that should be caught (like disguised trackers), would not solve this for this large percentage of users, for whom this is already happening and impossible to turn off. Looking at the numerous issues related to The only approach we see viable long-term is to treat all names equally and make the blocking behavior ISO everywhere, and (hopefully) blocklists will adapt gracefully. There are already tons of domains not being blocked because they break things, this just potentially removes just a few more. Our findings tell us that most of the time, different subdomains are being used as CNAMEs and direct visible QNAMEs, in that case it's not an issue. For cases like Long story short, this is not a feature call that we made, it's a long-term choice we are taking to hopefully, by making blocking ISO for everyone, decrease the overall false positives. |
CNAME is a pest which must be dealt accordingly and I guess @romaincointepas is right to stand by his opinion and CNAME must be adopted ASAP... it is the future and future is changing constantly.
I am thinking we should open a new issue to track/report those and close this one? Cheers |
The thing I’ve begun to like about how this was implemented is unlike it’s counterparts, NextDNS’ logs section doesn’t intermix the names (QNAMEs & CNAMEs). The above & the favicons makes it easy to "debug & fix" when breakages happen. |
@romaincointepas As a list maintainer, I remove the above domain from the lists authored by me. Then, I push an update; only to find out (from the NextDNS’ logs) that the above domain additionally has a CNAME. Again, the CNAME gets removed & an update is pushed. The entire process above could be simplied if every entry in the logs that has a CNAME was marked/shown as having so. Otherwise from now, I manually have to dig for a corresponding CNAME every time a false positive gets submitted/discovered. Cheers! |
STR
Lightswitch05 - Ads & Tracking
in the privacy sectiongstatic.com
orfonts.gstatic.com
defined.fonts.gstatic.com
and see in the NextDNS log saying its being blocked byLightswitch05 - Ads & Tracking
blocklist... which simply is not true.What has happened here?
The problem started to happen from at about 4.8.2020 17:00 CET. (<- I hope I calculated the time right... but if not, there around +/- 2 hours).
Cheers
The text was updated successfully, but these errors were encountered: