*.dedyn.io blocked at quad9?

Quad9 returns NXDOMAIN for all subdomains of dedyn.io, including the update endpoint:

The answer from 8.8.8.8:

dig @8.8.8.8 update.dedyn.io

; <<>> DiG 9.18.18 <<>> @8.8.8.8 update.dedyn.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62545
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;update.dedyn.io.		IN	A

;; ANSWER SECTION:
update.dedyn.io.	3543	IN	A	88.99.64.5

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Fri Sep 08 11:29:33 CEST 2023
;; MSG SIZE  rcvd: 60

And the answer from 9.9.9.9:

dig @9.9.9.9 update.dedyn.io

; <<>> DiG 9.18.18 <<>> @9.9.9.9 update.dedyn.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32657
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;update.dedyn.io.		IN	A

;; Query time: 26 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Fri Sep 08 11:25:51 CEST 2023
;; MSG SIZE  rcvd: 44

The AUTHORITY field is 0, which indicates a block:

Do you get the same results?

1 Like
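The comparison made in the post above, as an added example that is not part of the original thread: it parses the header of dig's text output and separates an NXDOMAIN with an empty AUTHORITY section (the poster's block indicator) from one that carries an SOA record. The function names and the GENUINE sample are constructed for illustration; the other two headers are copied from the dig output above.

```python
import re

# Header lines copied from the two dig outputs in the post above.
GOOGLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62545
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
QUAD9 = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32657
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
# Constructed sample: an unfiltered NXDOMAIN that carries the zone's SOA.
GENUINE = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1"""

def parse_header(dig_text):
    """Extract status, flag set and section counts from dig's text output."""
    status = re.search(r"status: (\w+)", dig_text)
    flags = re.search(r"flags: ([a-z ]*);", dig_text)
    counts = re.findall(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL): (\d+)", dig_text)
    if not (status and flags and counts):
        raise ValueError("no dig header found")
    return {"status": status.group(1), "flags": set(flags.group(1).split()),
            **{name.lower(): int(n) for name, n in counts}}

def classify(dig_text):
    """Label one response: resolved, nodata, genuine or likely filtered NXDOMAIN."""
    h = parse_header(dig_text)
    if h["status"] == "NOERROR":
        return "resolved" if h["answer"] else "nodata"
    if h["status"] != "NXDOMAIN":
        return "error:" + h["status"]
    # Assumption (the post's heuristic): a real NXDOMAIN carries the zone's SOA
    # in AUTHORITY, so an empty AUTHORITY section points at resolver filtering.
    if h["authority"] == 0:
        return "nxdomain-likely-filtered"
    return "nxdomain-genuine"

def filtered_by_resolver(suspect_output, reference_output):
    """True when the suspect resolver denies a name the reference resolves."""
    return (classify(suspect_output) == "nxdomain-likely-filtered"
            and classify(reference_output) == "resolved")

if __name__ == "__main__":
    for name, text in (("8.8.8.8", GOOGLE), ("9.9.9.9", QUAD9)):
        print(name, classify(text), sorted(parse_header(text)["flags"]))
    print("filtered by 9.9.9.9:", filtered_by_resolver(QUAD9, GOOGLE))
```

The parsed flag set also exposes the missing `ra` flag that dig warns about in the 9.9.9.9 response.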

Their web site lists dedyn.io as blocked due to information from “ThreatSTOP”:

dedyn.io

Blocked

Threat Intelligence Providers who have listed this domain

▸ ThreatSTOP 

You shouldn’t use a censoring DNS resolver. It always seems like a good idea at first, but it always turns out badly.

Side note: Is it an honor to have your domain blocked by the inventor of DNS himself, Paul Mockapetris, who is chief scientist at ThreatSTOP? “You either die a hero, or live long enough to see yourself become the villain.”

We have reached out to Quad9 and ThreatSTOP, who have removed dedyn.io from the blocklist and made sure that going forward, dedyn.io will be treated as a public suffix, i.e. individual dedyn.io domains won’t be held responsible for malware available via sibling domains.

That being said, deSEC support works hard to disconnect domains that are used for illegal purposes, according to Sec. 5 of our Terms and Conditions. If you have evidence of abuse of our service, please contact support@desec.io immediately.

Best,
Nils

(edit PT: typo)

3 Likes

Doesn’t ThreatSTOP use the public suffix list?