1

Recently our server logs have been showing lots of requests to URLs like the following:

https://*.example.com/doh/family-filter

and

https://*.example.com/doh?dns=DUIBAAABAAAAA...

(with our domain instead of example.com)

I noticed that some of the paths, e.g. doh/family-filter, match those of CleanBrowsing DNS filters. However, I haven't been able to find any more useful information.

Presumably they are attempting some kind of exploit of DNS-over-HTTPS (DoH).

Can someone explain what these people are hoping to achieve?

1 Answer

1

We may never know what exactly the requestor was trying to achieve, but some of the reasons could be:

  1. They have found a vulnerability in the CleanBrowsing filters that they want to abuse.

  2. They want to determine which/how many domain names are using the CleanBrowsing filter.

  3. The requests are originating from CleanBrowsing itself to populate their filters, e.g. by automatically analyzing the contents of your domains.

  4. It is a misconfiguration that attempts to access the family filter through your domain name.
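
For triaging requests like the `/doh?dns=...` ones in the question, the `dns` value can be decoded to see which name each request asked for. This is an added example, not part of the original question or answer; it assumes the parameter follows the RFC 8484 GET encoding (unpadded base64url of a DNS query), and the URLs and the `build_sample` helper are constructed for illustration.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

QTYPES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 65: "HTTPS"}

def build_sample(name, qtype=1):
    """Constructed test input: encode a query the way a DoH client would."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID 0, RD set, one question
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def decode_doh_get(url):
    """Return (id, qname, qtype) for a logged DoH GET URL, or None if not a valid query."""
    values = parse_qs(urlsplit(url).query).get("dns")
    if not values:
        return None
    raw = values[0]
    try:
        # The encoding drops base64 padding; restore it before decoding.
        msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
        ident, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
        if flags & 0x8000 or qdcount != 1:  # a response, or not exactly one question
            return None
        labels, pos = [], 12
        while True:
            length = msg[pos]
            pos += 1
            if length == 0:
                break
            if length > 63:  # compression pointers do not belong in a query name
                return None
            labels.append(msg[pos:pos + length].decode("ascii"))
            pos += length
        qtype, _qclass = struct.unpack_from("!HH", msg, pos)
    except (ValueError, IndexError, struct.error):
        return None
    return ident, ".".join(labels) or ".", QTYPES.get(qtype, str(qtype))

# Constructed sample URLs, shaped like the logged requests (not taken from the page).
SAMPLE_URLS = [
    "https://www.example.com/doh?dns=" + build_sample("example.org"),
    "https://www.example.com/doh?dns=" + build_sample("example.net", 28),
    "https://www.example.com/doh/family-filter",  # no dns= parameter
    "https://www.example.com/doh?dns=AAAA",       # too short to be a DNS message
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(decode_doh_get(url), url)
```

Grouping the decoded names by source address shows whether the requests look like ordinary client lookups sent to the wrong host or something more targeted.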
