Both Storeman and Openrepos.net blocked by Cloudflare DNS Malware protection

I have found a funny thing. When I set up the Cloudflare DNS malware protection on the firewall, using an IP address such as 1.1.1.2 or 1.1.1.3, the Storeman app and also the website openrepos.net suddenly stopped working on all 4 of my SailfishOS phones at home.

Maybe the reason is that the hosting provider, Hetzner Online GmbH, has a bad reputation.

When I changed the DNS malware protection to DNS4EU, which basically offers the same level of protection on IP addresses like 86.54.11.11 or 86.54.11.211, Storeman works normally.

1 Like

Hetzner hosts half of Germany. At least most businesses have some external fallback stuff there.

I don’t think that’s the reason.

2 Likes

I was also surprised and spent a few hours finding out what is going on and why it stopped working. Now you can look here and here.

I have tried to search for it and found that “Hetzner is a popular, cost-effective host, it is heavily used by malicious actors for botnets, DDoS attacks, and spamming. Cloudflare’s WAF often flags the entire ASN or subnets as high-risk, resulting in Error 1020 (Access Denied) or automatic CAPTCHA challenges.”

“DNS4EU typically blocks a domain if it is verified to be hosting malicious content (e.g., threat intelligence reports). It does not care that a site is hosted on Hetzner; it cares if the website is malicious.”

1 Like

Are they also blocking OVH and others or just targeting Hetzner for some reason?

1 Like

What sort of firewall is this?
It’s not unusual that such features do not work as advertised.
In any case, you don’t have to use CF’s DNS.

Not only Germany.

I have the same problem with MullvadVPN. When I use my VPN, most of the time I cannot reach Storeman/openrepos.

Must be an issue with Mullvad or your net provider. My VPN (OVPN) has no problem with Storeman/openrepos.

Where are they getting their blocklists from?

1 Like

I don’t know. In the Mullvad settings, I even tried turning all the DNS-filtering stuff off and it still didn’t work, unfortunately.

Could be either Mullvad being stupid about it or some behind-the-scenes firewall thinking you’re a malicious actor. Hard to say without more info.

All I know is that OP’s suspicion of Hetzner having bad reputation is wrong.

2 Likes

I actually believe it’s this, because even after disabling every filter in Mullvad it still didn’t work

@NIS Try using the Linux command “nslookup [webserver]”. It is a good tool for checking if your firewall or ISP is preventing a domain from resolving to an IP address.

Many modern VPNs (like NordVPN or Windscribe) include built-in ad-blockers, malware filters, or “Threat Protection” that can inadvertently block legitimate sites.

@ohnonot I wrote this post because Cloudflare is one of the biggest, and they are blocking Openrepos and many other legitimate sites once you choose their protective DNS servers, like the 1.1.1.2 or 1.1.1.3 I have mentioned.

Of course, if you choose their non-protective DNS 1.1.1.1 or 1.0.0.1, there is no filter, no protection at all, and everything works. The advantage of DNS servers like 1.1.1.3 is that they also block adult content, which is really good for protecting children in the house. There are definitely also other protective services like DNS4EU, Quad9, AdGuard etc.
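
Added example (not part of any post in this thread): a shell wrapper around the `nslookup` check suggested above that tells a filtered answer apart from a real one. It assumes BIND-style `nslookup` output and that a filtering resolver signals a block by answering 0.0.0.0 / ::, which is how Cloudflare's 1.1.1.2 and 1.1.1.3 respond; other services may use NXDOMAIN or a block-page address instead. The function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify what a resolver answered for a name.
# Assumes BIND-style nslookup output; all function names are hypothetical.

# Reads nslookup output on stdin and prints one verdict:
#   resolved  - at least one real address came back
#   sinkholed - only 0.0.0.0 / :: came back (block answer of a filtering resolver)
#   nxdomain  - resolver claims the name does not exist
#   no-answer - timeout, SERVFAIL, REFUSED or an empty reply
classify_answer() {
    awk '
        /NXDOMAIN/ { nx = 1 }
        # Answer lines only: the resolver own "Address:" line carries "#53".
        /^Address/ && !/#/ {
            if ($NF == "0.0.0.0" || $NF == "::") sink++
            else real++
        }
        END {
            if (real)      print "resolved"
            else if (sink) print "sinkholed"
            else if (nx)   print "nxdomain"
            else           print "no-answer"
        }'
}

# Live check (needs network): compare_resolvers openrepos.net 1.1.1.1 1.1.1.3 86.54.11.11
compare_resolvers() {
    domain=$1; shift
    for resolver in "$@"; do
        verdict=$(nslookup "$domain" "$resolver" 2>&1 | classify_answer)
        printf '%-14s %s\n' "$resolver" "$verdict"
    done
}

# Constructed sample outputs (site.example and 192.0.2.10 are placeholders).
sample_filtered() {
    printf '%s\n' 'Server:   1.1.1.3' 'Address:  1.1.1.3#53' '' \
        'Non-authoritative answer:' 'Name: site.example' 'Address: 0.0.0.0' \
        'Name: site.example' 'Address: ::'
}
sample_unfiltered() {
    printf '%s\n' 'Server:   1.1.1.1' 'Address:  1.1.1.1#53' '' \
        'Non-authoritative answer:' 'Name: site.example' 'Address: 192.0.2.10'
}

# Offline demo on the constructed samples.
printf 'filtered sample:   %s\n' "$(sample_filtered | classify_answer)"
printf 'unfiltered sample: %s\n' "$(sample_unfiltered | classify_answer)"
```

If 1.1.1.1 reports `resolved` while 1.1.1.3 reports `sinkholed`, the block comes from the resolver's list; if every resolver resolves the name and the site is still unreachable, the problem lies further along the path than DNS.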

@neo751 Isn’t it possible to use the unsecured IPs for just openrepos? Can’t you, at least at home, route those specific requests differently?
I am not an expert, but this should be possible, I guess?

Ah, there it is. My guess is that their blocklists simply suck and they can’t be arsed to look into it for something European.

there are also other protective services like DNS4EU, Quad9, AdGuard etc.

At least one of them uses properly curated blocklists, as you noticed. Probably others, too.

1 Like