TLDs are not being blocked anymore when using OpenWrt NextDNS package #669

Closed
quantumpacket opened this issue Mar 23, 2022 · 4 comments
quantumpacket commented Mar 23, 2022

Context

  • CLI Version: 1.37.10-1
  • Platform: OpenWrt 21.02.2

This issue just recently started to happen.

I have all TLDs blocked via the Security - Block Top-Level Domains (TLDs) settings, minus a few common ones. So for example I have:

Screenshot_2022-03-23_11-58-54

However, when I access a .br domain when running on WiFi the site is allowed. When I switch over to LTE and no longer use the router the site is blocked. Example below, the bottom request is when using WiFi, and the top is when using LTE.

Screenshot_2022-03-23_11-56-52

I just don't understand why one request is being allowed and the other is not, as it's the same NextDNS config being used for both those requests. Rebooting the router and/or restarting the NextDNS service has no effect. Other settings are being properly honored no matter if I'm on WiFi or LTE, and show up as being blocked correctly. It just seems to be affecting TLDs.

Even weirder, is if I add the above domain to my denylist it will block correctly in both cases.

@quantumpacket quantumpacket added the 🐞 bug Something isn't working label Mar 23, 2022

crssi commented Mar 23, 2022

Because in that case the TLD is .com.br and not .br... see https://publicsuffix.org/list/effective_tld_names.dat

NextDNS should update TLDs, but to resolve your problem, you could add com.br to your Denylist.

Unfortunately for the completeness ATM, you would need to add all of the following, since NextDNS will not allow to add only br to Denylist:



quantumpacket commented Mar 23, 2022

I thought that may have been the case, but it's not. That example I gave was probably a bad one to give. Also, that does not explain why one request is allowed and the other is denied. See even the tool-tip popup, showing the TLD was the reason for the block.

@quantumpacket

I went through the TLD blocklist, and tried accessing random TLDs and they were randomly being blocked or allowed, when they should have all been blocked. This erratic behavior is indicating to me that it might not be a NextDNS client issue, but something instead on the back-end in regards to the TLD blocking.

The requests are clearly making it to the NextDNS server as the logs show it, but the logs also show TLDs that are blocked as being allowed. See this example, where all 3 should have been blocked as they are all blocked via the TLD blocking feature, but only 1 was. (this was all done through the NextDNS router client)

Screenshot_2022-03-26_12-10-36

I have no way to even temporarily fix this as TLDs are not allowed to be added to the Deny List.

@rs Did I hit a cap on the amount of TLDs I can block?


Update:

Other people are reporting similar issues that all began within the past week. So it appears something changed on the server that broke TLD blocking.
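
A log check for the symptom described in the comments above, as an added example that is not part of the original thread and is not NextDNS code: it flags queries that were allowed although their name falls under a blocked TLD, matching label-wise so that `br` also covers names under `com.br`. The record fields (`name`, `status`, `via`), the blocklist and the sample rows are constructed; map them to whatever your own log export provides.

```python
# Added example: audit DNS log records against a TLD blocklist.
# Field names and all sample data below are constructed for illustration.

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def matching_suffix(name, blocked):
    """Return the longest blocked suffix that covers name, or None.

    Matching is label-wise: "br" covers "shop.example.com.br", while a
    label that merely contains "br" (e.g. "brazil.example.com") does not
    match. Multi-label entries such as "com.br" are supported as well.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None

def audit(records, blocked):
    """Return (name, suffix, via) for records allowed despite a blocked suffix."""
    blocked = {normalize(b).lstrip(".") for b in blocked}
    findings = []
    for rec in records:
        suffix = matching_suffix(rec["name"], blocked)
        if suffix is not None and rec["status"] != "blocked":
            findings.append((rec["name"], suffix, rec["via"]))
    return findings

# Constructed blocklist and log rows (not taken from the issue's screenshots).
BLOCKED_TLDS = {"br", ".zip", "top"}
SAMPLE_LOG = [
    {"name": "shop.example.com.br", "status": "allowed", "via": "router"},
    {"name": "shop.example.com.br.", "status": "blocked", "via": "lte"},
    {"name": "files.example.zip", "status": "blocked", "via": "router"},
    {"name": "cdn.example.top", "status": "allowed", "via": "router"},
    {"name": "brazil.example.com", "status": "allowed", "via": "router"},
]

if __name__ == "__main__":
    for name, suffix, via in audit(SAMPLE_LOG, BLOCKED_TLDS):
        print(f"allowed despite blocked suffix '{suffix}': {name} (via {via})")
```

Grouping the findings by `via` shows whether the misses are tied to one resolver path, as the WiFi and LTE comparison in the report suggests, or occur on all of them.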


rs commented Mar 27, 2022

We found the issue and fixed it.

@rs rs closed this as completed Mar 27, 2022