1

Recently our server logs have been showing lots of requests to URLs like the following:

https://*.example.com/doh/family-filter

and

https://*.example.com/doh?dns=DUIBAAABAAAAA...

(with our domain instead of example.com)

I noticed that some of the paths, e.g. doh/family-filter, match those of CleanBrowsing DNS filters. However, I haven't been able to find any more useful information.

Presumably they are attempting some kind of exploit of DNS-over-HTTPS (DoH).

Can someone explain what these people are hoping to achieve?

djvg

1 Answer

1

We may never know what exactly the requestor was trying to achieve, but some of the reasons could be:

  1. They have found a vulnerability in the CleanBrowsing filters that they want to abuse.

  2. They want to determine which/how many domain names are using the CleanBrowsing filter.

  3. The requests are originating from CleanBrowsing itself to populate their filters, e.g. by automatically analyzing the contents of your domains.

  4. It is a misconfiguration that attempts to access the family filter through your domain name.

Wouter
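An added example, not part of the question or the answer above: in a DoH GET request (RFC 8484) the `dns` parameter is a base64url-encoded DNS wire-format message, so decoding it from the access log shows which names the clients are asking for. The function names and the sample host are assumptions, and the sample value is the `www.example.com` query from RFC 8484, not a value from these logs.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Common record types only; anything else is reported by number.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 65: "HTTPS"}

def decode_doh_param(value):
    """Decode one ?dns= value: an unpadded base64url DNS wire-format message."""
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    if len(raw) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    msg_id, flags, qdcount = struct.unpack("!HHH", raw[:6])
    questions, pos = [], 12
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(raw):
                raise ValueError("truncated question name")
            length = raw[pos]
            pos += 1
            if length == 0:
                break
            if length > 63 or pos + length > len(raw):
                raise ValueError("bad label length (or compression pointer)")
            labels.append(raw[pos:pos + length].decode("ascii", "backslashreplace"))
            pos += length
        if pos + 4 > len(raw):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", raw[pos:pos + 4])
        pos += 4
        questions.append((".".join(labels) or ".", QTYPES.get(qtype, str(qtype))))
    return {"id": msg_id, "is_query": not flags & 0x8000,
            "rd": bool(flags & 0x0100), "questions": questions}

def doh_queries_from_url(url):
    """Decode every dns= parameter found in a logged request URL."""
    params = parse_qs(urlsplit(url).query)
    return [decode_doh_param(v) for v in params.get("dns", [])]

# Constructed log entry: hypothetical host, with the www.example.com A query
# that RFC 8484 uses as its GET example.
SAMPLE_URL = "https://host.example.com/doh?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"

if __name__ == "__main__":
    for query in doh_queries_from_url(SAMPLE_URL):
        print(query)
```

Tallying the decoded names and record types per client address shows whether the traffic looks like ordinary resolver lookups or a scan of one fixed probe name.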