I am using an Eero Pro 6 device for my home wifi connection.
The "Eero Secure" product offers to let you block certain domains. I have entered "reddit.com" in the block list, and it seems to work:
$ nslookup reddit.com
Server: 192.168.4.1
Address: 192.168.4.1#53
Non-authoritative answer:
Name: reddit.com
Address: 192.168.4.1
192.168.4.1 is my router's IP address, and ends up redirecting to https://blocked.eero.com. All is good here, and this is what I want.
The trouble is that Safari (on my Mac, iPad, and iPhone) seems to find a way around this, and is able to load reddit.com without issue. No amount of dscacheutil -flushcache, Develop -> Empty Caches, rebooting, resetting Safari, etc. – nothing seems to work.
Does anyone have any ideas? Here is my scutil -dns:
DNS configuration
resolver #1
nameserver[0] : 192.168.4.1
if_index : 9 (en0)
flags : Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
nameserver[0] : 192.168.4.1
if_index : 9 (en0)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
edit: forgot to point out that I am using macOS Big Sur, and iOS/iPadOS 14.
Best Answer
Safari is not doing anything untoward here. My DNS based block for reddit.com worked fine - but not www.reddit.com, old.reddit.com (even though the Eero block includes subdomains), and so on. From the command line:
Because of that, I expected Safari to resolve www.reddit.com to 192.168.4.1. However, www.reddit.com (and others like old.reddit.com) are actually CNAMEs:
So, it looks like Safari looks up www.reddit.com, sees that it is a CNAME for reddit.map.fastly.net, and then resolves reddit.map.fastly.net and is able to load the page - while displaying www.reddit.com in the URL bar.
I am not saying Safari is doing anything wrong here - this seems like totally reasonable behavior - it was just unexpected to me.
I have now added a DNS block for reddit.map.fastly.net, and everything works as expected.
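Added example (not from the question or the answer above): a small Python model of the behaviour the answer describes. The zone table and the address 203.0.113.10 are constructed stand-ins for the real records. A filtered lookup sinkholes A answers for names on the blocklist but passes CNAME answers through unchanged, so a client that follows the chain hop by hop reaches the CNAME target on its own; unblocked_hops reports which names a blocklist must also cover for the block to hold.

```python
# Constructed zone data standing in for the upstream resolver's answers.
ZONE = {
    "reddit.com.": ("A", "203.0.113.10"),
    "www.reddit.com.": ("CNAME", "reddit.map.fastly.net."),
    "old.reddit.com.": ("CNAME", "reddit.map.fastly.net."),
    "reddit.map.fastly.net.": ("A", "203.0.113.10"),
}
SINKHOLE = "192.168.4.1"  # the router address the block redirects to


def is_blocked(name, blocklist):
    """Suffix match: a blocklist entry covers the name and its subdomains."""
    name = name.rstrip(".").lower()
    return any(name == b or name.endswith("." + b) for b in blocklist)


def lookup(name, blocklist):
    """One filtered query, modelled as the answer describes it: an A answer
    for a blocked name is rewritten to the sinkhole; a CNAME passes through."""
    rtype, rdata = ZONE.get(name, (None, None))
    if rtype == "A" and is_blocked(name, blocklist):
        return "A", SINKHOLE
    return rtype, rdata


def resolve(name, blocklist, max_hops=8):
    """Client-side resolution: follow CNAMEs, issuing a fresh query per hop.
    Returns (chain_of_names, final_address); address is None on NXDOMAIN."""
    chain = [name]
    for _ in range(max_hops):
        rtype, rdata = lookup(name, blocklist)
        if rtype == "A":
            return chain, rdata
        if rtype != "CNAME":
            return chain, None
        name = rdata
        chain.append(name)
    raise RuntimeError("CNAME chain too long (possible loop)")


def unblocked_hops(name, blocklist):
    """Names the chain passes through that the blocklist does not cover,
    i.e. the entries to add so the block applies to the whole chain."""
    chain, _ = resolve(name, blocklist)
    return [n for n in chain if not is_blocked(n, blocklist)]
```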