Access to update.ixsystems.com blocked by ThreatSTOP and Quad9

Confirmed. Seeing this behavior on a Quad9 setup here (OPNSense, DNS over TLS).

If anyone’s curious (because Google’s AI will lie and the top results are outdated), you can find the Quad9 domain tester here: Blocked Domain Tester | Quad9

image1778×1146 247 KB

@Dominick_Storj It’s a different Threat Intelligence Provider this time.

I used the Support form on their website and sent in a report about what’s going on. I’ve got a support ticket now.

This started working again, and now failing again.
Checking the Blocked Domain Tester @ quad9 shows link.storjshare.io is blocked again.

Failing for me today, I use a mix of Cloudflare and quad9 for my pfsense DNS.

 Error: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/aiohttp/connector.py", line 1317, in _create_direct_connection
    hosts = await self._resolve_host(host, port, traces=traces)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/aiohttp/connector.py", line 971, in _resolve_host
    return await asyncio.shield(resolved_host_task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/aiohttp/connector.py", line 1002, in _resolve_host_with_throttle
    addrs = await self._resolver.resolve(host, port, family=self._family)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/aiohttp/resolver.py", line 38, in resolve
    infos = await self._loop.getaddrinfo(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/asyncio/base_events.py", line 868, in getaddrinfo
    return await self.run_in_executor(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/socket.py", line 962, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
socket.gaierror: [Errno -2] Name or service not known

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/api/base/server/ws_handler/rpc.py", line 323, in process_method_call
    result = await method.call(app, params)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/api/base/server/method.py", line 52, in call
    result = await self.middleware.call_with_audit(self.name, self.serviceobj, methodobj, params, app)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 911, in call_with_audit
    result = await self._call(method, serviceobj, methodobj, params, app=app,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 731, in _call
    return await self.run_in_executor(prepared_call.executor, methodobj, *prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 624, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 178, in nf
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/update.py", line 105, in get_trains
    trains_data = self.middleware.call_sync('update.get_trains_data')
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1030, in call_sync
    return self.run_coroutine(methodobj(*prepared_call.args))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1070, in run_coroutine
    return fut.result()
           ^^^^^^^^^^^^
  File "/usr/lib/python3.11/concurrent/futures/_base.py", line 449, in result
    return self.__get_result()
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/concurrent/futures/_base.py", line 401, in __get_result
    raise self._exception
  File "/usr/lib/python3/dist-packages/middlewared/plugins/update_/trains.py", line 63, in get_trains_data
    **(await self.fetch(f"{self.update_srv}/trains.json"))
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/update_/trains.py", line 25, in fetch
    async with client.get(url) as resp:
  File "/usr/lib/python3/dist-packages/aiohttp/client.py", line 1359, in __aenter__
    self._resp: _RetType = await self._coro
                           ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/aiohttp/client.py", line 663, in _request
    conn = await self._connector.connect(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/aiohttp/connector.py", line 563, in connect
    proto = await self._create_connection(req, traces, timeout)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/aiohttp/connector.py", line 1032, in _create_connection
    _, proto = await self._create_direct_connection(req, traces, timeout)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/aiohttp/connector.py", line 1323, in _create_direct_connection
    raise ClientConnectorDNSError(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorDNSError: Cannot connect to host update.ixsystems.com:443 ssl:default [Name or service not known]

I got a reply from Quad9 today.

TLDR:
Storj .io does not have an “report abuse” link on their website which is a requirement by Quad9 to mark them as permanently excluded from upstream thread feeds.

Nonetheless it seems that Quad9 now marked them as “safe” despite not having the “report abuse” link on their website.

So it should work now and for the future.

Detailed answer was posted here:

Got the same response to a ticket I opened.

Earlier this year, we informed Storj.io that all that was needed for Quad9 to set a permanent exclusion for this FQDN was to add a “Report Abuse” link to the footer of their website, which is a common practice for CDNs, and would only serve to help Storj.io by encouraging netizens to report any malicious files to them directly, as opposed to reporting them to threat lists.

Quad9 initially tried getting this removed as a false positive with one of our threat intelligence partners, but this kept filtering down from various upstream threat feeds 0, and it became a game of whack-a-mole. We had no idea this was going to be a multi-week episode.

We’ve added a permanent exclusion for link.storjshare.io, despite Storj.io not complying with our requirement.

We apologize for any inconvenience caused.

I’m glad this is resolved now, but the whole thing feels unseemly.

@HoneyBadger Is it possible for TrueNAS (the entity) to inquire with Storj.io why they chose not to comply with Quad9’s request? This whole (ongoing) episode feels more than a bit un-transparent on Storj’s part, especially for a paid service integrated into TrueNAS.