The service was blocking our grapheneos.network connectivity check server for a period of time yesterday/today. It was unblocked after users reported it. It's very strange and I think it reflects quite badly on their processes for blocking supposed malware domains.
Conversation
I'd really like to know why a domain using DNSSEC and running an HTTP / HTTPS server serving empty 204 responses for /generate_204 was blocked.
It doesn't serve anything else beyond redirects to grapheneos.org/faq#default-co for /, a static MTA-STS configuration and 404 responses...
Replying to
The grapheneos.online domain wasn't blocked but we hadn't yet started using it for one of the fallback URLs.
If you run into a similar issue with content filtering, you can use the toggle we added to use the standard Google servers for connectivity / captive portal checks.
1
2
Enumerating badness is not just an unworkable approach but inflicts serious collateral damage. Have had multiple users fall behind on updates, etc. from these kinds of issues. Drains development time too.
Safe Browsing and assorted content filtering lists have the same issues.
2