Getting occasional URL blacklist notifications from unknown site

When using Brave Browser, I am occasionally getting a notice of a blocked URL.

The URL is https:// exnihilio. dnshome. de/ ar-io / healthcheck
(With spaces added to break the link)

Does anyone know anything about this site or why it is blacklisted? I tried running it through an online website checker https:// sitecheck. sucuri. net/ and it finds no problems.

Anyone heard about this one before?

Hello @RudyK
Did you submit an F/P report?

Submit a file or URL to Norton for review
https://support.norton.com/sp/en/ie/home/current/solutions/kb20090410134005EN

==================================

The URL https://exnihilio.dnshome.de/ar-io/healthcheck is an API endpoint used to check the operational status and health of the “Exnihilio” Arweave gateway. This endpoint typically provides metrics such as operational status, connectivity, performance, and configuration details to verify the gateway’s functionality and reliability. For more details, visit AR.IO Documentation https://docs.ar.io/apis/ar-io-node/gateway.

=====================================

The URL https://exnihilio.dnshome.de/ar-io/healthcheck is associated with a specific, community-run Arweave gateway, and Brave Browser likely flags it due to its domain name rather than any inherent malicious activity.

Here is some context regarding the notice you are seeing:
Why Brave Might Block It
Brave Browser employs robust privacy and security features, including blocklists managed by their team and integrated third-party lists (like EasyList or Peter Lowe’s list). The block is likely happening for one of two reasons:

  1. Dynamic DNS Domain Usage: The domain dnshome.de is a free dynamic DNS service. These services are sometimes broadly blocklisted by privacy tools because they are frequently abused by malware operators, scammers, or for tracking purposes. Brave’s protection sees the domain pattern and blocks access as a precautionary measure across the board, even if the specific subdomain exnihilio is harmless.
  2. Telemetry/Health Check Function: The endpoint /ar-io/healthcheck is designed to report the health of the gateway to monitoring services or the AR.IO network operators. These types of automated “phone-home” or health check requests can sometimes resemble tracking activity to strict privacy filters, triggering a block.

The Site’s Purpose
This specific URL is a legitimate API endpoint for checking the operational status of an Arweave gateway (a node in a decentralized storage network). It is not designed for general browsing.

The Sucuri site checker found no problems because the site itself is likely not compromised with traditional malware, but rather the domain provider falls into a category that privacy browsers choose to block entirely to be safe.

What You Can Do
If you trust the link and need to access the content (or if it’s interfering with an application you use), you can usually disable the block for that specific site or the entire domain within the Brave settings:

  • Click the Brave Shields icon in the address bar and adjust the settings (e.g., changing ‘Trackers & ads blocking’ from ‘Aggressive’ to ‘Standard’, or specifically allowing the domain).

=========================================

https://exnihilio.dnshome.de/ar-io/healthcheck


bb186509ed94


83ac16d8608c/2026-01-28T22:00:23.690Z

=============================


Dispute submitted!

============================

Sucuri

===========================

VirusTotal

=========================

fwiw ~ as test: Norton 360 Safe Web disabled

=========================


The URL https://exnihilio.dnshome.de/ serves as an Arweave gateway operated by “Exnihilio”. An Arweave gateway provides a connection point for interacting with the decentralized Arweave permaweb. The use of dnshome.de https://www.dnshome.de/, a free dynamic DNS service, indicates that the gateway is likely hosted from a location with a dynamic IP address. For more information, visit Exnihilio https://exnihilio.arweave.net/.

An Arweave gateway serves as a bridge between user applications and the underlying Arweave network (the permaweb). It provides a user-friendly interface for storing and retrieving permanent data, performing essential functions like data retrieval, caching, indexing, and serving content at scale, which the core Arweave nodes (miners) are not optimized for.

Key Functions

  • Data Retrieval and Serving: Gateways retrieve data from Arweave mining nodes and serve it to end-users and applications efficiently, often through standard HTTP requests.
  • Caching: To ensure fast access and a smooth user experience similar to the traditional web, gateways cache frequently accessed data, reducing the load on the main network.
  • Indexing and Querying: They index transaction data into searchable databases, allowing developers and users to easily discover and query information using tools like GraphQL, rather than needing a specific transaction ID.
  • Transaction Processing: Gateways facilitate the process of uploading data by proxying transactions to miners and handling Layer 2 data items (bundles) efficiently.
  • Human-Readable Names: They often integrate with services like the Arweave Name System (ArNS) to resolve human-readable domain names to complex Arweave transaction IDs, making content easier to find and share.
  • Decentralization and Resilience: While early gateways like arweave.net were centrally operated, modern approaches like the AR.IO network focus on a decentralized network of independently run gateways. This enhances network resilience by eliminating single points of failure and censorship resistance.

In essence, Arweave gateways abstract the complexities of the underlying blockchain, making the permanent web (permaweb) accessible and usable for everyday applications and users.

Running an Arweave gateway requires a combination of specific hardware, software, and general technical knowledge. The exact requirements can vary depending on whether you’re running a personal gateway (e.g., on a Raspberry Pi) or a production-level service in the cloud.

========================================


Note: AI sourced content may include mistakes

The short answer is no, I did not file a false positive report because I was not sure of the purpose of the attempted access of that website. I have only just started examining the issue by posting here and by disabling extensions one at a time. I have not noticed any negative effects of Norton blocking my access to that page, either.

To clarify, it was not Brave blocking access to that website, it was Norton’s URL blacklist.

Okay…I submitted F/P reports.

==================================

When Norton detects a URL as URL:Blacklist, it indicates that the specific web address (https://exnihilio.dnshome.de/ar-io/healthcheck) has been explicitly identified and added to a database of known dangerous or malicious websites.

What Does “URL:Blacklist” Mean?
This is a high-confidence detection. The website has likely been flagged by Norton for one or more of the following reasons:

  • Known Malware Host: The site has been confirmed to distribute viruses, ransomware, or other types of malicious software.
  • Phishing Site: It might be impersonating a legitimate service to steal credentials or financial information.
  • Spam Origin: The domain may be associated with distributing high volumes of spam or unwanted communication.
  • Poor Reputation: The overall activity associated with the domain is deemed harmful to users based on community reports and automated analysis.

Recommended Actions
Since the site is blacklisted, you should treat it as a significant security threat.

  1. Block the Connection: Norton is actively protecting you by blocking access. Do not attempt to add an exception or force a connection unless you are the site owner and have verified the issue is resolved.
  2. Verify System Safety: Run a complete Norton security scan immediately to ensure that no existing infections on your device are attempting to connect to this blacklisted URL.
  3. Review Network Activity: If this URL appeared without you actively trying to visit it (e.g., in a log file or as background activity), it might indicate compromised software or a potentially unwanted application (PUA) running on your system trying to communicate with a command-and-control server.

If You Believe It Is a Mistake (False Positive)
If you are certain this URL is for a legitimate and safe service (e.g., an internal application health check you manage), it might have been mistakenly added to the blacklist.

  • You must report this detection as a false positive to Norton for review.
  • Use the official submission form to have the URL re-evaluated.
  • If Norton verifies the site is safe, they will remove it from the blacklist in a subsequent update.

=======================================

fwiw ~ at this time:

==============================

The URL https://exnihilio.dnshome.de/ar-io/healthcheck is an API endpoint used to check the operational status and health of the “Exnihilio” Arweave gateway. This endpoint typically provides metrics such as operational status, connectivity, performance, and configuration details to verify the gateway’s functionality and reliability. For more details, visit AR.IO Documentation https://docs.ar.io/apis/ar-io-node/gateway.

Norton’s classification of https://exnihilio.dnshome.de/ar-io/healthcheck as URL:Blacklist means their security systems have identified the URL or the underlying domain as a known security risk, regardless of its intended purpose as an API health check endpoint.

While the description clarifies the endpoint’s function (checking operational status, connectivity, and performance metrics for the “Exnihilio” Arweave gateway), the security alert indicates a mismatch between the intended use and Norton’s security assessment.

Why a Legitimate API Might Be Blacklisted
Even with legitimate functionality documented in the AR.IO Documentation, a domain can end up on a blacklist for several reasons:

  • Shared Infrastructure Risk: The dnshome.de domain is a dynamic DNS provider, which is sometimes abused by malicious actors to frequently change IP addresses associated with command-and-control servers or malware distribution points. The entire provider’s subdomain might have a poor reputation score due to the actions of other users.
  • False Positive on Content: Automated scanners might misinterpret the metrics or data returned by the healthcheck API endpoint as suspicious data traffic.
  • Previous Compromise: The server hosting the gateway might have previously been compromised with malware, leading to a lingering blacklist entry even after the threat was remediated.

Next Steps to Resolve the Blacklist Status
If the endpoint is safe and essential for monitoring, you (or the administrator of the Exnihilio gateway) need to formally request a review from Norton to clear the domain’s reputation:

  1. Submit a False Positive Report: The only way to remove a site from the global blacklist is to submit a request to Norton’s threat analysis team. Use the official Norton False Positive Submission portal.
  2. Provide Context: In the submission, explain the function of the endpoint, referencing the AR.IO Documentation you provided.
  3. Wait for Review: Norton security analysts will manually review the URL and its behavior. If they determine it is safe, they will remove the URL:Blacklist classification in their next database update, which usually takes 24-48 hours.

Until the review is complete and the status is cleared, Norton products will continue to block access to this URL as a security precaution.

Caveat: I’m not familiar with “Exnihilio” Arweave gateway.

Note: AI sourced content may include mistakes

fwiw ~ no change at this time:

I was hesitant to file a false positive report because I wasn’t sure about the source of the access attempts.
As of right now, I have traced the problem to an Arweave wallet app called Wander. I disabled that extension for about 36 hours and have not seen an access attempt since.

I am going to contact the Wander team and see if I can get a confirmation about the legitimacy of the URL.


Thanks for sharing your progress.

Thank you as well for helping to dig into this! I’ve sent an email to Wander and will report back when I hear from them.


fwiw ~ no change at this time:

No response from the Wander team either, at least not yet.

Security tools like Norton often flag that URL because it behaves like an automated “healthcheck” endpoint coming from a dynamic‑DNS host, which matches patterns commonly used by malware callbacks—even if the site itself is clean.
Norton’s block appears to be a reputation-based or heuristic detection rather than evidence of an actual infection.

Dynamic DNS domains often trigger heuristic blocks

  • The domain uses dnshome.de, a dynamic‑DNS service.
  • Malware frequently uses dynamic‑DNS hosts for command‑and‑control callbacks.
  • Security products sometimes block these domains by reputation alone, even when the specific host is harmless.

The path /ar-io/healthcheck looks like a beacon or heartbeat

  • “Healthcheck” endpoints are commonly used by:
    • Monitoring tools
    • IoT devices
    • Malware checking in with a server
  • Norton may treat this as a suspicious “callback” pattern.

No known malware or issues found by independent scanners

  • A user who investigated the same URL reported that Sucuri found no problems.
  • ScamAdviser rates the domain as likely legit with a high trust score (91/100).

Norton is known for false positives on unusual URLs

  • Norton sometimes flags:
    • Autodiscover files
    • Uncommon endpoints
    • Low‑traffic domains
  • Even when the site is clean, Norton may block it due to low reputation or unusual behavior patterns.

What This Means for You
Most likely: a false positive
There is no evidence that the URL is malicious. The block is probably due to:

  • Low traffic / low reputation
  • Dynamic DNS hosting
  • A path resembling a “heartbeat” or “callback”

But you should still check why your system is contacting it
If your browser or device is hitting that URL without you knowing:

  • It could be a legitimate app or extension performing a check.
  • Or it could be an unwanted background process.

What You Can Do
Run a full malware scan (just to be safe)
Even though the URL appears clean, unexpected outbound requests should be checked.

Check your browser extensions
Disable anything you don’t recognize.

Look for software on your system that might use that endpoint
It could be:

  • A self‑hosted service
  • A developer tool
  • A monitoring script
  • A leftover configuration

If you control the server
You can whitelist it in Norton, but only if you’re certain it’s safe.

Note: AI sourced content may include mistakes
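
Added example, not part of any post in this thread and not Norton's detection logic: the Python code below applies the traits discussed above (dynamic-DNS host, heartbeat-style path, fixed-interval requests) to a connection log and reports which program is making the requests, which is the triage step the thread ends up doing by disabling extensions. The log format, the source names, the suffix and keyword lists and the jitter threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Assumed lists for illustration; dnshome.de is the only provider named in the thread.
DYNDNS_SUFFIXES = ("dnshome.de",)
HEARTBEAT_WORDS = ("healthcheck", "heartbeat", "ping")
# Constructed sample log (timestamp, requesting program, URL); not real telemetry.
SAMPLE_LOG = """\
2026-01-28T21:00:00Z wallet-extension https://exnihilio.dnshome.de/ar-io/healthcheck
2026-01-28T21:05:01Z wallet-extension https://exnihilio.dnshome.de/ar-io/healthcheck
2026-01-28T21:07:42Z browser-tab https://docs.ar.io/apis/ar-io-node/gateway
2026-01-28T21:10:00Z wallet-extension https://exnihilio.dnshome.de/ar-io/healthcheck
2026-01-28T21:15:02Z wallet-extension https://exnihilio.dnshome.de/ar-io/healthcheck
2026-01-28T21:31:17Z browser-tab https://exnihilio.arweave.net/
"""

def url_traits(url):
    """Return (host, on a dynamic-DNS suffix?, heartbeat-style path?)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    dyn = any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)
    beat = any(w in parts.path.lower() for w in HEARTBEAT_WORDS)
    return host, dyn, beat

def triage(log_text, max_jitter=0.1):
    """Group requests by (program, URL) and report those showing any trait."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, url = line.split(maxsplit=2)
        times[(source, url)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    findings = []
    for (source, url), seen in times.items():
        host, dyn, beat = url_traits(url)
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        # Periodic: at least three requests whose spacing varies by under max_jitter.
        periodic = len(gaps) >= 2 and pstdev(gaps) <= max_jitter * mean(gaps)
        if dyn or beat or periodic:
            findings.append({"source": source, "host": host, "dynamic_dns": dyn,
                             "heartbeat_path": beat, "periodic": periodic,
                             "requests": len(seen)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A match on these traits says only that the traffic resembles a callback pattern; identifying the program in the `source` field is what lets you decide whether the requests are expected.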