Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it

    Scheduled Pinned Locked Moved General pfSense Questions
    41 Posts 9 Posters 14.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • LannaL
      Lanna @johnpoz
      last edited by Lanna

      @johnpoz Thanks for that list, I'll study that. In fact I'll evaluate the efficacy of that list in place of the blanket block I currently test.

      https://www.youtube.com/watch?v=Fc87pw1aYPg

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        I also have put in some host overrides to resolve most of these fqdn to local IP that I block, and log - so I can see what IP might be trying to hit it

        local-zone: "use-application-dns.net"  always_nxdomain
        local-zone: "local."  always_nxdomain
        local-data: "dns.adguard.com. 120 IN A 172.19.19.19"
        local-data: "dns-family.adguard.com. 120 IN A 172.19.19.19"
        local-data: "dns.google. 120 IN A 172.19.19.19"
        local-data: "cloudflare-dns.com. 120 IN A 172.19.19.19"
        local-data: "dns.quad9.net. 120 IN A 172.19.19.19"
        local-data: "dns9.quad9.net. 120 IN A 172.19.19.19"
        local-data: "dns10.quad9.net. 120 IN A 172.19.19.19"
        

        It is much longer than that - but really need to work out a more elegant way than just entries in unbound.. Just haven't gotten around to it yet.. And nothing has hit any of my rules.. I always make sure sure its turned off any browser I use..

        see my edit above for a github list that lists many of the fqdn used..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        A 2 Replies Last reply Reply Quote 0
        • LannaL
          Lanna
          last edited by

          I tested the list at https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall_ipv4
          Unfortunately, Chrome immediately started sending queries to 162.158.161.161 in Singapore and bypassing my countermeasures.

          https://www.youtube.com/watch?v=Fc87pw1aYPg

          1 Reply Last reply Reply Quote 0
          • LannaL
            Lanna
            last edited by Lanna

            I realise Cloudflare cannot be using their entire IP space to serve up DNS, but they're clearly using a lot of IPs embedded in many, many subnets, either as a part of their design, or deliberately to obfuscate the target server for network admins.

            https://www.youtube.com/watch?v=Fc87pw1aYPg

            1 Reply Last reply Reply Quote 0
            • U
              Uglybrian
              last edited by

              Hi-
              How do you feel about using this list in PF Blocker https://heuristicsecurity.com/dohservers.txt.

              I know not everyone uses PF blocker, but how does a list of the DNS ip work for blocking when the query is sent out FQDN?

              1 Reply Last reply Reply Quote 0
              • LannaL
                Lanna
                last edited by Lanna

                I'm now playing with a host override in my DNS resolver, pointing cloudflare-dns.com at local IPs to monitor, as you suggest above. However, I am seeing completely different IPs being queried from Chrome, also with DNS leak test websites. If I do a DNS lookup from the gateway itself, on those Cloudflare FQDNs, the IPs returned are in the blocklist. IPs queried from Chrome are not in the blocklist. Chrome must be using a different, unknown FQDN

                https://www.youtube.com/watch?v=Fc87pw1aYPg

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  What exactly are you settings in chrome? So you have it on purpose set to try and use doh, and your trying to block it?

                  You have it set like this

                  setlikethis.png

                  If so, I can do that and look to see what its doing.. Logging all traffic coming from the machine.. with a sniff.

                  And see if dns works.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  LannaL 1 Reply Last reply Reply Quote 0
                  • LannaL
                    Lanna @johnpoz
                    last edited by Lanna

                    @johnpoz Yes, Chrome DoH set to use system DNS, host machine set to use 1.0.0.1 and 1.1.1.1

                    This particular machine in Bangkok keeps using IP 162.158.161.161 when using DNS leak test website

                    https://www.youtube.com/watch?v=Fc87pw1aYPg

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz

                      Show me the setting you have set, like I have above - you have the other setting set..

                      And how your seeing that IP is from a leaktest.. I think your not understanding how those tests work.. Then.. Just because you see an IP there doesn't mean your client talked to that IP..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      LannaL 2 Replies Last reply Reply Quote 0
                      • LannaL
                        Lanna @johnpoz
                        last edited by

                        @johnpoz I have experimented with all the setting variants i.e. like in your screenshot above, and the other "current provider" setting. It appears to have the same result. If I choose Google, or CleanBrowsing, my countermeasures work. However, with Cloudflare, it is extremely difficult to block as far as I can see, without blocking all of their IPs.

                        https://www.youtube.com/watch?v=Fc87pw1aYPg

                        1 Reply Last reply Reply Quote 0
                        • LannaL
                          Lanna @johnpoz
                          last edited by Lanna

                          @johnpoz said in Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it:

                          I think your not understanding how those tests work.. Then.. Just because you see an IP there doesn't mean your client talked to that IP..

                          Perhaps so. I am merely using that leak test site as an easy reference to see if that endpoint is using the DNS provider I specify in the gateway, or Cloudflare. It's ALWAYS Cloudflare without the blanket ban on Cloudflare IPs in place. You are correct in that I'm not understanding why this is so. I am trying to understand so I can remedy it.

                          https://www.youtube.com/watch?v=Fc87pw1aYPg

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz

                            chrome is using this

                            chrome.cloudflare-dns.com

                            With the setting I had above..

                            added that to my block list, and no more chrome working for anything with that setting.

                            dontwork.png

                            If you want to know what its doing, and what IPs it talking to - vs those stupid leak tests.. Just sniff.. See right away where its going

                            clienthello.png

                            Those leak tests don't show you what IP the client talked to, they show you what IP ended up resolving the test fqdn they used... So it could be some IP upstream of where you asked that actually resolved it... Those tests are pointless scare tactics to get users to be scared -- OMG its "leak" without clue one to what actually is going on..

                            It never shows you 1.1.1.1 or 9.9.9.9 in those stupid tests.. It might show you your lame ISP dns if your using that - which NS uses the same IP to resolve with as it listens for queries on.. Small setups not enterprise or CDN setups..

                            The real problem here is users don't actually even understand what dns is or how it works - and if someone says hey your "leaking" they jump!!! OMG.... the man knows what I did a dns query for... The black helicopters are coming.. Without clue one to the basics of how any of it works in the first place... They can not tell you the difference between a forwarder or resolver, etc..

                            Sorry for the rant... Those dns leak tests don't do anything other than scare users to be honest.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            LannaL 1 Reply Last reply Reply Quote 0
                            • LannaL
                              Lanna @johnpoz
                              last edited by

                              @johnpoz Kudos!!! So it was indeed a previously unknown FQDN. That's sure going to make things easier for me.

                              https://www.youtube.com/watch?v=Fc87pw1aYPg

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                Oh you got me started - sorry... The above example where I show how easy it is to see where you went in a simple sniff..

                                Should show these users.. They are so worried omg my ISP knows what websites I am going to... Hiding your dns doesn't stop them from knowing that.. Even encrypting it and sending it all to whereever..

                                They still see the IPs you go to, and right there in the freaking hello is what fqdn you were trying to hit.. Exact same info dns gives them..

                                So what are you doing other than handing all your dns to someone else, along with your ISP still having the info, and making your dns slower to boot.. But OMG a freaking leak<rolleyes>

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                1 Reply Last reply Reply Quote 1
                                • viktor_gV
                                  viktor_g Netgate
                                  last edited by

                                  https://redmine.pfsense.org/issues/10969 - feature request for adding https://github.com/Sekhan/TheGreatWall feeds to pfBlockerNG

                                  1 Reply Last reply Reply Quote 0
                                  • LannaL
                                    Lanna
                                    last edited by Lanna

                                    Just to update this topic, setting the following in my resolver's custom options. . .

                                    server:
                                    local-zone: "use-application-dns.net" always_nxdomain
                                    local-zone: "cloudflare-dns.com" static
                                    

                                    . . . and adding the following IP lists to the firewall as blocked aliases. . .

                                    https://public-dns.info/nameservers.txt
                                    https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall_ipv4

                                    . . . completely hamstrings Firefox and Chrome's attempts to use DoH. I'm sure they will find new ways to screw with network admins, but for the time being, this appears to be highly effective, while keeping things pretty neat and tidy. This is what I am deploying on my production network.

                                    NOTE: Anyone reading this, don't just throw this into your config and forget. You MUST also have the DNS redirects to your local resolver/forwarder in place first.

                                    https://www.youtube.com/watch?v=Fc87pw1aYPg

                                    bingo600B LannaL 2 Replies Last reply Reply Quote 5
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      @Lanna said in Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it:

                                      local-zone: "cloudflare-dns.com" static

                                      That is a great solution.. Since you set it static, unbound will not try to resolve any subdomains of that be it the Mozilla or the chrome one..

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • T
                                        Tzvia @Raffi_
                                        last edited by

                                        @Raffi_
                                        Yea, that "managed environment..." seems to work for domain aware devices. I imported their Active Directory settings into my home domain (Windows Server 2016), and it comes up as disabled by default on domain members. I did turn off the Chrome DNS function via their policy additions anyway (and disabled DOT in Firefox too using their extensions). I then turned my attention to the non-domain stuff so added a NAT redirect for 53 on my IOT VLAN to catch all the 53 to 8.8.8.8 and redirect to my DNS, and don't allow 853 to the internet. DOH from the non-domain-joined IOT was still an issue, so I just setup Lanna's suggestion of the two block lists and the local-zone setting.

                                        This seems like a lot of work to stop software from doing something against my wishes. I was using DOT for a bit but decided I was still handing over my my browsing history to some company so I am just letting the router do the resolving to root servers now.

                                        Feels like a cat and mouse game, or wack a mole...

                                        Tzvia

                                        Current build:
                                        Hunsn/CWWK Pentium Gold 8505, 6x i226v 'micro firewall'
                                        16 gigs ram
                                        500gig WD Blue nvme
                                        Using modded BIOS (enabled CSTATES)
                                        PFSense 2.72-RELEASE
                                        Enabled Intel SpeedShift
                                        Snort
                                        PFBlockerNG
                                        LAN and 5 VLANS

                                        1 Reply Last reply Reply Quote 1
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by

                                          @Tzvia said in Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it:

                                          Feels like a cat and mouse game, or wack a mole...

                                          Concur - its really no better than the spammer changing their tactics to find a way to get their spam to users through corp filtering.. Now its the likes of google and cloudflare.. We will get your users data someway, no matter what you say corp IT..

                                          They really want to send us their data, honest they do because we told them you were spying on their dns.. You know on the network you own and run, and them using the device you gave them to work with.. They clearly need to be able to resolve shop.tld

                                          Oh you don't really want that to happen corp IT.. Here

                                          hoop.jpg

                                          JUMP!

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                          1 Reply Last reply Reply Quote 0
                                          • viktor_gV
                                            viktor_g Netgate
                                            last edited by

                                            Anyway, TheGreatWall feeds are added to the latest version of pfBlockerNG-devel:

                                            Screenshot from 2020-10-16 08-23-24.png
                                            Screenshot from 2020-10-16 08-25-13.png
                                            Screenshot from 2020-10-16 08-25-26.png

                                            1 Reply Last reply Reply Quote 2
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.