Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it

    Scheduled Pinned Locked Moved General pfSense Questions
    41 Posts 9 Posters 14.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • LannaL
      Lanna @johnpoz
      last edited by

      @johnpoz Kudos!!! So it was indeed a previously unknown FQDN. That's sure going to make things easier for me.

      https://www.youtube.com/watch?v=Fc87pw1aYPg

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Oh you got me started - sorry... The above example where I show how easy it is to see where you went in a simple sniff..

        Should show these users.. They are so worried omg my ISP knows what websites I am going to... Hiding your dns doesn't stop them from knowing that.. Even encrypting it and sending it all to whereever..

        They still see the IPs you go to, and right there in the freaking hello is what fqdn you were trying to hit.. Exact same info dns gives them..

        So what are you doing other than handing all your dns to someone else, along with your ISP still having the info, and making your dns slower to boot.. But OMG a freaking leak<rolleyes>

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 1
        • viktor_gV
          viktor_g Netgate
          last edited by

          https://redmine.pfsense.org/issues/10969 - feature request for adding https://github.com/Sekhan/TheGreatWall feeds to pfBlockerNG

          1 Reply Last reply Reply Quote 0
          • LannaL
            Lanna
            last edited by Lanna

            Just to update this topic, setting the following in my resolver's custom options. . .

            server:
            local-zone: "use-application-dns.net" always_nxdomain
            local-zone: "cloudflare-dns.com" static
            

            . . . and adding the following IP lists to the firewall as blocked aliases. . .

            https://public-dns.info/nameservers.txt
            https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall_ipv4

            . . . completely hamstrings Firefox and Chrome's attempts to use DoH. I'm sure they will find new ways to screw with network admins, but for the time being, this appears to be highly effective, while keeping things pretty neat and tidy. This is what I am deploying on my production network.

            NOTE: Anyone reading this, don't just throw this into your config and forget. You MUST also have the DNS redirects to your local resolver/forwarder in place first.

            https://www.youtube.com/watch?v=Fc87pw1aYPg

            bingo600B LannaL 2 Replies Last reply Reply Quote 5
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              @Lanna said in Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it:

              local-zone: "cloudflare-dns.com" static

              That is a great solution.. Since you set it static, unbound will not try to resolve any subdomains of that be it the Mozilla or the chrome one..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • T
                Tzvia @Raffi_
                last edited by

                @Raffi_
                Yea, that "managed environment..." seems to work for domain aware devices. I imported their Active Directory settings into my home domain (Windows Server 2016), and it comes up as disabled by default on domain members. I did turn off the Chrome DNS function via their policy additions anyway (and disabled DOT in Firefox too using their extensions). I then turned my attention to the non-domain stuff so added a NAT redirect for 53 on my IOT VLAN to catch all the 53 to 8.8.8.8 and redirect to my DNS, and don't allow 853 to the internet. DOH from the non-domain-joined IOT was still an issue, so I just setup Lanna's suggestion of the two block lists and the local-zone setting.

                This seems like a lot of work to stop software from doing something against my wishes. I was using DOT for a bit but decided I was still handing over my my browsing history to some company so I am just letting the router do the resolving to root servers now.

                Feels like a cat and mouse game, or wack a mole...

                Tzvia

                Current build:
                Hunsn/CWWK Pentium Gold 8505, 6x i226v 'micro firewall'
                16 gigs ram
                500gig WD Blue nvme
                Using modded BIOS (enabled CSTATES)
                PFSense 2.72-RELEASE
                Enabled Intel SpeedShift
                Snort
                PFBlockerNG
                LAN and 5 VLANS

                1 Reply Last reply Reply Quote 1
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  @Tzvia said in Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it:

                  Feels like a cat and mouse game, or wack a mole...

                  Concur - its really no better than the spammer changing their tactics to find a way to get their spam to users through corp filtering.. Now its the likes of google and cloudflare.. We will get your users data someway, no matter what you say corp IT..

                  They really want to send us their data, honest they do because we told them you were spying on their dns.. You know on the network you own and run, and them using the device you gave them to work with.. They clearly need to be able to resolve shop.tld

                  Oh you don't really want that to happen corp IT.. Here

                  hoop.jpg

                  JUMP!

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • viktor_gV
                    viktor_g Netgate
                    last edited by

                    Anyway, TheGreatWall feeds are added to the latest version of pfBlockerNG-devel:

                    Screenshot from 2020-10-16 08-23-24.png
                    Screenshot from 2020-10-16 08-25-13.png
                    Screenshot from 2020-10-16 08-25-26.png

                    1 Reply Last reply Reply Quote 2
                    • bingo600B
                      bingo600 @Lanna
                      last edited by bingo600

                      @Lanna said in Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it:

                      . . . and adding the following IP lists to the firewall as blocked aliases. . .

                      Trying to wrap my head around this one ...
                      Are you blocking everything to these IP's , or just 443 ??

                      Are you pointing the alias to the listfiles via this one ??

                      c491e146-5dd8-4da6-b124-aa6e9b008030-image.png

                      Thanx for doing this

                      I have setup my pfSense (unbound) to use (forward) all queries to use two Linux Bind9 servers i have locally (vlan100) , doing all the resolving.

                      They have to have "access to the root servers" UDP 53 , if i enable (dns) portforwarding on vlan 100 , can i make an exception for these two so they're not redirected ?

                      I'm already handing out pfSense IF as DNS via dhcp to clients , and blocking
                      53/853 to other(s). No UDP 53 portredirect yet.

                      I'm not that intertested in pfblocker-ng , i use Pihole (also vlan 100) for "scrubbing" my mobile devices.

                      So i suppose i have 4 local ip's i'd like to prevent from being redirected.

                      local DNS1 - A root server access
                      local DNS2 - A root server access

                      pihole - Allow dns from Phone vlan + Mmedia Vlan

                      Express-VPN ATV DNS - Allow dns to this one from my ATV's on Mmedia vlan

                      /Bingo

                      If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

                      pfSense+ 23.05.1 (ZFS)

                      QOTOM-Q355G4 Quad Lan.
                      CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                      LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

                      LannaL 1 Reply Last reply Reply Quote 0
                      • LannaL
                        Lanna @bingo600
                        last edited by

                        @bingo600 said in Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it:

                        @Lanna said in Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it:

                        Are you blocking everything to these IP's , or just 443 ??

                        I am blocking all ports to those IPs, but adjust to your liking

                        Are you pointing the alias to the listfiles via this one ??

                        That's right, I am using the URL Table option

                        https://www.youtube.com/watch?v=Fc87pw1aYPg

                        1 Reply Last reply Reply Quote 3
                        • LannaL
                          Lanna @Lanna
                          last edited by

                          @Lanna said in Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it:

                          Just to update this topic, setting the following in my resolver's custom options. . .

                          server:
                          local-zone: "use-application-dns.net" always_nxdomain
                          local-zone: "cloudflare-dns.com" static
                          

                          . . . and adding the following IP lists to the firewall as blocked aliases. . .

                          https://public-dns.info/nameservers.txt
                          https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall_ipv4

                          . . . completely hamstrings Firefox and Chrome's attempts to use DoH. I'm sure they will find new ways to screw with network admins, but for the time being, this appears to be highly effective, while keeping things pretty neat and tidy. This is what I am deploying on my production network.

                          NOTE: Anyone reading this, don't just throw this into your config and forget. You MUST also have the DNS redirects to your local resolver/forwarder in place first.

                          Just as an addition to the above, I've spent the last 24 hours playing around with DNSBL and I realised that with the BETA of 'Enable TLD' you can in fact just add those domains in a custom blacklist and every subdomain will be blocked there too. Probably neater for some setups.

                          https://www.youtube.com/watch?v=Fc87pw1aYPg

                          1 Reply Last reply Reply Quote 1
                          • D
                            dma_pf
                            last edited by dma_pf

                            @lanna

                            NOTE: Anyone reading this, don't just throw this into your config and forget. You MUST also have the DNS redirects to your local resolver/forwarder in place first.

                            I'm curious about how you have your NAT redirects set up. Are you port forwarding the packets destined to IP's (in the IP lists above) on port 443 back to pfSense's resolver?

                            Currently I have NAT port forwards to redirect all DNS requests to non-internal networks on ports 53 and 853 back to pfSense's resolver. I'm wondering if the ideas is to do the same with the DOH requests, or are you just blocking those request outright?

                            LannaL 1 Reply Last reply Reply Quote 0
                            • LannaL
                              Lanna @dma_pf
                              last edited by Lanna

                              @dma_pf I'm just redirecting ports like for like. DoH is just blackholed or rejected completely. If anyone tries to set their browser to use DoH only, they will get an ssl config error when trying to visit a website.

                              https://www.youtube.com/watch?v=Fc87pw1aYPg

                              bingo600B 1 Reply Last reply Reply Quote 0
                              • bingo600B
                                bingo600 @Lanna
                                last edited by bingo600

                                Just wanted to add this great resource (see the doc subdir)
                                https://github.com/jpgpi250/piholemanual

                                I snipped the url from here
                                https://forum.netgate.com/post/953474

                                He has made a neat PDF pfSense guide on how2 block DoH
                                https://github.com/jpgpi250/piholemanual/blob/master/doc/Block%20DOH%20with%20pfsense.pdf

                                Best is that he states in th pfSense PDF , that he is collecting/consolidating his list from the below "other" lists , and his lists are getting updated frequently.

                                I’ve searched and found several lists, containing references to DoH servers:
                                -
                                https: //raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt-
                                https: //raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall.txt
                                https: //raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
                                https: //raw.githubusercontent.com/vysecurity/DoH-Servers/master/README.md
                                https: //raw.githubusercontent.com/tjay/DoH-List/master/hosts
                                https: //raw.githubusercontent.com/flo-wer/doh-list/master/domains.txt
                                https: //raw.githubusercontent.com/wiki/curl/curl/DNS-over-HTTPS.md
                                https: //download.dnscrypt.info/dnscrypt-resolvers/json/public-resolvers.json
                                https: / /dtm.uk/dns-over-https-doh-servers
                                https: //raw.githubusercontent.com/Jigsaw-Code/Intra/master/Android/app/src/main/res/values/servers.xml
                                https: //raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt
                                https: //raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt
                                https: //raw.githubusercontent.com/crypt0rr/public-doh-servers/main/dns.list
                                

                                He's doing a super job , and has some god PDF guides.

                                Edit:
                                Glad i used "floating rules" , as they use "openDNS w DoH" on my "work (from home) pc" šŸ‘Ž
                                And guess what is in the list ....
                                I chose to remove DoH from my Guest/Inet-Only VLAN , where it's connected.

                                /Bingo

                                If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

                                pfSense+ 23.05.1 (ZFS)

                                QOTOM-Q355G4 Quad Lan.
                                CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                                LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

                                1 Reply Last reply Reply Quote 5
                                • jpgpi250J jpgpi250 referenced this topic on
                                • A
                                  Antibiotic @johnpoz
                                  last edited by

                                  @johnpoz This is old topic, but when try to put this in custom options. Received error:
                                  The following input errors were detected:

                                  The generated config file cannot be parsed by unbound. Please correct the following errors:
                                  /var/unbound/test/unbound.conf:110: error: syntax error
                                  read /var/unbound/test/unbound.conf failed: 1 errors in configuration file

                                  pfSense plus 24.11 on Topton mini PC
                                  CPU: Intel N100
                                  NIC: Intel i-226v 4 pcs
                                  RAM : 16 GB DDR5
                                  Disk: 128 GB NVMe
                                  Brgds, Archi

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    Antibiotic @johnpoz
                                    last edited by

                                    @johnpoz said in Blocking DNS over HTTPS. Seems the only way is to fire a shotgun at it:

                                    local-zone: "use-application-dns.net" always_nxdomain
                                    local-zone: "local." always_nxdomain
                                    local-data: "dns.adguard.com. 120 IN A 172.19.19.19"
                                    local-data: "dns-family.adguard.com. 120 IN A 172.19.19.19"
                                    local-data: "dns.google. 120 IN A 172.19.19.19"
                                    local-data: "cloudflare-dns.com. 120 IN A 172.19.19.19"
                                    local-data: "dns.quad9.net. 120 IN A 172.19.19.19"
                                    local-data: "dns9.quad9.net. 120 IN A 172.19.19.19"
                                    local-data: "dns10.quad9.net. 120 IN A 172.19.19.19"

                                    Oh, now clear me forget to set option "server:"

                                    pfSense plus 24.11 on Topton mini PC
                                    CPU: Intel N100
                                    NIC: Intel i-226v 4 pcs
                                    RAM : 16 GB DDR5
                                    Disk: 128 GB NVMe
                                    Brgds, Archi

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.