Options for Blocking DNS over HTTPS
-
Hi all,
I wanted to reach out to the community to see what everyone is currently doing to try to block DoH (DNS over HTTPS) requests from devices. What would be most effective?
- Using a DoH IP blocklist (e.g. using pfBlockerNG)
- Using a DoH DNS blocklist (e.g. using pfBlockerNG DNSBL or Pi-hole)
- Using custom settings in Unbound's advanced options
- Other?
Thanks in advance for your help and insight, I really appreciate it.
-
@tman222 said in Options for Blocking DNS over HTTPS:
I do 1 and 2
Using custom settings in Unbound's advanced options
Not sure I understand anything you could do to unbound to block DoH. If some client is going around it to use a DoH server there is nothing to do to unbound other than sinkholing known DoH hosts. Same as #2.
It's port 443 traffic. That's either the beauty or the misery of DoH, depends on your perspective. Me, I dislike it strongly.
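One way to turn a DoH host list into the "sinkholing known DoH hosts" Unbound configuration this post describes, as an added example that is not code from the thread or from any of the projects mentioned (the feed text is a constructed sample, and the hostnames and addresses in it are placeholders, not real resolvers):

```python
import ipaddress
import re

# Constructed sample of a DoH blocklist feed in the mixed style such feeds use
# (hostnames, some raw IPs, comments, blank lines). Placeholder values only.
SAMPLE_FEED = """\
# DoH resolvers (constructed sample, not a real list)
dns.example-resolver.test
doh.example-resolver.test   # inline comment
DNS.Example-Resolver.TEST
198.51.100.7
2001:db8::53
not a hostname!
"""

# Labels of 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)

def parse_feed(text):
    """Split a feed into (hostnames, ips), dropping comments, blanks, duplicates and junk.
    Hostnames go to the resolver; literal IPs only help at the firewall, since a client
    that talks DoH to a hard-coded address never asks the resolver for anything."""
    hosts, ips, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry or entry in seen:
            continue
        try:
            ips.append(str(ipaddress.ip_address(entry)))
            seen.add(entry)
            continue
        except ValueError:
            pass  # not an IP literal, try it as a hostname
        if HOSTNAME_RE.match(entry):
            hosts.append(entry)
            seen.add(entry)
    return hosts, ips

def unbound_local_zones(hosts):
    """One Unbound 'server:' directive per DoH host; always_nxdomain also covers
    every name beneath it, so the client never learns the DoH server's address."""
    return [f'local-zone: "{h}." always_nxdomain' for h in hosts]

if __name__ == "__main__":
    hosts, ips = parse_feed(SAMPLE_FEED)
    print("\n".join(unbound_local_zones(hosts)))
    print("# IP entries for a firewall alias:", ", ".join(ips))
```

The generated lines go into Unbound's advanced options (the `server:` section) and only take effect for clients that actually use that resolver; the IP entries belong in a firewall block rule or alias instead.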
-
The only other way around it would be a transparent HTTPS MITM proxy, so you can see inside that HTTPS traffic. If you could filter on the JSON data format returned by most DoH servers, or even filter on the URL (since most have the same format), that would probably catch most requests.
-
@virgiliomi
Self-inflicted MiM... You can do that for sure.
BTW: I do like your sig ;)
-
Thanks guys, I appreciate your help. I think I will try 1 and 2 as well - if anything to see if there are any devices actually trying to use DoH.
@jwj - what source(s) do you use for your DoH blocklist(s)? This one is listed in the pfBlockerNG feeds and it looks pretty good (but hasn't been updated in a while):
https://github.com/Sekhan/TheGreatWall
Are there others I should consider as well? Thanks again.
-
@tman222 said in Options for Blocking DNS over HTTPS:
Are there others I should consider as well?
Not that I know of offhand. It's playing whack-a-mole trying to keep a list current anyhow.
In the home environment it's all about not allowing sketchy devices on the network at all and isolating those (IoT) that have bigger attack surfaces.
In a business environment with BYOD or guests you isolate and use some on-boarding system to keep on top of who is who.
Don't let the 13-year-old kid from down the street use your WiFi and keep that creepy uncle who likes the girly sites off your network.
-
@jwj said in Options for Blocking DNS over HTTPS:
@tman222 said in Options for Blocking DNS over HTTPS:
Are there others I should consider as well?
Not that I know of offhand. It's playing whack-a-mole trying to keep a list current anyhow.
In the home environment it's all about not allowing sketchy devices on the network at all and isolating those (IoT) that have bigger attack surfaces.
In a business environment with BYOD or guests you isolate and use some on-boarding system to keep on top of who is who.
Thanks @jwj, that makes sense. This may be another list worth trying (looks like it's curated from several different sources):
https://discourse.pi-hole.net/t/doh-dns-over-https-ip-block-list-s/30393
https://github.com/jpgpi250/piholemanual
-
@tman222 Good stuff. Thanks!
-
@tman222 said in Options for Blocking DNS over HTTPS:
https://github.com/jpgpi250/piholemanual
Thank you, the lists by this guy seem to be well-maintained, and he's even written a detailed PDF tutorial to block access to DoH servers with floating rules for pfSense.