Netgate Discussion Forum
    Block DNS over HTTPS from clients on LAN

      marian78
      last edited by marian78

Hi, I want to ask how to block DNS over HTTPS from clients on the LAN (I don't want to use a proxy).

I use family filtering (DNS provider). I set DNS, DHCP and some firewall rules so that LAN clients can only use the family-filtering DNS.
But if clients use a browser with DNS over HTTPS, can I still filter adult content?

pfSense running in a VM on an HP N54L microserver, 2G RAM, 60G disk, WAN, LAN, DMZ, Wifi, OpenVPN server + client, suricata, pfblocker

Grimson

        https://forum.netgate.com/topic/133679/heads-up-be-aware-of-trusted-recursive-resolver-trr-in-firefox

          marian78

Thanks for the quick reply.

So, for now we don't have any solution to solve this on a pfSense box?


            tinetserv
            last edited by tinetserv

In Chrome 78 DoH is enabled by default. There is no means to disable it. The flag chrome://flags/#dns-over-https is not even listed as an option. The .admx policies are outdated, and the regkeys under HKLM\SOFTWARE\Policies\Google are undocumented for this option.

JeGr (moderator)

              How about checking if you are really using DoH first:

              https://1.1.1.1/help

              Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

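JeGr's advice above is to confirm whether DoH is actually in use before trying to block it. The https://1.1.1.1/help page answers that for one browser on one machine; on the firewall side the same question can be asked of the logs. The following Python script is an added example, not part of this thread and not pfSense or Unbound code: it reads a constructed sample of Unbound query-log lines (as written with `log-queries: yes`, format simplified) and a constructed, simplified outbound-connection log (`ts,src,dst,dport`, not pfSense's real filterlog format) and flags LAN hosts that either reach a known public DoH resolver on TCP/443 (1.1.1.1 from this thread, plus 1.0.0.1 and 8.8.8.8) or open many HTTPS connections without ever asking the local resolver for a name. The sample addresses, the resolver list and the `min_peers` threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Unbound query-log lines (log-queries: yes); the format is
# simplified for the example and is not a capture from a real pfSense box.
UNBOUND_LOG = """\
[1700000000] unbound[1234:0] info: 192.168.1.10 example.com. A IN
[1700000001] unbound[1234:0] info: 192.168.1.10 cdn.example.net. AAAA IN
[1700000002] unbound[1234:0] info: 192.168.1.10 use-application-dns.net. A IN
"""

# Constructed, simplified outbound-connection log: ts,src,dst,dport (not filterlog).
FIREWALL_LOG = """\
1700000000,192.168.1.10,198.51.100.34,443
1700000001,192.168.1.10,198.51.100.35,443
1700000003,192.168.1.20,1.1.1.1,443
1700000004,192.168.1.20,198.51.100.40,443
1700000005,192.168.1.30,203.0.113.5,443
1700000006,192.168.1.30,203.0.113.6,443
1700000007,192.168.1.30,203.0.113.7,443
1700000008,192.168.1.30,203.0.113.8,443
1700000009,192.168.1.30,203.0.113.9,443
"""

# Public resolvers that also serve DoH on TCP/443; a short sample list, extend as needed.
KNOWN_DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8"}

UNBOUND_RE = re.compile(r"info: (\S+) (\S+)\. (\S+) IN\s*$")


def count_local_dns_queries(log_text: str) -> dict:
    """Map each client IP to the number of queries it sent to the local resolver."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = UNBOUND_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def https_peers(log_text: str) -> dict:
    """Map each client IP to the set of destination IPs it reached on port 443."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport = line.split(",")
        if dport == "443":
            peers[src].add(dst)
    return dict(peers)


def find_doh_suspects(unbound_text: str, fw_text: str,
                      known_doh_ips=KNOWN_DOH_IPS, min_peers: int = 5) -> dict:
    """Return {client_ip: [reasons]} for hosts whose traffic suggests DoH use."""
    dns_counts = count_local_dns_queries(unbound_text)
    suspects = defaultdict(list)
    for src, dsts in https_peers(fw_text).items():
        for hit in sorted(dsts & known_doh_ips):
            suspects[src].append(f"TCP/443 to known DoH resolver {hit}")
        # Many distinct HTTPS peers but no lookups via the local resolver: names are
        # being resolved somewhere else (DoH, a proxy, or a hard-coded resolver).
        if len(dsts) >= min_peers and dns_counts.get(src, 0) == 0:
            suspects[src].append(
                f"{len(dsts)} HTTPS peers with no queries to the local resolver")
    return dict(suspects)


if __name__ == "__main__":
    for host, reasons in find_doh_suspects(UNBOUND_LOG, FIREWALL_LOG).items():
        print(host, "->", "; ".join(reasons))
```

With the constructed input, 192.168.1.10 resolves names locally and is left alone, 192.168.1.20 is flagged for talking to 1.1.1.1 on 443, and 192.168.1.30 is flagged for five HTTPS peers with no local DNS at all. The second heuristic is deliberately loose (a client behind a proxy or with a hard-coded resolver on port 53 to another server trips it too), so treat hits as a prompt to look at the host, not as proof of DoH.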
                tinetserv

https://1.1.1.1/help is helpful. I've set `server: local-zone: "use-application-dns.net" static` in the resolver, and also `"DNSOverHTTPS": {"Enabled": false}` in distribution/policies.json. Just saying, Chrome needs the TRR parameter documented just like Firefox did. Do you think DoH should be the future standard? What is the purpose of dnscrypt-proxy?

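tinetserv's post names two controls: an Unbound static local-zone for use-application-dns.net and a Firefox enterprise policy. The first relies on the canary-domain mechanism: a browser that looks up use-application-dns.net through the local resolver and gets no usable answer leaves DoH off, which is what the static local-zone produces (NXDOMAIN or an empty NOERROR instead of an address). The Python below is an added example, not code from this thread, Mozilla or Unbound: it builds the query the browser sends, parses the resolver's wire-format reply (including name compression), and applies the canary rule as Mozilla describes it, namely NXDOMAIN, or NOERROR with no A/AAAA records, means stay off. The three responses are constructed inline, 203.0.113.10 is a placeholder address, and `query_resolver` is an assumed helper for checking a live resolver on UDP/53 that the offline demo does not call.

```python
import socket
import struct

CANARY = "use-application-dns.net"
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str = CANARY, txid: int = 0x1234, qtype: int = TYPE_A) -> bytes:
    """Standard recursive query: header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after the field)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data: bytes) -> dict:
    """Return the transaction id, rcode and any A/AAAA addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4  # skip qtype + qclass
    addresses = []
    for _ in range(an):
        _, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            addresses.append(":".join(rdata[i:i + 2].hex() for i in range(0, 16, 2)))
    return {"id": txid, "rcode": flags & 0x000F, "addresses": addresses}


def canary_disables_doh(response: bytes) -> bool:
    """Canary rule: NXDOMAIN, or NOERROR with no A/AAAA records, keeps DoH off."""
    parsed = parse_response(response)
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return True
    return parsed["rcode"] == RCODE_NOERROR and not parsed["addresses"]


def make_response(rcode: int, answers) -> bytes:
    """Construct a reply to the canary query (QR/RD/RA set); 0xC00C points at the question name."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = encode_name(CANARY) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rrs = b""
    for ip in answers:
        rdata = bytes(int(x) for x in ip.split("."))
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + rdata
    return header + question + rrs


def query_resolver(server: str, timeout: float = 2.0) -> bytes:
    """Assumed helper: send the canary query to a live resolver over UDP/53 (not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, 53))
        return s.recv(512)


# Constructed responses: what a static local-zone returns vs. what an unfiltered
# upstream resolver returns (203.0.113.10 is a placeholder, not the real canary address).
BLOCKED_RESPONSE = make_response(RCODE_NXDOMAIN, [])
NODATA_RESPONSE = make_response(RCODE_NOERROR, [])
UPSTREAM_RESPONSE = make_response(RCODE_NOERROR, ["203.0.113.10"])

if __name__ == "__main__":
    for label, resp in [("nxdomain", BLOCKED_RESPONSE), ("nodata", NODATA_RESPONSE),
                        ("upstream", UPSTREAM_RESPONSE)]:
        print(label, parse_response(resp), "DoH stays off:", canary_disables_doh(resp))
```

Two caveats worth keeping in mind when relying on this: the canary only works for clients that actually ask the local resolver (a client pointed straight at a public resolver never sees the static zone, which is why the port-53 firewall rules in the first post still matter), and it is honoured only by software that implements the check; the policies.json setting covers managed Firefox installs regardless of what the resolver answers.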
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.