Netgate Discussion Forum

Options for Blocking DNS over HTTPS

Category: DHCP and DNS
9 Posts, 4 Posters, 3.6k Views
tman222
Dec 26, 2020, 9:18 PM

Hi all,

I wanted to reach out to the community to see what everyone is currently doing to try to block DoH (DNS over HTTPS) requests from devices. What would be most effective?

1. Using a DoH IP blocklist (e.g. using pfBlockerNG)
2. Using a DoH DNS blocklist (e.g. using pfBlockerNG DNSBL or Pi-hole)
3. Using custom settings in Unbound's advanced options
4. Other?

Thanks in advance for your help and insight, I really appreciate it.
A Former User @tman222
Dec 26, 2020, 9:38 PM (last edited Dec 26, 2020, 9:41 PM)

@tman222 said in Options for Blocking DNS over HTTPS:

I do 1 and 2

Using custom settings in Unbound's advanced options

Not sure I understand anything you could do to unbound to block DoH. If some client is going around it to use a DoH server there is nothing to do to unbound other than sinkholing known DoH hosts. Same as #2.

It's port 443 traffic. That's either the beauty or the misery of DoH, depends on your perspective. Me, I dislike it strongly.
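The two list-based options from the opening post (an IP blocklist for a firewall alias, a hostname list for the resolver) and the "sinkholing known DoH hosts" in Unbound described in the reply above can be driven from the same feed. The script below is an added example and is not code from the thread, pfBlockerNG, or any of the linked lists; the feed contents are constructed, and the feed layouts it accepts (hosts-file lines, bare hostnames, IPs and CIDR ranges) are assumptions about what such lists typically contain. It emits Unbound `local-zone` lines using the real `always_nxdomain` type, which answers NXDOMAIN for the name and everything under it, and a one-entry-per-line file for a pfSense URL Table alias. The caveat from the reply still applies: a client with the DoH server's address hard-coded never asks the resolver, which is why the IP alias is kept alongside the sinkhole.

```python
import ipaddress
import re

# Constructed sample feed (not a real blocklist), mixing the layouts DoH lists
# are published in: hosts-file lines, bare hostnames, bare IPs, CIDR ranges,
# comments and junk.
SAMPLE_FEED = """\
# DoH resolver list (constructed sample)
0.0.0.0 doh.example-resolver.test
dns.example-cdn.test   # bare hostname with a trailing comment
DOH.Example-Resolver.TEST
192.0.2.53
2001:db8::53
198.51.100.0/24
not a hostname!!
"""

# RFC 1123 hostname shape: labels of 1-63 chars, 253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def parse_feed(text):
    """Split a DoH blocklist into (hostnames, networks).

    Hostnames come back lower-cased, deduplicated and sorted; addresses come
    back as CIDR strings (a single host becomes /32 or /128), IPv4 first.
    Lines that fit neither shape are skipped rather than guessed at.
    """
    hosts, nets = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            line = fields[1]          # hosts-file layout: keep the name only
        elif len(fields) != 1:
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass                      # not an address; try it as a hostname
        name = line.lower().rstrip(".")
        if HOSTNAME_RE.match(name):
            hosts.add(name)
    ordered = sorted(nets, key=lambda n: (n.version, n))
    return sorted(hosts), [str(n) for n in ordered]


def unbound_sinkhole(hostnames, zone_type="always_nxdomain"):
    """Render Unbound local-zone lines for the DNS Resolver custom options box.

    always_nxdomain answers the name and everything under it with NXDOMAIN, so a
    client that still relies on the LAN resolver never learns the DoH server's
    address.  A client with the address hard-coded needs the IP alias instead.
    """
    return ['local-zone: "%s." %s' % (h, zone_type) for h in hostnames]


def pf_alias_text(networks):
    """One entry per line: the layout a pfSense URL Table alias reads."""
    return "\n".join(networks) + "\n"


def build(text):
    """Turn one feed into both artefacts: Unbound lines and alias file text."""
    hosts, nets = parse_feed(text)
    return unbound_sinkhole(hosts), pf_alias_text(nets)


if __name__ == "__main__":
    unbound_lines, alias = build(SAMPLE_FEED)
    print("\n".join(unbound_lines))
    print(alias)
```

Running it against the constructed feed prints two `local-zone` lines for the resolver and three CIDR entries for the alias; the duplicate hostname (different case) collapses to one entry and the junk line is dropped.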
MikeV7896
Dec 26, 2020, 9:46 PM

The only other way around it would be a transparent HTTPS MITM proxy, so you can see inside that HTTPS traffic. If you could filter on the JSON data format returned by most DoH servers, or even filter on the URL (since most have the same format), that would probably catch most requests.

The S in IOT stands for Security
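Once a TLS-terminating proxy can see the request, the "same URL format" the post refers to is well defined: RFC 8484 DoH uses the `/dns-query` path, the `application/dns-message` media type, and for GET a base64url `dns=` parameter carrying a wire-format DNS query; the JSON variant some public resolvers offer uses `application/dns-json` and a `name=` parameter. The classifier below is an added example, not code from the post or from any proxy product; the sample requests are constructed, the `/resolve` path in the JSON sample is an assumption, and the `dns=` value is the RFC 8484 example query for www.example.com. It goes one step beyond flagging: it decodes the `dns=` payload to recover the name the device was trying to look up, which is what you would log to see which devices are going around the LAN resolver.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Media types registered for DoH (RFC 8484) and the JSON API several public
# resolvers also offer.
DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}

# Constructed sample of what a TLS-terminating proxy would see, as
# (method, url, headers).  None of the hosts are real DoH servers; the dns=
# value is the RFC 8484 example query for www.example.com, type A.
SAMPLE_REQUESTS = [
    ("GET", "https://doh.example.test/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB",
     {"Accept": "application/dns-message"}),
    ("POST", "https://doh.example.test/dns-query",
     {"Content-Type": "application/dns-message"}),
    ("GET", "https://doh.example.test/resolve?name=www.example.com&type=A",
     {"Accept": "application/dns-json"}),
    ("GET", "https://www.example.test/index.html",
     {"Accept": "text/html"}),
]


def question_name(wire):
    """Return the QNAME of the first question in a wire-format DNS message."""
    if len(wire) < 12:
        raise ValueError("shorter than a DNS header")
    (qdcount,) = struct.unpack("!H", wire[4:6])
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(wire):
            raise ValueError("truncated question name")
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def classify(method, url, headers):
    """Return None for an ordinary request, else a dict describing the DoH request.

    Signals, cheapest first: the DoH media type in Content-Type (POST) or
    Accept (GET), the well-known /dns-query path, and a dns= parameter that
    decodes to a DNS message.  The JSON API is recognised by its media type
    and its name= parameter.
    """
    hdr = {k.lower(): v.lower() for k, v in headers.items()}
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    media = hdr.get("content-type") if method.upper() == "POST" else hdr.get("accept")
    result = {"host": parts.hostname, "method": method.upper(), "path": parts.path,
              "media": media, "qname": None}
    if "dns" in query:
        b64 = query["dns"][0]
        try:
            padded = b64 + "=" * (-len(b64) % 4)   # base64url is sent unpadded
            result["qname"] = question_name(base64.urlsafe_b64decode(padded))
        except (ValueError, UnicodeDecodeError):
            pass  # malformed payload: still flagged if another signal matches
    elif "name" in query:
        result["qname"] = query["name"][0].lower()
    is_doh = (media in DOH_MEDIA_TYPES
              or parts.path == "/dns-query"
              or ("dns" in query and result["qname"] is not None))
    return result if is_doh else None


def scan(requests):
    """Classify a batch; returns only the requests that look like DoH."""
    hits = []
    for method, url, headers in requests:
        hit = classify(method, url, headers)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

The media-type and path checks are the reliable ones; a client that strips the Accept header and uses a non-standard path only shows up through the decoded `dns=` payload, and the JSON API check is a heuristic. None of this applies to traffic the proxy does not terminate, which is the trade-off the post describes.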
A Former User
Dec 26, 2020, 9:48 PM (last edited Dec 26, 2020, 9:49 PM)

@virgiliomi

Self-inflicted MiM... You can do that for sure.

BTW: I do like your sig ;)
tman222
Dec 26, 2020, 9:57 PM

Thanks guys, I appreciate your help. I think I will try 1 and 2 as well, if anything, to see if there are any devices actually trying to use DoH.

@jwj - what source(s) do you use for your DoH blocklist(s)? This one is listed in the pfBlockerNG feeds and it looks pretty good (but hasn't been updated in a while):

https://github.com/Sekhan/TheGreatWall

Are there others I should consider as well? Thanks again.
A Former User @tman222
Dec 26, 2020, 10:00 PM (last edited Dec 26, 2020, 10:07 PM)

@tman222 said in Options for Blocking DNS over HTTPS:

Are there others I should consider as well?

Not that I know of offhand. It's playing whack-a-mole trying to keep a list current anyhow.

In the home environment it's all about not allowing sketchy devices on the network at all and isolating those (IoT) that have bigger attack surfaces.

In a business environment with BYOD or guests you isolate and use some on-boarding system to keep on top of who is who.

Don't let the 13-year-old kid from down the street use your WiFi and keep that creepy uncle who likes the girly sites off your network.
tman222 @A Former User
Dec 26, 2020, 10:09 PM

@jwj said in Options for Blocking DNS over HTTPS:

@tman222 said in Options for Blocking DNS over HTTPS:

Are there others I should consider as well?

Not that I know of offhand. It's playing whack-a-mole trying to keep a list current anyhow.

In the home environment it's all about not allowing sketchy devices on the network at all and isolating those (IoT) that have bigger attack surfaces.

In a business environment with BYOD or guests you isolate and use some on-boarding system to keep on top of who is who.

Thanks @jwj, that makes sense. This may be another list worth trying (looks like it's curated from several different sources):

https://discourse.pi-hole.net/t/doh-dns-over-https-ip-block-list-s/30393
https://github.com/jpgpi250/piholemanual
A Former User @tman222
Dec 26, 2020, 10:09 PM

@tman222 Good stuff. Thanks!
Making_sense_of_pfSense @tman222
May 16, 2021, 6:57 PM

@tman222 said in Options for Blocking DNS over HTTPS:

https://github.com/jpgpi250/piholemanual

Thank you, the lists by this guy seem to be well-maintained, and he's even written a detailed PDF tutorial to block access to DoH servers with floating rules for pfSense.

Running pfSense Community Edition 2.7.2 on a Qotom Mini PC.
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.