Redirect Hardcoded DNS devices

johnpoz · Aug 2, 2022, 5:24 PM

@the-other yeah block rule for 853 would stop dot, but most devices don't use dot they use doh. Doh hides itself in normal looking 443 (https) traffic. So you need a list of known doh servers be it fqdn or IP or both.. I block both.. and log what IPs try to hit the rules..

I believe pfblocker has a built in list that has well known doh servers.

the other · Aug 2, 2022, 6:09 PM

@johnpoz thanx for clarifying! I knew that DoH is a b... to go around, yeah there is a blocklist for pfblocker, but it is another race one must enter.
I was just confused, cause it was mentioned above, that mitm was need for DoT as well...
:)

johnpoz · Aug 2, 2022, 6:13 PM

@the-other yeah its going to be a never ending game of wack-a-mole for sure..

Keep in mind I have heard of doh using other ports as well 5053, 453 as examples.

the other · Aug 2, 2022, 6:27 PM

@johnpoz haven't heard of that...thanks again! Another race to enter...*sigh

bingo600 · Aug 2, 2022, 6:31 PM

@johnpoz said in Redirect Hardcoded DNS devices:

Keep in mind I have heard of doh using other ports as well 5053, 453 as examples.

Wuuutttt

johnpoz · Aug 2, 2022, 6:44 PM

@the-other

https://github.com/oneoffdallas/dohservers/blob/master/iplist.txt

dnscrypt.ca is using Port 453 for DoH (instead of 443)

https://www.speedguide.net/port.php?port=5053
5053 tcp rlm DNS over HTTPS (used by Cloudflared)

I think this is some proxy/relay sort of thing running on pi-hole.. But that they are using other ports other than 443 just points other ways to circumvent blocking it, etc..

its a never ending game of wack-a-mole..

bingo600 · Aug 2, 2022, 6:41 PM

@johnpoz
Sigh ....

Now my floating(s) use a Port Alias , and not just 443 ... Sigh

Thnx

SteveITS · Aug 2, 2022, 8:59 PM

@bohaman re: pfBlockerNG-devel, I usually use Alias Native and create my own aliases, so I use the DOH/Great Wall feed and have rules like this that block any port, to listed IPs:
login-to-view

johnpoz · Aug 2, 2022, 9:39 PM

@steveits you actually allow doh? Really? I would never in a million years allow that on purpose.. I don't care the device, if some device required doh - I wouldn't be using that device.

My take on doh is its yet another loss of control that the big players are tricking the end users into thinking they have their best interests -- which is utter and complete BS!!

SteveITS · Aug 2, 2022, 9:42 PM

@johnpoz said in Redirect Hardcoded DNS devices:

if some device required doh - I wouldn't be using that device.

It is my Dish (satellite) DVR. :) Not the part that downloads guide and software updates, but the "on demand" movie channels (which is basically an app) use only DoH not DNS. If it's blocked, no movies. ¯\(ツ)/¯

Edit: the ICMP is so I don't think my Internet is down if I ping 8.8.4.4. ‍

johnpoz · Aug 2, 2022, 10:01 PM

@steveits really? That blows.. Have you thought of cutting the sat connection? I have been directv for years and years and years. And i am so ready to get rid of it - but wife is hard to convince - she knows how to use it, and she loves being able to record 8 different things at the same time..

And this is the last year for sunday ticket on directv, so next year -- I might be able to just get rid of it? Fingers crossed..