Blocking DNS-over-HTTPS (DoH)

To the extent feasible, I’d like to be able to use a Pi-hole to block DNS over HTTPS (DoH), using approaches similar to those outlined here:

Why are you submitting this as a feature request? The GitHub site appears to have the information you need to set this up locally on your network.

2 Likes

To elaborate, the feature request would be for anti-DoH to be a high-level, UI-driven option within the Pi-hole itself - an easy, one-click enabling (that would be fully integrated into the Pi-hole, persist across upgrades, etc.).

I predict that adware and malware are likely to start using DoH to evade DNS blacklisting. I see countermeasures for that as part of the Pi-hole’s core value proposition.

[Edit: an example of malware using DoH]

Please also note that I understand that some types of use of DoH would not be “intercept-able” by the Pi-hole itself (as you noted here). But for the types that the Pi-hole can see, I think it’s worthwhile to make it easy to do so.
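The "types that the Pi-hole can see" are the plain-DNS lookups a client makes for the DoH resolver's hostname before it can open the HTTPS channel. Below is an added example (not code from the original post or from the Pi-hole project) of the hands-on version of this: a POSIX shell script that emits dnsmasq `address=/host/` directives, which return NXDOMAIN for the host and its subdomains, for a constructed sample of well-known DoH resolver hostnames, plus Firefox's `use-application-dns.net` canary domain (Firefox leaves DoH off in its default mode when that name returns NXDOMAIN). The hostname list, the output path `/etc/dnsmasq.d/99-block-doh.conf` and the helper names are the example's own assumptions.

```shell
#!/bin/sh
# Added example: block the name lookups DoH clients make for their resolver,
# so the client falls back to the network's DNS server (the Pi-hole).
# The host list below is a constructed sample, not a complete inventory.

DOH_HOSTS="dns.google
cloudflare-dns.com
mozilla.cloudflare-dns.com
dns.quad9.net
doh.opendns.com
use-application-dns.net"

# Print one dnsmasq directive per host. "address=/host/" with no IP makes
# dnsmasq (which Pi-hole FTL is built on) answer NXDOMAIN for the host and
# every name under it.
doh_blocklist_conf() {
    for host in $DOH_HOSTS; do
        printf 'address=/%s/\n' "$host"
    done
}

# Return 0 if a query name would be caught by the directives above
# (case-insensitive, trailing dot ignored, subdomains included), else 1.
is_doh_blocked() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    for host in $DOH_HOSTS; do
        case "$name" in
            "$host"|*."$host") return 0 ;;
        esac
    done
    return 1
}

# Write the directives to a dnsmasq.d drop-in (path is an assumption; Pi-hole
# reads /etc/dnsmasq.d/ by default). Caller restarts the resolver afterwards.
install_doh_blocklist() {
    target="${1:-/etc/dnsmasq.d/99-block-doh.conf}"
    doh_blocklist_conf > "$target"
}

# Usage: sh block-doh.sh install   (as root, on the Pi-hole host)
if [ "${1:-}" = "install" ]; then
    install_doh_blocklist
    pihole restartdns
fi
```

Caveat this does not solve: a client that already holds the resolver's IP address (hardcoded in the binary, cached, or obtained out of band) never asks the Pi-hole for the name and so is never blocked; the same goes for any DoH endpoint not on the list. That is the "not intercept-able" case from the post above, and closing it needs a firewall rule on the IPs or TLS-level controls, not DNS filtering. Also note that the Firefox canary only affects DoH in its default mode; a user who explicitly turned DoH on is unaffected.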

This feature is out of scope for Pi-hole.

1 Like

I respect the decision. Could you elaborate a little bit about why, to better inform future feature requests?

Pi-hole is focused on being a DNS server which can block DNS queries based on predefined filters. It is not meant to be a security product, although it may be used to block malicious domains with certain blocklists.

Pi-hole is also a project run by volunteers, and we do not have the manpower to extend Pi-hole’s scope further than it is currently.

1 Like

Read my feature request here, and my argument here (referring to this feature request, fully supporting options to add security features), to reconsider the IP blocking feature, and vote for it, to increase the chances of getting more options to protect your network.