Blocking DNS-over-HTTPS (DoH)

I know there have been some posts about this topic, but I'd like to understand this whole thing a bit better.

So, as far as I understand, Pi-hole has implemented use-application-dns.net to signal, at least to Firefox, that DoH is not supported on the network.

But I wonder how, in general, DoH works. All write-ups I have read so far that explain how DoH works start at the DNS request level to a DoH server. From what I understand, and correct me if I'm wrong here, at least one unencrypted DNS request to a regular DNS server has to be made to actually resolve the IP address of the DoH server. Is that correct?

So, by blocking the DNS of a DoH server, e.g., mozilla.cloudflare-dns.com, one could block DoH. I know there are blocklists out there that block some of them, e.g., this one, but not all, and there might be some DoH servers that are not listed because they are private/not publicly known.

But that leaves the question: can it be that easy to block DoH? Just by blocking the DNS address? That would be too simple, wouldn't it? Do DoH clients come with IP lists of DoH servers to make sure that they can at least connect to them if DNS is blocked? Would this mean that to effectively block DoH, one also has to block access to these IP addresses?

I know that it is impossible to know all DoH servers, but would this be the way to go to filter out at least some of them, meaning blocking the DoH server's DNS address and IP address?

Best

Toni

I've been consolidating DoH lists for several years now; the list you are referring to only extracts some domains from this list (as indicated in the README.md of the author). There are many more valuable sources; the ones I use are mentioned in my manual (Block DNS over HTTPS (DoH), using pfsense).

The list you are referring to says, quote, "These DoT resolvers are at a base url, so blocking these providers may block regular web access to these services", unquote, which is wrong: DoT works on port 853, and the best way to block DoT is simply to block that port.

DoH (and oDoH, which stands for oblivious DNS over HTTPS) works over port 443. Blocking this port will simply block access to the internet.

In order to block DoH, a list of IP addresses where the DoH servers are hosted is required. Add a firewall rule that blocks port 443 for these addresses. You need to block the IP addresses, since there are devices that have hardcoded DoH clients (my NVIDIA Shield Pro tries to bypass regular DNS by using hardcoded DoH (8.8.8.8 and 8.8.4.4)).

When using the IP lists (see manual), some websites don't work anymore, so you need to make an exception for the IP addresses associated with that website.

Example: this website (discourse.pi-hole.net) is hosted on the same address as some DoH servers. When opening discourse.pi-hole.net, DNS requests for b2discourse.pi-hole.net and discourse-cdn.pi-hole.net are submitted; the reply is 84.17.46.53. Unfortunately, this is also the address for doh1.b-cdn.net, doh1.blahdns.com, doh2.b-cdn.net and doh2.blahdns.com. In order for the website (discourse.pi-hole.net) to work, you can't block the above IP; an exception is required.

When defining an exception, the DoH servers on that IP address will also work; the only way to ensure they are blocked (try; success is not guaranteed if the IP is hardcoded) is by using a DNS blocklist. The Adblock Plus style list supported by Pi-hole can be found here. As an alternative, you can use the RPZ file, used with unbound (unbound RPZ manual here).

Warning: the IP lists provided in the repository are regional; there are DoH services that have a different IP address in a different region (see issue). You can build your own lists using the sqlite3 database (also available in the repository).

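The two-layer approach described in the reply above (block port 443 to the DoH server IPs at the firewall, except IPs shared with a site you still need, then fall back to DNS-level blocking of the DoH hostnames), written out as an added example. This is not code from the thread, from Pi-hole, or from the jpgpi250 repository. The hostname-to-IP mapping is constructed sample data: the 84.17.46.53 overlap between discourse.pi-hole.net and the blahdns/b-cdn DoH names is the case reported in the thread, while example-doh.invalid and the 203.0.113.0/24 addresses are made up. The firewall output assumes an iptables router; on pfSense the same IP list would be loaded as a URL-table alias and referenced by one block rule on port 443.

```python
"""Added example (not from the original thread): derive the two blocking layers
the reply describes from a constructed hostname -> IP mapping.

Layer 1 (firewall): block TCP/443 to every DoH server IP, but except any IP
that a site we still need shares with a DoH server (the discourse.pi-hole.net
/ 84.17.46.53 case from the thread).
Layer 2 (DNS): block every DoH hostname in Pi-hole (Adblock Plus style) and
unbound (RPZ). This is what still covers the DoH names on excepted IPs, as
long as the client actually resolves the name instead of using a hardcoded IP.
"""
from ipaddress import ip_address

# Constructed sample data. The 84.17.46.53 overlap is the one the thread
# reports; example-doh.invalid and the 203.0.113.0/24 addresses are made up.
DOH_HOSTS = {
    "doh1.blahdns.com": {"84.17.46.53"},
    "doh2.blahdns.com": {"84.17.46.53"},
    "doh1.b-cdn.net": {"84.17.46.53"},
    "doh2.b-cdn.net": {"84.17.46.53"},
    "example-doh.invalid": {"203.0.113.10", "203.0.113.11"},
}
# Sites that must keep working, and the addresses they resolve to.
KEEP_HOSTS = {
    "discourse.pi-hole.net": {"84.17.46.53"},
    "discourse-cdn.pi-hole.net": {"84.17.46.53"},
}


def split_ips(doh_hosts, keep_hosts):
    """Return (ips_to_block, excepted_ips, doh_names_still_reachable_by_ip).

    An IP is excepted when a site we keep resolves to it; every DoH hostname
    that lives on an excepted IP is reported so layer 2 can cover it.
    """
    doh_ips = set().union(*doh_hosts.values())
    keep_ips = set().union(*keep_hosts.values())
    excepted = doh_ips & keep_ips
    block = doh_ips - excepted
    leaky = sorted(h for h, ips in doh_hosts.items() if ips & excepted)
    return (sorted(block, key=ip_address), sorted(excepted, key=ip_address), leaky)


def firewall_rules(block_ips, chain="FORWARD"):
    """iptables rules for a Linux router (assumption: iptables is in use).
    DoH is HTTPS, so only port 443 to these addresses is rejected, never the
    port globally. Add a matching UDP/443 rule if clients may use HTTP/3."""
    return [
        f"iptables -A {chain} -p tcp -d {ip} --dport 443 -j REJECT"
        for ip in block_ips
    ]


def adblock_list(doh_hosts):
    """Adblock Plus style entries as consumed by Pi-hole: ||host^"""
    return [f"||{h}^" for h in sorted(doh_hosts)]


def rpz_zone(doh_hosts, origin="doh.rpz"):
    """Minimal RPZ zone for unbound: 'CNAME .' returns NXDOMAIN for the name
    and (via the wildcard) everything under it."""
    lines = [
        f"$ORIGIN {origin}.",
        "@ 3600 IN SOA localhost. root.localhost. 1 3600 900 604800 300",
        "@ 3600 IN NS localhost.",
    ]
    for h in sorted(doh_hosts):
        lines.append(f"{h} CNAME .")
        lines.append(f"*.{h} CNAME .")
    return lines


if __name__ == "__main__":
    block, excepted, leaky = split_ips(DOH_HOSTS, KEEP_HOSTS)
    print("# layer 1: firewall")
    print("\n".join(firewall_rules(block)))
    print(f"# excepted (shared with a site we keep): {excepted}")
    print(f"# DoH names still reachable by IP, need layer 2: {leaky}")
    print("# layer 2: pi-hole list")
    print("\n".join(adblock_list(DOH_HOSTS)))
    print("# layer 2: unbound rpz zone")
    print("\n".join(rpz_zone(DOH_HOSTS)))
```

Running it prints two reject rules for the made-up 203.0.113.x addresses, reports 84.17.46.53 as excepted with all four blahdns/b-cdn names still reachable by IP, and emits the Pi-hole and RPZ entries that cover those names at the DNS layer. The script shows the limit the reply points out: a device with a hardcoded DoH IP on an excepted address is not stopped by either layer, so exceptions should be as narrow as the sites you actually need.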

Thanks @jpgpi250 for your detailed explanation.
