Blocking DNS over HTTPS with Pi Hole

I put this in Off Topic as it's more of just a question. Given that DoH will query a server for DNS details via HTTPS does that mean the original DNS request for that server would go via the usual DNS route?

So if I am using dns.google.com/experimental as my DoH server, I would only see DNS requests for dns.google.com in Pi Hole from then on. If so, would blocking dns.google.com at the Pi Hole level block access to this DoH server?

I am wondering how to get around this DoH issue, whereby applications or devices will be free to query their own DNS server of choice and not that of the OS or network. My options are either to block those servers on Pi Hole or to drop packets destined for the IP addresses at the router. Either way, I do not want to go back to a time where I have minimal control over the data leaving my network.

I share your reservations with regard to DoH (and strongly so), while at the same time I understand the motivations for better privacy of DNS requests. However, I've got the feeling that moving DNS lookups from the network towards client application control by default is hurting security more than it benefits privacy.

You are probably aware that blocking of regular DNS lookups to known DoH servers is already discussed as a feature request, Blocking DNS-over-HTTPS (DoH) - #13 by Bucking_Horn, but is currently assessed as out of scope.
Take a look, some of the posts there might already contain some of the answers you seek :wink:


I ended up creating a blocklist myself from the fairly decent list of DoH servers referenced on the curl GitHub page.

I did it as a one off for now, but will write a script that will just curl the page and pull out the servers periodically in case of changes. I have this hosted on a server of my own and added to my blocklists. For now this will do, and I will just hope that any nefarious DoH resolvers will show up on one of the malicious domain blocklists as they are found.
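As an added example that is not code from the thread or from the Pi-hole project: a POSIX shell script that does what the last post describes, pulling the DoH resolver hostnames out of the curl wiki page into a plain domain-per-line list for Pi-hole, with IP-only endpoints separated out for a router drop rule (the other option the opening post considers). The raw-markdown URL, the table layout of the wiki page and the exclusion list are assumptions; the sample rows at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a Pi-hole blocklist of DoH resolver
# hostnames from the curl wiki page. Assumptions: the wiki lists servers in a
# markdown table whose rows start with '|', and the raw markdown is served at the
# URL below (assumed GitHub wiki raw-markdown pattern).
WIKI_RAW_URL='https://raw.githubusercontent.com/wiki/curl/curl/DNS-over-HTTPS.md'

# Hosts linked from table rows that are not resolvers themselves (assumed list; extend as needed).
EXCLUDE_RE='^(github\.com|www\.github\.com)$'

# stdin: wiki markdown. stdout: one DoH hostname per line, lower-case, sorted, unique.
# Only table rows are scanned, so links in the surrounding prose are not picked up,
# and bare IPv4 literals are dropped because Pi-hole matches names, not addresses.
extract_doh_hosts() {
    grep '^|' \
      | grep -oE 'https://[A-Za-z0-9._-]+' \
      | sed 's#^https://##' \
      | tr '[:upper:]' '[:lower:]' \
      | grep -vE '^[0-9]+(\.[0-9]+){3}$' \
      | grep -vE "$EXCLUDE_RE" \
      | LC_ALL=C sort -u
}

# stdin: wiki markdown. stdout: IPv4 literals used as DoH endpoints, for a
# router/firewall drop rule rather than the Pi-hole list.
extract_doh_ips() {
    grep '^|' \
      | grep -oE 'https://[0-9]+(\.[0-9]+){3}' \
      | sed 's#^https://##' \
      | LC_ALL=C sort -u
}

# Fetch the page and write a plain domain list that Pi-hole can ingest as an adlist.
# Usage: build_blocklist /var/www/html/doh-blocklist.txt
build_blocklist() {
    curl -fsSL "$WIKI_RAW_URL" | extract_doh_hosts > "$1"
}

# Constructed sample in the assumed table layout, for an offline check.
SAMPLE_MD='See https://docs.example.org/doh for background.
| Who runs it | Base URL | Comment |
| --- | --- | --- |
| Google | https://dns.google.com/experimental | legacy path |
| Example | https://Resolver.example.org/dns-query | mixed case |
| Port | https://doh.example.net:8443/dns-query | custom port |
| Addr | https://192.0.2.1/dns-query | IP literal |'

printf '%s\n' "$SAMPLE_MD" | extract_doh_hosts
```

Host the output file where Pi-hole can fetch it, add its URL under Adlists, and run `pihole -g`; re-running `build_blocklist` from cron keeps the list current, and the prose link in the sample shows why only table rows are scanned.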