DoH (DNS over HTTPS) IP block list(s)

This is NOT a pro / con DoH topic, everybody should choose whatever upstream resolver(s) he / she prefers.

Personally, I'm still using the unbound solution, because nobody will be able to see the full picture of what it is you're doing.

There are a number of sources (see below) available, listing some DoH servers. Unfortunately, most of them are incomplete or not maintained. To overcome this, I have consolidated all the lists I could find, and processed these lists into IPv4 and IPv6 lists. The lists are updated daily.

These lists cannot be used with pihole, I intentionally did NOT add the consolidated hosts list to the repository, to avoid users adding this as a block list. The goal is to protect your network from devices, trying to use DoH, thus bypassing pihole, using your firewall.

The method I'm currently using is firewall rules, using the IP lists, blocking only port 443 (https). The list contains the addresses of several popular resolvers, such as google, opendns, … You should NOT use the lists to block all ports, as it may possibly cause problems for pihole.

This method will NOT be possible on all firewalls, consult your firewall documentation to verify if this can be used.

You need to create a URL table alias (pfsense terminology) and firewall rules, using the aliases, to block port 443. Again, don't block all ports… I'm sure this method will be available on other firewall brands.

Users NOT using DoH shouldn't worry about the IPs for google, opendns, … that are also in the lists; remember we only block port 443, regular DNS requests use port 53, there is no impact.

Users using the cloudflared solution will need to process the list(s) locally, e.g. download the list (on their pi), using wget or curl, and remove (sed) the cloudflare entries they need for the cloudflared solution to work.

The lists I've been using to generate the IP list(s) are below; if you know of another source, please report this as an issue on the github repository:

https://raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt
https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall.txt
https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
https://raw.githubusercontent.com/vysecurity/DoH-Servers/master/README.md
https://raw.githubusercontent.com/tjay/DoH-List/master/hosts
https://raw.githubusercontent.com/flo-wer/doh-list/master/domains.txt
https://raw.githubusercontent.com/wiki/curl/curl/DNS-over-HTTPS.md
https://download.dnscrypt.info/dnscrypt-resolvers/json/public-resolvers.json (proto DoH only)
https://dtm.uk/dns-over-https-doh-servers
https://heuristicsecurity.com/dohservers.txt

Tools used to compile the lists

  • ipcalc (verify if result is valid IPv4 address)
  • ipv6calc (verify if result is valid IPv6 address)
  • jq (extract JSON data)
  • xidel (extract HTML data)

This solution has been active in my environment for a few weeks now, without causing any problems.


Thanks for this, was easy to set up on my OPNsense firewall being a fork of pfSense in case anyone was wondering.

Two additional files have been made available in the repository, DOHexceptionsIPv4.txt and DOHexceptionsIPv6.txt.
Apparently some DoH providers also serve content on the same IP, making it impossible for you to access certain pages, read here.

The idea here is to create exception (allow) rules for specific devices, e.g. the devices you use for browsing, all other devices will still be blocked.

I've tried to summarize the setup (for pfsense) in a document, haven't received feedback yet (but it's working for me).
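The two processing steps described in this thread, removing the cloudflare entries a local cloudflared still needs (first post) and allowing only specific browsing devices to reach the DoH providers that also serve web content (the DOHexceptions files above), can be put together in one script. The following is an added example, not code from the original posts or from the repository: it validates the IPv4 entries in pure shell instead of ipcalc, filters the list, and renders an nftables ruleset that matches TCP/443 only, so port 53 DNS to the same addresses is untouched. The list contents, the exception addresses and the browsing device 192.168.1.10 are all constructed sample data; the table, set and chain names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original posts: filter a consolidated DoH IP
# list, drop the entries a local cloudflared needs, and render an nftables
# ruleset that blocks only TCP/443 to the remaining addresses, with a per-device
# allow rule for DoH providers that also serve web content.
# All list contents and addresses below are constructed sample data.

# Constructed stand-in for the downloaded consolidated IPv4 list.
SAMPLE_LIST='# consolidated DoH hosts (constructed sample)
8.8.8.8
8.8.4.4
1.1.1.1
1.0.0.1
999.1.1.1
not-an-ip
208.67.222.222
2606:4700:4700::1111'

# Constructed: addresses a local cloudflared still has to reach (removed from the block set).
KEEP_FOR_CLOUDFLARED='1.1.1.1
1.0.0.1'

# Constructed stand-in for DOHexceptionsIPv4.txt: DoH IPs that also serve web content.
CONTENT_EXCEPTIONS='8.8.8.8'

# Constructed: the LAN device that may still reach the exception IPs on 443.
BROWSING_DEVICE='192.168.1.10'

# Return 0 when $1 is a dotted-quad IPv4 address with octets 0-255
# (a pure-shell stand-in for the ipcalc validation step in the post).
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the valid IPv4 entries of list $1 that are not present in list $2;
# comments, blanks, malformed lines and IPv6 entries are dropped.
filter_ipv4() {
  printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' |
  while IFS= read -r ip; do
    is_ipv4 "$ip" || continue
    printf '%s\n' "$2" | grep -qx -- "$ip" && continue
    printf '%s\n' "$ip"
  done
}

# Join stdin lines into the "a, b, c" form nft expects inside a set literal.
as_nft_elements() {
  tr '\n' ',' | sed -e 's/,$//' -e 's/,/, /g'
}

# Render the nftables ruleset as text (apply with: nft -f ruleset.nft).
# Only TCP/443 is matched, so plain DNS on port 53 to the same IPs is unaffected.
nft_ruleset() {
  block=$(filter_ipv4 "$SAMPLE_LIST" "$KEEP_FOR_CLOUDFLARED" | as_nft_elements)
  allow=$(filter_ipv4 "$CONTENT_EXCEPTIONS" "" | as_nft_elements)
  cat <<EOF
table inet doh_block {
  set doh_v4 {
    type ipv4_addr
    elements = { $block }
  }
  set doh_content_v4 {
    type ipv4_addr
    elements = { $allow }
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    # the browsing device may still reach providers that also host web content
    ip saddr $BROWSING_DEVICE ip daddr @doh_content_v4 tcp dport 443 accept
    # every other device: TCP/443 to the listed resolvers is dropped, nothing else
    ip daddr @doh_v4 tcp dport 443 drop
  }
}
EOF
}

nft_ruleset
```

Replace `SAMPLE_LIST` with the output of `curl`/`wget` against the repository's IPv4 file and `CONTENT_EXCEPTIONS` with DOHexceptionsIPv4.txt to use it for real; the accept rule must stay above the drop rule, since nft evaluates the chain top to bottom.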