This is NOT a pro / con DoH topic, everybody should choose whatever upstream resolver(s) he / she prefers.
Personally, I am still using the unbound solution, because nobody will be able to see the full picture of what it is you’re doing.
There are a number of sources available (see below) listing some DoH servers. Unfortunately, most of them are incomplete or not maintained. To overcome this, I have consolidated all the lists I could find and processed them into IPv4 and IPv6 lists. The lists are updated daily.
These lists cannot be used with pihole; I intentionally did NOT add the consolidated hosts list to the repository, to avoid users adding it as a block list. The goal is to use your firewall to protect your network from devices that try to use DoH and thereby bypass pihole.
The method I’m currently using is firewall rules, using the IP lists, blocking only port 443 (https). The list contains the addresses of several popular resolvers, such as opendns, … You should NOT use the lists to block all ports, as it may cause problems for pihole.
This method will NOT be possible on all firewalls; consult your firewall documentation to verify whether it can be used.
You need to create a URL table alias (pfSense terminology) and firewall rules, using the aliases, to block port 443. Again, don’t block all ports… I’m sure this method will be available on other firewall brands.
Users NOT using DoH shouldn’t worry about the IPs for opendns, … that are also in the lists; remember we only block port 443, regular DNS requests use port 53, so there is no impact.
Users using the cloudflared solution will need to process the list(s) locally, e.g. download the list (on their Pi) using wget or curl, and remove (with sed) the cloudflare entries they need for the cloudflared solution to work.
These are the lists I’ve been using to generate the IP list(s); if you know of another source, please report it as an issue on the GitHub repository:
- https://raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt
- https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall.txt
- https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
- https://raw.githubusercontent.com/vysecurity/DoH-Servers/master/README.md
- https://raw.githubusercontent.com/tjay/DoH-List/master/hosts
- https://raw.githubusercontent.com/flo-wer/doh-list/master/domains.txt
- https://raw.githubusercontent.com/wiki/curl/curl/DNS-over-HTTPS.md
- https://download.dnscrypt.info/dnscrypt-resolvers/json/public-resolvers.json (proto DoH only)
- https://dtm.uk/dns-over-https-doh-servers
- https://heuristicsecurity.com/dohservers.txt
Tools used to compile the lists
- ipcalc (verify if result is valid IPv4 address)
- ipv6calc (verify if result is valid IPv6 address)
- jq (extract JSON data)
- xidel (extract HTML data)
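As an added example (not part of the original post or its repository), a small POSIX shell script showing the local processing described above: it splits a consolidated list into IPv4 and IPv6 entries and strips the Cloudflare addresses a cloudflared user must keep reachable. The sample input is constructed, the validation uses grep patterns instead of ipcalc/ipv6calc, and the set of Cloudflare addresses removed is an assumption (only the public 1.1.1.1 / 1.0.0.1 resolvers and their IPv6 counterparts).

```shell
#!/bin/sh
# Constructed sample: a mix of hosts-file lines, bare IPs, comments and junk,
# roughly what a consolidated download of the sources above can look like.
SAMPLE_LIST='# constructed doh-hosts sample
1.1.1.1 cloudflare-dns.com
1.0.0.1 cloudflare-dns.com
208.67.222.222 doh.opendns.com
2606:4700:4700::1111 cloudflare-dns.com
2620:119:35::35 doh.opendns.com
9.9.9.9
999.1.1.1 invalid.example
not-an-ip
2001:db8::/32 range-not-wanted
'

# First field of every non-comment, non-empty line (hosts format or bare IP).
first_field() {
  awk '/^#/ || NF == 0 {next} {print $1}'
}

# Keep only syntactically valid dotted-quad IPv4 addresses, deduplicated.
# (The post uses ipcalc for this step; a grep pattern replaces it here.)
extract_ipv4() {
  first_field |
  grep -E '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$' |
  LC_ALL=C sort -u
}

# Keep only plausible IPv6 addresses (hex and colons, no prefix length),
# either compressed with "::" or written as eight full groups, deduplicated.
extract_ipv6() {
  first_field |
  grep -E '^[0-9a-fA-F:]+$' |
  grep -E '::|^[0-9a-fA-F]{1,4}(:[0-9a-fA-F]{1,4}){7}$' |
  LC_ALL=C sort -u
}

# For cloudflared users: drop the Cloudflare resolver addresses from the
# block list so the local DoH client can still reach them (assumed set).
strip_cloudflare() {
  sed -e '/^1\.1\.1\.1$/d' -e '/^1\.0\.0\.1$/d' \
      -e '/^2606:4700:4700::1111$/d' -e '/^2606:4700:4700::1001$/d'
}

# Usage (after replacing SAMPLE_LIST with a real download):
#   printf '%s' "$SAMPLE_LIST" | extract_ipv4 | strip_cloudflare > doh-ipv4.txt
#   printf '%s' "$SAMPLE_LIST" | extract_ipv6 | strip_cloudflare > doh-ipv6.txt
```

The resulting files are what a firewall URL table alias would load; port 443 rules built on them leave port 53 traffic to the same addresses untouched, as the post describes.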
This solution has been active in my environment for a few weeks now, without causing any problems.