DoH/DoT bypass Pi-hole

Hello everyone!

I am planning to use Pi-hole, but I wonder whether some devices can bypass Pi-hole by using DNS over HTTPS/TLS. And what solutions can solve this issue?

There are a few ways to bypass Pi-hole. Refer to this post to block the majority of them: Do individual devices require configuration with Pihole+Unbound?

There is also a new Pi-hole setting, dns.specialDomains.designatedResolver, to prevent clients from upgrading to DoH via the upstream provider. Make sure this is set to true.

Edit: I just want to make clear that these bypasses are not a fault of Pi-hole.

1 Like

On your pihole:

A blocklist to block the domains of known DoH/DoT providers (e.g. GitHub - hagezi/dns-blocklists: DNS-Blocklists: For a better internet - keep the internet clean!). But this won't stop everything. Anything using hardcoded IPs will go straight past this step.

Blocking rules on your firewall / modem / router / gateway / whatever to:

Prevent access to ports 53 and 853 except from your Pi-hole.
Block DoH/DoT hosts by IP address (a blocklist such as GitHub - dibdot/DoH-IP-blocklists: This repo contains the domain names and the resolved IPv4/IPv6 addresses of public DoH servers)

For that you'd need to consult the directions for your device.

1 Like

Thanks for the reply!

In case some users want to use DoH, are there solutions / software that can be combined with Pi-hole to achieve this while maintaining its functionality?

Thanks for the reply!

Just want to make sure: if there are hardcoded IP addresses, I have to block them using a firewall?

You could set up a DoH proxy pointing to your Pi-hole, such as https://github.com/DNSCrypt/doh-server.

There is no particular benefit to operating a DoH server on your own network. Also, most devices won't accept self-signed certificates for their DoH, so you'll also need certificates for it (eg from letsencrypt). You then need to announce it to network clients, and there are varying ways to do this which many devices don't respect and will still be looking for the server that they want anyway.

It's a fair bit of effort for no real benefit.

Unfortunately so.

2 Likes

Which firewall is recommended to block the hardcoded IPs?
And where should I implement it? With the device that includes the Pi-hole? Or at the router level?

The one that you already have, most likely the firewall on your router.

Note that when robgill suggested "blocking rules on your firewall / modem /router / gateway / whatever", he was referring to devices. 'Firewall' in that context would mean a dedicated firewall device that acts as a gateway for all your network's traffic.

No, as your Pi-hole device's firewall software would only affect traffic originating from or destined to that very device.

You need to block IPs at the router / gateway level.

2 Likes
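To make the two pieces of advice above concrete (robgill's "prevent access to ports 53 and 853 except from your Pi-hole" plus "block DoH/DoT hosts by IP address", enforced at the router/gateway as Bucking_Horn says), here is an added example script, not from the thread or the Pi-hole project, that turns an address list into an nftables ruleset for a Linux router. The Pi-hole address 192.168.1.2 and the IPv4 list are constructed placeholders; a real deployment would feed it the downloaded dibdot list and pipe the output into `nft -f -`.

```shell
#!/bin/sh
# Generate an nftables ruleset that forces LAN DNS through Pi-hole:
# every host except the Pi-hole is refused plain DNS (53) and DoT (853)
# towards the internet, and HTTPS to known DoH resolver addresses is
# refused as well, since a hostname block in Pi-hole cannot catch clients
# that ship those addresses hardcoded. IPv4 only, to keep it short.

PIHOLE_IP="192.168.1.2"   # assumption: the Pi-hole host on the LAN

# Constructed sample in the shape of a one-address-per-line blocklist;
# a real list (e.g. dibdot/DoH-IP-blocklists) would be downloaded instead.
DOH_IPV4_LIST='# constructed sample, not a real feed
203.0.113.10 # example-doh-a
203.0.113.11 # example-doh-b
198.51.100.0/24
'

# Strip comments and blank lines, emit "a, b, c" as nft set elements.
doh_elements() {
    printf '%s\n' "$1" | awk '{ sub(/#.*/, ""); gsub(/[[:space:]]/, "");
        if ($0 != "") a[n++] = $0 }
        END { for (i = 0; i < n; i++) printf "%s%s", (i ? ", " : ""), a[i] }'
}

# Print the ruleset for a given Pi-hole address and DoH address list.
build_ruleset() {
    pihole="$1"
    elements=$(doh_elements "$2")
    cat <<EOF
table inet dns_enforce {
    set doh_v4 {
        type ipv4_addr
        flags interval
        elements = { ${elements} }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # The Pi-hole host may talk to its upstream resolvers
        ip saddr ${pihole} accept
        # Everyone else: no direct plain DNS or DoT to the internet
        meta l4proto { tcp, udp } th dport { 53, 853 } counter reject
        # No HTTPS to known DoH resolver addresses; reject (not drop) so
        # clients fail fast and fall back to the DNS server they were given
        ip daddr @doh_v4 tcp dport 443 counter reject with tcp reset
    }
}
EOF
}

build_ruleset "$PIHOLE_IP" "$DOH_IPV4_LIST"
```

Client-to-Pi-hole queries on the same LAN never traverse the router's forward chain, so only Pi-hole's own upstream traffic needs the explicit accept.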