DoH/DoT bypass Pi-hole

Hello everyone!

I am planning to use Pi-hole, but I have a doubt about whether it is possible for some devices to bypass Pi-hole using DNS over HTTPS/TLS. And what solutions can address this issue?

There are a few ways to bypass pi-hole. Refer to this post to block the majority of them: Do individual devices require configuration with Pihole+Unbound?

There is also a new Pi-hole setting, dns.specialDomains.designatedResolver, to prevent clients from upgrading to DoH via the upstream provider. Make sure this is set to true.

Edit: I just want to make clear that these bypasses are not a fault of Pi-hole.

On your pihole:

A blocklist to block the domains of known DoH/DoT providers (e.g. GitHub - hagezi/dns-blocklists: DNS-Blocklists: For a better internet - keep the internet clean!). But this won't stop everything. Anything using hardcoded IPs will go straight past this step.

Blocking rules on your firewall / modem /router / gateway / whatever to:

Prevent access to ports 53 and 853 except from your Pi-hole.
Block DoH/DoT hosts by IP address (a blocklist such as GitHub - dibdot/DoH-IP-blocklists: This repo contains the domain names and the resolved IPv4/IPv6 addresses of public DoH server)

For that you'd need to consult the directions for your device.
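The two gateway-side rules from the post above, written out as an nftables ruleset. This is an added example, not code from the thread or from the Pi-hole project; it assumes a Linux gateway running nftables, a Pi-hole at PIHOLE_IP on LAN interface LAN_IF (both placeholder values), and a DoH IP list in the one-address-per-line "IP # comment" shape, of which the three entries below are a constructed sample rather than the real dibdot list.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Pi-hole): generate an
# nftables ruleset that enforces, at the gateway,
#   1. only the Pi-hole may send plain DNS (53) or DoT (853) out of the LAN;
#      port-53 traffic from any other client is redirected to the Pi-hole and
#      port-853 traffic is dropped;
#   2. connections to the addresses of known public DoH servers are dropped
#      (they run on 443, so a port rule alone cannot single them out).
# PIHOLE_IP, LAN_IF and the list file path are assumptions for this example.
set -euo pipefail

PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"
LAN_IF="${LAN_IF:-br-lan}"

# Constructed sample in the "IP # comment" shape of a DoH IPv4 blocklist.
# These three resolvers do serve DoH, but this is NOT the real dibdot list.
SAMPLE_LIST="$(mktemp)"
cat >"$SAMPLE_LIST" <<'EOF'
# constructed sample, not the real list
1.1.1.1 # cloudflare-dns.com
8.8.8.8 # dns.google

9.9.9.9 # dns.quad9.net
EOF

# Convert a blocklist file into a comma-separated nft set element list.
# Accepts bare IPv4 addresses or CIDRs, optionally followed by "# comment";
# blank and comment-only lines are skipped.
doh_set_elements() {
    local file="$1"
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' -e '/^$/d' "$file" | paste -s -d ',' -
}

# Emit the complete ruleset to stdout. Apply with: gen_ruleset list.txt | nft -f -
gen_ruleset() {
    local elements
    elements="$(doh_set_elements "$1")"
    cat <<EOF
table inet dns_enforce {
    set doh_servers {
        type ipv4_addr
        flags interval
        elements = { ${elements} }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Plain DNS from every LAN client except the Pi-hole goes to the Pi-hole.
        iifname "${LAN_IF}" ip saddr != ${PIHOLE_IP} meta l4proto { tcp, udp } th dport 53 dnat ip to ${PIHOLE_IP}
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Only the Pi-hole may reach upstream resolvers directly on 53 or 853.
        iifname "${LAN_IF}" ip saddr ${PIHOLE_IP} meta l4proto { tcp, udp } th dport { 53, 853 } accept
        iifname "${LAN_IF}" meta l4proto { tcp, udp } th dport { 53, 853 } counter drop
        # Known DoH server addresses: drop regardless of port.
        iifname "${LAN_IF}" ip daddr @doh_servers counter drop
    }
}
EOF
}

# Stand-alone run: print the ruleset generated from the sample list.
gen_ruleset "$SAMPLE_LIST"
```

Two caveats a practitioner would check before relying on this: the rules above cover IPv4 only, so a dual-stack LAN needs the same rules for ip6 (and the dibdot IPv6 list in a `type ipv6_addr` set), otherwise a client can simply reach a resolver over IPv6; and the IP set only catches resolvers that are on the list, so a client with a hardcoded address for an unlisted DoH endpoint, or one sharing a CDN address with ordinary websites, is either missed or causes collateral blocking of that shared address.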