Hello everyone!
I am planning to use Pi-hole, but I have a doubt whether it is possible for some devices to bypass Pi-hole via DNS over HTTPS/TLS. And what are the solutions that can solve this issue?
There are a few ways to bypass pi-hole. Refer to this post to block the majority of them: Do individual devices require configuration with Pihole+Unbound?
There has also been a new pi-hole setting: dns.specialDomains.designatedResolver
to prevent clients from upgrading to DoH via the upstream provider. Make sure this is set to true.
Edit: I just want to make clear that these bypasses are not a fault of pi-hole
On your pihole:
Blocking list to prevent domains of known DoH/DoT providers (e.g. GitHub - hagezi/dns-blocklists: DNS-Blocklists: For a better internet - keep the internet clean!). But this won't stop everything. Anything using hardcoded IPs will go straight past this step.
Blocking rules on your firewall / modem / router / gateway / whatever to:
Prevent access to ports 53 and 853 except from your Pi-hole.
Block DoH/DoT hosts by ip address (blocklist such as GitHub - dibdot/DoH-IP-blocklists: This repo contains the domain names and the resolved IPv4/IPv6 addresses of public DoH server)
For that you'd need to consult the directions for your device.
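As an added example (not from the thread or the Pi-hole project), here is a POSIX shell script that turns the two router-side rules above into an nftables ruleset: only the Pi-hole may reach ports 53/853, and traffic to known DoH/DoT resolver addresses is dropped. The LAN interface name, the Pi-hole address and the DoH address list are assumptions; the list is a constructed sample standing in for a real blocklist file such as the dibdot one.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an nftables ruleset that:
#   1. lets only the Pi-hole talk to ports 53 (DNS) and 853 (DoT) beyond the LAN
#   2. drops traffic to known DoH/DoT resolver IPs (hard-coded endpoints on 443
#      cannot be stopped by port, so they are blocked by address)
# Assumed values: LAN interface name and Pi-hole address (override via env).
LAN_IF="${LAN_IF:-br-lan}"
PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"

# Constructed sample of a DoH IP blocklist (one IPv4 per line, '#' comments).
# A real list has thousands of entries; these are documentation-range addresses.
sample_doh_list() {
    printf '%s\n' \
        '# constructed sample, not a real provider list' \
        '192.0.2.10' \
        '198.51.100.7' \
        '203.0.113.99'
}

# Turn a blocklist on stdin into a comma-separated nft set body,
# skipping comment and blank lines.
doh_set_elements() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | paste -sd, -
}

# Emit a complete ruleset suitable for `nft -f -`.
gen_dns_rules() {
    elements=$(sample_doh_list | doh_set_elements)
    cat <<EOF
table inet dns_guard {
    set doh_ips {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # The Pi-hole itself must still reach its upstream (or Unbound) on 53/853.
        iifname "$LAN_IF" ip saddr $PIHOLE_IP accept
        # Every other LAN client is refused direct DNS and DoT.
        iifname "$LAN_IF" meta l4proto { tcp, udp } th dport { 53, 853 } counter reject
        # Known DoH/DoT endpoints are blocked by address regardless of port.
        iifname "$LAN_IF" ip daddr @doh_ips counter drop
    }
}
EOF
}

# On the router: gen_dns_rules | nft -f -
```

Pi-hole's own query log will not show these attempts, so the `counter` keywords are the place to look when checking whether a client is still trying to go around it.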