DOH, DOT/DNS, umbrella, and opendns.com

Question: Does all of this seem correct and reasonable?

Details: I use opendns (umbrella) as my external DNS. I see a large volume of requests from local devices for doh.umbrella.com, doh.opendns.com, dns.umbrella.com, and dns.opendns.com

I take it that these are attempts to bypass pihole through DOH or getting the external DNS for further DNS queries. Please correct me if I am wrong.

In an attempt to block that, I have blocked requests for all DOH subdomains. Everything in the house appears to continue working properly over the last few days. Practically all of the requests were from the numerous Apple devices in the house.

In an attempt to further lock down DNS bypassing, I have created two local DNS entries for DOT dns.umbrella.com and dns.opendns.com to point to my Pihole.
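One way to see which LAN clients are looking up DoH/DoT resolver hostnames, as an added example that is not part of the original post: it scans Pi-hole/dnsmasq query-log lines for the hostnames named above. The log lines are constructed for the example; the two extra hostnames in the watchlist are assumptions.

```python
"""Flag clients whose queries name a DoH/DoT resolver endpoint.

dnsmasq (Pi-hole's resolver) logs queries as
  "<date> dnsmasq[<pid>]: query[<TYPE>] <name> from <client>".
The sample lines below are constructed, not taken from a real log."""
import re
from collections import defaultdict

# Hostnames from the thread plus two well-known public endpoints (assumed).
DOH_DOT_HOSTS = {
    "doh.umbrella.com", "doh.opendns.com",
    "dns.umbrella.com", "dns.opendns.com",
    "cloudflare-dns.com", "dns.google",
}

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")


def in_watchlist(name):
    """True if name is a watched host or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in DOH_DOT_HOSTS)


def scan(lines):
    """Return {client_ip: {hostname: count}} for watched lookups only."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:            # replies, cache lines, etc. are ignored
            continue
        _qtype, name, client = m.groups()
        if in_watchlist(name):
            hits[client][name.lower().rstrip(".")] += 1
    return {c: dict(h) for c, h in hits.items()}


# Constructed sample: one client probing a DoH endpoint, one a DoT endpoint.
SAMPLE_LOG = """\
Mar  3 08:00:01 dnsmasq[812]: query[A] doh.opendns.com from 192.168.1.23
Mar  3 08:00:01 dnsmasq[812]: query[HTTPS] doh.opendns.com from 192.168.1.23
Mar  3 08:00:02 dnsmasq[812]: query[A] example.com from 192.168.1.23
Mar  3 08:00:05 dnsmasq[812]: query[A] dns.umbrella.com from 192.168.1.40
Mar  3 08:00:06 dnsmasq[812]: reply example.com is 93.184.216.34
""".splitlines()

if __name__ == "__main__":
    for client, hosts in scan(SAMPLE_LOG).items():
        print(client, hosts)
```

Run it against `/var/log/pihole/pihole.log` (or `pihole -t` output) instead of the sample to get a per-device tally.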

It's possible that they are attempting to bypass, but Apple devices are not generally known to do a runaround of your DNS settings (unless they have been specifically configured that way).

If Apple's Private Relay service is enabled, that would explain the queries to Cloudflare. Also, if the Cisco Security Connector app is installed, that would explain these queries.

Blocking the DoH domains will stop polite devices from bypassing your local DNS. There are maintained lists of DoH servers that you can use to help with this. (GitHub - dibdot/DoH-IP-blocklists: This repo contains the domain names and the resolved IPv4/IPv6 addresses of public DoH servers)

But often a device that is really trying to go around your DNS will have a hardcoded IP (often Google's 8.8.8.8 or Cloudflare's 1.1.1.1) that it will use directly. The link above also has the IPs of these servers, which you can't block with Pi-hole, but you may be able to block them at the level of your router.

1 Like

I added the doh-domains_overall.txt list to pihole and saw an immediate and very noticeable decrease in initial lag when attempting to visit websites. Night and day! Don't know whether it broke an inadvertent loop in my network, but it suddenly made a positive difference. Will monitor device functionality to ensure there aren't any ill effects. Thank you!

As for blocking at the router level, I have a TP-Link ER605 and cannot find a convenient way to block all of the IPs in the IPv4 list from the above GitHub project. I can probably manually enter a dozen or so common DNS servers. After that, it will become tedious. Is there another device you might recommend that I can put in between the router and my LAN that could easily use the IPv4 list as a blocklist?

You could run a firewall with something like OPNsense or pfSense, but it is definitely overkill for what you want. You would need hardware essentially duplicating the capabilities of your router (and then some).

If you're limited to a handful of manual entries, blocking the main addresses of Google, Cloudflare and Quad9 will cover the most common cases.

IPv4

1.1.1.1 # cloudflare
1.0.0.1 # cloudflare
8.8.8.8 # google
8.8.4.4 # google
9.9.9.9 # quad9
149.112.112.112 # quad9

IPv6

2606:4700:4700::1111 # cloudflare
2606:4700:4700::1001 # cloudflare
2001:4860:4860:0:0:0:0:8888 # google
2001:4860:4860:0:0:0:0:8844 # google
2620:fe::fe # quad9
2620:fe::9 # quad9

Just beware that some devices have their DNS hardcoded with no adjustment possible and may not work correctly without this connectivity.

1 Like

Blocking those IPs altogether would also block regular DNS/Do53 traffic.
Thus, you should be aware that you cannot use those blocked IPs as Pi-hole's upstream DNS server.

2 Likes

Thank you for the reminder. I'm OK with that since my upstream DNS is OpenDNS in Pi-hole. I am also attempting to block port 53 from all LAN devices except the Pi-hole IP. Hopefully, none of my devices have hard-coded DNS. :crossed_fingers: If they start failing, I'll deal with them on a case-by-case basis. After DNS/53 blocking, the next project is to divide LAN devices into VLANs and loosen restrictions on those "smart" devices and hard-coded DNS devices.

I was considering pfSense for other reasons. The DNS IP blocking might be an additional excuse to get it done! :grinning_face:

1 Like

I'm going to put this here for future users looking to do the same.

Router
Each router has a different method to create firewall rules. On the TP-Link 605 Load Balancing Router use the following steps. Other routers are probably simpler. The basics to be adapted are here.

  1. Define IP addresses / ranges - Preferences -> IP Group -> IP Address (Tab), e.g. CloudFlare1, CloudFlare2, Google1, Google2, etc., INCLUDING entries for the DNS servers that Pi-hole uses. My list in the screenshots below includes the DNS options in Pi-hole and a few other "common" public DNS servers. Each entry is a "range" where the Starting and Ending IPs are the same, EXCEPT for Quad9_3 in the screenshot below. Also add an entry for the local IP address of your Pi-hole machine.

  2. Define a Group of DNS servers to BLOCK - Preferences -> IP Group and add the relevant external DNS server IPs from above to be blocked, INCLUDING the IPs of the DNS server that pihole uses

  3. Define a Group to ALLOW - Preferences -> IP Group and add the local IP Address of Pihole to be allowed

  4. Firewall Rule to Block - Firewall -> Access Control with the following:
    * Name: Give the policy a name (cannot be changed later)
    * Policy: Block
    * Service Type: All
    * IPv4
    * Direction: LAN -> WAN
    * Source: !Pihole (i.e. NOT the Pi-hole group). This is the group name where the Pi-hole IP is defined; it will show in the list with and without the "!". Choose the group WITH the "!".
    * Destination: Choose the group that contains ALL of the DNS servers
    * Effective time: Any
    * States: New, Established, Invalid, Related

  5. Firewall Rule to Block Port 53 to ALL external IPs, even those DNS servers not defined above. Same as above with the following differences:
    * Name: Give the policy a name (cannot be changed later)
    * Service Type: DNS
    * Destination: IPGROUP_WAN

Pihole

  1. Add the following blocklist to pihole. This list includes DoH, DoT/DNS, and other subdomains. https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-domains_overall.txt
  2. Update Gravity

Monitor the network for functionality as some devices may have hard coded DNS entries.

The following are POSSIBLE solutions to hard-coded DNS entries. YMMV. Not tested. I'm not the expert.

A solution MIGHT be to add DNS entries to Pi-hole to redirect those hard-coded DNS servers to repoint to Pi-hole. (My attempt at this broke stuff in the house. I think it created a loop, or my firewall rules at the time were not 100%.) This would probably only work if the DNS server is NOT a hard-coded IP address. System -> Settings -> Local DNS Records

Other methods could include VLANs and/or a Pihole Group that would whitelist specific domains. The pihole group might not work if blocking has been done at the router's firewall.


Thanks to @robgill and @Bucking_Horn

1 Like
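For anyone putting a Linux box between the router and the LAN (as asked earlier in the thread), here is an added example, not from the original post or the dibdot project, that turns an "IP # comment" list like the one above (or dibdot's doh-ipv4.txt / doh-ipv6.txt) into an nftables ruleset doing what router steps 3 to 5 do: only the Pi-hole may reach the listed resolvers or send DNS/DoT upstream. PIHOLE_IP, LAN_IF, the table name and the sample list are assumptions.

```python
"""Generate an nftables ruleset from an "IP # comment" resolver list.

Assumed values: PIHOLE_IP (IPv4 address of the Pi-hole) and LAN_IF (the
LAN-side interface of the filtering box). The sample list is constructed."""
import ipaddress

PIHOLE_IP = "192.168.1.5"   # assumption
LAN_IF = "eth1"             # assumption

SAMPLE_LIST = """\
1.1.1.1 # cloudflare
8.8.8.8 # google
2606:4700:4700::1111 # cloudflare
2001:4860:4860:0:0:0:0:8888 # google
not-an-ip # junk line, skipped
"""


def parse_list(text):
    """Return (ipv4, ipv6) address lists; comments, blanks and junk dropped."""
    v4, v6 = [], []
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)   # also canonicalises IPv6
        except ValueError:
            continue
        (v4 if ip.version == 4 else v6).append(str(ip))
    return v4, v6


def build_ruleset(text, pihole=PIHOLE_IP, lan_if=LAN_IF):
    """Emit an inet table: Pi-hole accepted first, everyone else dropped."""
    v4, v6 = parse_list(text)
    out = ["table inet dnsguard {"]
    if v4:   # nft rejects an empty "elements = { }", so only emit non-empty sets
        out.append("  set doh_v4 { type ipv4_addr; elements = { %s } }" % ", ".join(v4))
    if v6:
        out.append("  set doh_v6 { type ipv6_addr; elements = { %s } }" % ", ".join(v6))
    out += ["  chain forward {",
            "    type filter hook forward priority 0; policy accept;",
            "    iifname %s ip saddr %s accept" % (lan_if, pihole)]   # step 3
    if v4:
        out.append("    iifname %s ip daddr @doh_v4 drop" % lan_if)    # step 4
    if v6:
        out.append("    iifname %s ip6 daddr @doh_v6 drop" % lan_if)
    out += ["    iifname %s udp dport 53 drop" % lan_if,               # step 5
            "    iifname %s tcp dport 53 drop" % lan_if,
            "    iifname %s tcp dport 853 drop" % lan_if,              # DoT
            "  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(build_ruleset(SAMPLE_LIST))
```

Load the output with `nft -f <file>` on the filtering box; the Pi-hole accept rule assumes an IPv4 Pi-hole, so add an `ip6 saddr` accept if it has a static IPv6 address.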

I also have a TP-Link ER605. My setup is a bit different because I use recursive Unbound for upstream. I used the predefined group names (i.e. IPGROUP_ANY and IPGROUP_LAN) with only one new group I created for my Pi-hole and AGH, called DNS_servers. My FW has 3 rules, including:

  1. allows DNS traffic from LAN to DNS_servers group
  2. allows DNS outbound traffic only for DNS_servers group
  3. block DNS outbound traffic for all LAN devices

Testing

nslookup example.com - resolves via Pi-hole
nslookup example.com 1.1.1.1 - timed out

2 Likes
