DoH server IPs *WIP*

Update 1. Reddit contains additional information, link below.
Update 2. I now have confirmation that the two Cloudflare IPs I dug up are indeed the ticket to blocking CF DoH.

104.16.249.249
104.16.248.249

Update 3.

https://www.reddit.com/r/pihole/comments/djacup/im_starting_a_list_of_hardcoded_dns_abusers_reply/

So what do you guys/gals think about putting together a list of IoT DoH server IPs? We could use them to block with iptables, and it might force the use of port 53 instead?

See post 8 for IPs ↓

Leaving aside that I don't think Pi-hole blocks by IP (unless you were proposing blocking via iptables), a rather more elegant solution would be to find out if they're using a "canary" URL in the same way Firefox does and block that (which then leaves you free to use DoH to your upstream provider should you choose to).

Interesting. Not in the US, so no DoH on Firefox for me yet.

You do realize that they are using the domains to serve ads; ads = money. They are not going to give us this luxury. We are not talking about blocking on a browser level here.

Neither am I.

The way Firefox is implementing DoH is that if it gets an NXDOMAIN result it falls back to standard DNS.

This is to allow ISPs (or other network admins) to stop it interfering with their own content management

https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

You're missing the point. IoT devices like Roku, Chromecast, etc. will be using DoH to serve us ads that make them money. Firefox does this for "privacy", NOT to make money. I just don't think they are going to give us a way out. That is not how businesses run.

I'm still looking around; I thought I saw a starter list somewhere on the information superhighway.

WIP

Here is a start.

Not sure if blocking the anycast server addresses will work, but I will document those also.

Google

8.8.8.8
4.4.4.4
# IPv6
2001:4860:4860::8888
2001:4860:4860::8844

Cloudflare

1.1.1.1
1.0.0.1
104.16.249.249
104.16.248.249
# IPv6
2606:4700:4700::1111
2606:4700:4700::1001

Quad9

9.9.9.9
9.9.9.10
9.9.9.11
149.112.112.112
149.112.112.9
149.112.112.10
149.112.112.11
# IPv6
2620:fe::fe
2620:fe::fe:9
2620:fe::9
2620:fe::10
2620:fe::fe:10
2620:fe::11
2620:fe::fe:11

Here's a list of DoH servers:


Yeah, I've seen that. No IPs.

In a thread about DNS over HTTPS, I'll leave the translation of domain names to IP addresses as an exercise to the reader.

I am only going to list the major providers. I highly doubt IoT devices will use any different.

If anyone Wiresharks and finds alternate IPs, we can list those also.

Obviously anycast or dynamic IPs could hinder my efforts if in use.

Perhaps a range ban with iptables would help with the above problem.

I have added the Cloudflare IPs to my iptables. Surprisingly, the internet did not implode.
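The post above suggests capturing traffic to find which addresses the devices actually talk to. A cheaper way on the router itself is a netfilter LOG rule on the LAN interface and a small script over its output. The script below is an added example, not code from the thread: it assumes a dd-wrt/Linux router with LOG rules tagged `DNSWATCH` on ports 53, 443 and 853 on `br0`, a Pi-hole at 192.168.1.2, and the resolver addresses from the list earlier in the thread (8.8.4.4 is Google's documented secondary address). The log lines embedded in it are constructed samples, not real captures; in the documentation ranges, 198.51.100.7 stands in for an arbitrary HTTPS site.

```shell
#!/bin/sh
# Added example (not from the thread): list which LAN hosts send DNS, DoT or
# DoH traffic to which addresses, from netfilter LOG output. It assumes
# logging rules such as:
#   iptables -I FORWARD -i br0 -p tcp -m multiport --dports 443,853 -j LOG --log-prefix "DNSWATCH "
#   iptables -I FORWARD -i br0 -p udp --dport 53 -j LOG --log-prefix "DNSWATCH "
# The Pi-hole address and the sample log are assumptions/constructed data.

LAN_DNS="${LAN_DNS:-192.168.1.2}"   # assumed Pi-hole address

# Known DoH resolver addresses from the list earlier in the thread. Port 443
# traffic is only interesting when it targets one of these.
DOH_IPS="1.1.1.1 1.0.0.1 104.16.249.249 104.16.248.249 8.8.8.8 8.8.4.4 9.9.9.9 149.112.112.112"

# Constructed sample in the kernel LOG format (fields trimmed to those used).
# The Pi-hole is assumed to sit on a routed segment (br1) so its traffic is
# forwarded, and therefore logged, as well.
SAMPLE_LOG='Oct 18 10:00:01 router kernel: DNSWATCH IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=TCP SPT=51234 DPT=853 SYN
Oct 18 10:00:02 router kernel: DNSWATCH IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=8.8.8.8 LEN=72 PROTO=UDP SPT=51235 DPT=53
Oct 18 10:00:03 router kernel: DNSWATCH IN=br0 OUT=vlan2 SRC=192.168.1.51 DST=104.16.249.249 LEN=60 PROTO=TCP SPT=40001 DPT=443 SYN
Oct 18 10:00:04 router kernel: DNSWATCH IN=br0 OUT=vlan2 SRC=192.168.1.51 DST=104.16.248.249 LEN=60 PROTO=TCP SPT=40002 DPT=443 SYN
Oct 18 10:00:05 router kernel: DNSWATCH IN=br0 OUT=vlan2 SRC=192.168.1.51 DST=104.16.249.249 LEN=60 PROTO=TCP SPT=40003 DPT=443 SYN
Oct 18 10:00:06 router kernel: DNSWATCH IN=br0 OUT=vlan2 SRC=192.168.1.52 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40004 DPT=443 SYN
Oct 18 10:00:07 router kernel: DNSWATCH IN=br0 OUT=br1 SRC=192.168.1.53 DST=192.168.1.2 LEN=72 PROTO=UDP SPT=5353 DPT=53
Oct 18 10:00:08 router kernel: unrelated line'

# Print "src dst dport hits" for every DNS-looking flow: anything on 53 or
# 853, and 443 only when the destination is a known DoH resolver.
dns_flows() {
  printf '%s\n' "$1" | awk -v doh="$DOH_IPS" '
    BEGIN { n = split(doh, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    /DNSWATCH/ {
      src = dst = dpt = ""
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DST=/) dst = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (dpt == "53" || dpt == "853" || (dpt == "443" && (dst in known)))
        hits[src " " dst " " dpt]++
    }
    END { for (k in hits) print k, hits[k] }' | sort
}

# Hosts that bypass the Pi-hole: any DNS-looking flow not aimed at LAN_DNS.
bypassing_hosts() {
  dns_flows "$1" | awk -v lan="$LAN_DNS" '$2 != lan { print $1 }' | sort -u
}

echo "== DNS/DoT/DoH flows (src dst dport hits) =="
dns_flows "$SAMPLE_LOG"
echo "== hosts not using the Pi-hole =="
bypassing_hosts "$SAMPLE_LOG"
```

On a live router feed it the kernel log instead of the sample, e.g. `dns_flows "$(dmesg | grep DNSWATCH)"` (or `logread` on busybox-based firmware). Any 443 destination that shows up repeatedly from one device but is not in the list is a candidate for a `nslookup`/Wireshark check, and a new entry for the thread's list.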

So if your current upstream provider switched to implementing DoH on the same IP, who would you move to?

My current provider already does DoT on the same address. I choose DoT for my delivery method. This thread is more to focus on devices with hardcoded DNS.

I bet I'm one of 10 or fewer people in this community using my provider. It's semi-private. Well, in the sense that you can't find any info other than the website for it. Well, maybe you can, but I don't speak German.

Before anyone asks why I would want to deal with a response time above 100ms (I'm in the US):
Germany has some of the best privacy laws in the world.

A slightly less sledgehammer approach, which admittedly requires more user input, would be to block outbound requests to specific IPs from specified devices only.

Many people use the more generic DNS IPs from people like Cloudflare or Google or Level3.

This is true; there is usually not a clear-cut answer when we as users have specific use cases.

Update
I have added some iptables rules to redirect all traffic on port 853 to an address of my choosing.
If anyone is interested, I have a decent collection of iptables rules for dd-wrt. Just let me know what you are trying to accomplish.
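Pulling the thread's pieces together (the resolver IP list, blocking with iptables, the per-device variant suggested above, and the port 853 redirect from the update), here is an added example of what such a dd-wrt rule set looks like. It is not the poster's own collection: the interface name `br0`, the Pi-hole address 192.168.1.2 and the client MACs are assumptions, and the resolver addresses come from the list earlier in the thread (8.8.4.4 is Google's documented secondary address). By default it only prints the commands; set `APPLY=1` to execute them.

```shell
#!/bin/sh
# Added example (not code from the thread). Prints, or with APPLY=1 executes,
# iptables/ip6tables rules for a Linux/dd-wrt style router that:
#   1. reject TCP/443 to the DoH resolver addresses listed in the thread,
#   2. redirect plain DNS (port 53) from the LAN to the Pi-hole, and
#   3. reject DNS-over-TLS (port 853) or DNAT it to a chosen DoT server.
# Interface name, Pi-hole address and MACs are assumptions, not from the post.

LAN_IF="${LAN_IF:-br0}"             # assumed LAN bridge interface
LAN_DNS="${LAN_DNS:-192.168.1.2}"   # assumed Pi-hole address
DOT_DST="${DOT_DST:-}"              # optional DoT server to DNAT 853 to; empty = reject 853
DEVICES="${DEVICES:-}"              # optional space-separated client MACs; empty = whole LAN

# Resolver addresses from the list earlier in the thread (8.8.4.4 is Google's
# documented secondary address).
DOH_IPS4="1.1.1.1 1.0.0.1 104.16.249.249 104.16.248.249 8.8.8.8 8.8.4.4 9.9.9.9 149.112.112.112"
DOH_IPS6="2606:4700:4700::1111 2606:4700:4700::1001 2001:4860:4860::8888 2001:4860:4860::8844 2620:fe::fe 2620:fe::9"

emit() {  # print the command, or run it when APPLY=1
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# One "-m mac --mac-source <mac>" line per selected device, or a single empty
# line when DEVICES is unset, so callers loop once with no restriction.
# (-m mac needs the xt_mac match, which dd-wrt builds normally ship.)
dev_matches() {
  if [ -z "$DEVICES" ]; then
    echo ""
  else
    for mac in $DEVICES; do echo "-m mac --mac-source $mac"; done
  fi
}

gen_rules() {
  dev_matches | while read -r dm; do
    # 1. DoH runs over HTTPS on 443. A TCP reset makes the client fail fast
    #    instead of hanging on a silent DROP. $dm is intentionally unquoted so
    #    its words become separate arguments (it is empty for "whole LAN").
    for ip in $DOH_IPS4; do
      emit iptables -A FORWARD -i "$LAN_IF" $dm -d "$ip" -p tcp --dport 443 -j REJECT --reject-with tcp-reset
    done
    for ip in $DOH_IPS6; do
      emit ip6tables -A FORWARD -i "$LAN_IF" $dm -d "$ip" -p tcp --dport 443 -j REJECT --reject-with tcp-reset
    done

    # 2. Hard-coded plain DNS (8.8.8.8 and friends) is DNATed to the Pi-hole.
    #    The Pi-hole's own upstream queries are excluded with "! -s".
    for proto in udp tcp; do
      emit iptables -t nat -A PREROUTING -i "$LAN_IF" $dm ! -s "$LAN_DNS" ! -d "$LAN_DNS" -p "$proto" --dport 53 -j DNAT --to-destination "$LAN_DNS"
    done

    # 3. DoT cannot be filtered by content. Either reset it (the device falls
    #    back to port 53 if it can) or DNAT it to a DoT server you trust. The
    #    DNAT only works for clients that accept that server's certificate,
    #    i.e. that do not pin the hostname or key of their built-in resolver.
    if [ -z "$DOT_DST" ]; then
      emit iptables -A FORWARD -i "$LAN_IF" $dm -p tcp --dport 853 -j REJECT --reject-with tcp-reset
    else
      emit iptables -t nat -A PREROUTING -i "$LAN_IF" $dm -p tcp --dport 853 -j DNAT --to-destination "$DOT_DST"
    fi
  done

  # If the Pi-hole is on the same LAN as the clients, a DNATed query would be
  # answered directly from the Pi-hole's own address and the client would
  # discard the reply (it sent to 8.8.8.8). Masquerading the hairpinned flow
  # makes the reply come back through the router with the expected source.
  for proto in udp tcp; do
    emit iptables -t nat -A POSTROUTING -o "$LAN_IF" -d "$LAN_DNS" -p "$proto" --dport 53 -j MASQUERADE
  done
}

gen_rules
```

Two trade-offs worth knowing before applying it: the MASQUERADE rule makes every redirected query arrive at the Pi-hole from the router's address, so per-client statistics for those devices are lost (put the Pi-hole on its own routed segment, or on the router, to avoid it); and the IPv6 side only covers the DoH resets, so hosts with IPv6 connectivity can still reach a hard-coded IPv6 plain-DNS or DoT resolver unless you add the matching `ip6tables` rules. Run with `DEVICES="aa:bb:cc:dd:ee:01"` to restrict the rules to one offending device, as suggested earlier in the thread.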

BUMP
OP contains new information.