Interesting. Not in the US, so no DoH on Firefox for me yet.
You do realize that they are using the domains to serve ads; ads = money. They are not going to give us this luxury. We are not talking about blocking on a browser level here.
Neither am I.
The way Firefox is implementing DoH is that if it gets an NXDOMAIN result it falls back to standard DNS.
This is to allow ISPs (or other network admins) to stop it interfering with their own content management.
You’re missing the point. IoT devices like Roku, Chromecast, etc. will be using DoH to serve us ads that make them money. Firefox does this for “privacy”, NOT to make money. I just don’t think they are going to give us a way out. That is not how businesses run.
I’m still looking around; I thought I saw a starter list somewhere on the information super highway.
Here is a start.
Not sure if blocking the anycast server addresses will work, but I will document those also.
220.127.116.11 18.104.22.168 #ipv6 2001:4860:4860::8888 2001:4860:4860::8844
22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 #ipv6 2606:4700:4700::1111 2606:4700:4700::1001
220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 #ipv6 2620:fe::fe 2620:fe::fe:9 2620:fe::9 2620:fe::10 2620:fe::fe:10 2620:fe::11 2620:fe::fe:11
Here’s a list of doh servers:
Yeah, I’ve seen that. No IPs.
In a thread about DNS over HTTPS, I’ll leave the translation of domain names to IP addresses as an exercise to the reader.
I am only going to list the major providers. I highly doubt IoT devices will use any different.
If anyone wiresharks and finds alternate IPs we can list those also.
Obviously anycast or dynamic IPs could hinder my efforts if in use.
Perhaps a range ban with iptables would help with the above problem.
I have added the Cloudflare IPs to my iptables. Surprisingly, the internet did not implode.
So if your current upstream provider switched to implementing DoH on the same IP, who would you move to?
My current provider already does DoT on the same address. I choose DoT for my delivery method. This thread is more to focus on devices with hardcoded DNS.
I bet I’m one of 10 or less people in this community using my provider. It’s semi-private. Well in the sense that you can’t find any info other than the website for it. Well maybe you can but I don’t speak German.
Before anyone asks why I would want to deal with a response time above 100ms (I’m in the US)…
Germany has some of the best privacy laws in the world.
A slightly less sledgehammer approach, which admittedly requires more user input, would be to block outbound requests to specific IPs from specified devices only.
Many people use the more generic DNS IPs from providers like Cloudflare or Google or Level3.
This is true; there is usually not a clear-cut answer when we as users have specific use cases…
I have added some iptables rules to redirect all traffic on port 853 to an address of my choosing.
If anyone is interested, I have a decent collection of iptables rules for dd-wrt. Just let me know what you are trying to accomplish.
OP contains new information
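The two router-side ideas raised in this thread (dropping LAN traffic to known public DoH resolver IPs while exempting chosen devices, and redirecting port 853 DoT traffic to a resolver you pick) combined into one rule generator, as an added example that is not any poster's own iptables set. The interface name, exempt host, DoT target and resolver list are constructed assumptions; the script prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Generates iptables rules for a dd-wrt
# style router: (1) drop LAN traffic to public DoH resolvers on port 443,
# except from one trusted device; (2) DNAT every DoT (853/tcp) flow to the
# resolver the admin chose. Rules are printed, not applied, so they can be
# reviewed and then piped to sh on the router. IPv4 only; repeat with
# ip6tables for the v6 addresses.

LAN_IF="br0"                   # dd-wrt LAN bridge (assumption)
EXEMPT_HOST="192.168.1.50"     # constructed: device allowed direct DoH
DOT_TARGET="198.51.100.53"     # placeholder for your chosen DoT resolver
# Constructed sample list of public resolvers that also speak DoH; replace
# with the list maintained in the OP.
DOH_RESOLVERS="1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9 149.112.112.112"

gen_doh_block_rules() {
  # A dedicated chain keeps the rules easy to flush (-F DOH_BLOCK) and lets
  # the exempt host RETURN to FORWARD before any DROP is evaluated.
  echo "iptables -N DOH_BLOCK"
  echo "iptables -A DOH_BLOCK -s $EXEMPT_HOST -j RETURN"
  for ip in $DOH_RESOLVERS; do
    for proto in tcp udp; do   # udp/443 covers DoH over HTTP/3 (QUIC)
      echo "iptables -A DOH_BLOCK -d $ip -p $proto --dport 443 -j DROP"
    done
  done
  # Hook the chain in front of everything else for traffic entering from LAN.
  echo "iptables -I FORWARD -i $LAN_IF -j DOH_BLOCK"
}

gen_dot_redirect_rules() {
  # Caveat: a DoT client that validates the server certificate against its
  # configured resolver name will fail the handshake after DNAT, so for such
  # devices this behaves as a block, not a transparent redirect.
  echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 853 -j DNAT --to-destination $DOT_TARGET:853"
}

# Stand-alone use: print the full rule set for review.
gen_doh_block_rules
gen_dot_redirect_rules
```

Rules emitted by `gen_doh_block_rules` land in FORWARD only, so the router's own resolver is unaffected; if your FORWARD policy drops new outbound flows, add an ACCEPT for `$DOT_TARGET:853` alongside the DNAT rule.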
Let me drop this here:
@msatter added to OP