Only contact to firebog.net via DNS over HTTPS

Hello,

I've been using the latest version of Pi-Hole and it works perfectly. However, there is one simple thing that bothers me.

The setup is that all clients point to Pi-Hole as the DNS server. pfSense is closed, so it is not possible to look up DNS without going through Pi-Hole.

In pfSense, some time ago I made a DoH rule that blocks DNS over HTTPS. It is a list that is updated continuously.

Not so long ago I noticed that Pi-Hole does not update the lists from v.firebog.net, and read about the problems that occurred years ago. Now I am using the latest 64-bit version of Pi-Hole, so that problem is not relevant in this case.

It turns out that my blocking of DoH in pfSense prevents the Pi-Hole from accessing firebog.net.
I then made a rule that specifically allows Pi-Hole access to the DoH IPs, and now all the block lists from the firebog are updated as they should.

So far so good.

When I try to access firebog.net in a browser that is set to NOT use DNS over HTTPS, I don't get a connection.
That confuses me. Pi-Hole has access to everything, and should do a proper DNS lookup. But it doesn't work.

Only if I allow everyone access to the DNS over HTTPS (DoH) IPs in pfSense do I get a working firebog.net connection in Firefox.

But the Firefox that I use in this case (and other browsers I've tried) is set to NOT use DoH, only local Pi-Hole.

What is it that makes firebog.net accessible only when there is no DoH blocking in pfSense?

In pfSense, it is set up to query DNS (from Pi-hole) via 1.1.1.1 over port 853.

firebog.net is the only site I've noticed with the problem; every other place I visit on the web works perfectly, and Pi-Hole does the job just fine.

You should probably verify what that rule really does (and I also wonder how you went about blocking DoH in any case).
Pi-hole does not speak DoH at all, so it would never attempt to resolve a domain via DoH.

You should also be aware that DoH hides within HTTPS data streams, which use port 443.
If you'd blocked port 443 indiscriminately, then you would not be able to access any site via HTTPS anymore.

The most common approach to block DoH would probably be to block a list of known DoH servers, either by IP or by domain.
If you follow that approach, you should probably check whether your DoH lists accidentally contain firebog.net domains and/or IPs.

Fact:
Pi-Hole cannot update v.firebog.net lists if the following rules are active:


XXDoH1

I then made an exception so that Pi-Hole has access to the IPs in the list. Then the v.firebog lists can be updated.

We can conclude that there are some IPs in that list that are vital for access to v.firebog.net.

When we now conclude that Pi-Hole cannot handle DoH requests and the browser is set up not to use DoH, it seems strange that DoH must be available to make contact.
But as I said, my suspicion is that there is an IP in that list that prevents access to v.firebog.net. Maybe it's not something with DoH but that an IP has crept into the list that causes the problem.

I would appreciate it if others reading this can give me some thoughts on what it might be. ;o)

I'd suspect that DoH isn't involved, but your DoH list is simply blocking an IP/domain that either shouldn't be blocked or cannot be blocked without also blocking wanted contents.

EDIT:
Searching for IPs has confirmed my suspicion:

$ dig +short firebog.net
185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

Instead of allowing firewall clients to bypass your DoH rule, you could consider either removing those IPs from the list, or explicitly allowing them in your firewall.
/EDIT

You should consider bringing this to the attention of the DoH list's maintainer.

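As an added example (not part of this thread or of Pi-hole), here is a small Python check for the kind of collision described in the reply above: take a host's resolved addresses and test each one against every entry of a DoH blocklist, including CIDR ranges that a plain text search for the address would miss. The sample blocklist and its /22 entry are constructed; the four firebog.net addresses are the ones from the dig output above.

```python
import ipaddress
import socket

# Constructed sample DoH blocklist, in the shape a pfSense alias would load:
# a mix of single IPs and CIDR ranges. Not the real list from the thread.
SAMPLE_DOH_LIST = """
# known DoH resolvers (hypothetical entries)
1.1.1.1
1.0.0.1
9.9.9.9
185.199.108.0/22   # hypothetical overly broad range covering firebog.net
2606:4700:4700::1111
"""

# The addresses dig returned for firebog.net in the thread above.
FIREBOG_IPS = ["185.199.108.153", "185.199.109.153",
               "185.199.110.153", "185.199.111.153"]


def parse_blocklist(text):
    """Parse a blocklist into ip_network objects; skip blanks, comments and junk."""
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set in a range, e.g. 10.0.0.1/24
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # not an IP or CIDR (e.g. a domain entry); ignored here
    return networks


def find_collisions(addresses, networks):
    """Return {address: matching_entry} for every address the list covers."""
    hits = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        for net in networks:
            if ip.version == net.version and ip in net:
                hits[addr] = str(net)
                break
    return hits


def resolve(hostname):
    """Resolve a hostname to its A/AAAA records via the system resolver (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


if __name__ == "__main__":
    for addr, net in find_collisions(FIREBOG_IPS, parse_blocklist(SAMPLE_DOH_LIST)).items():
        print(f"{addr} is covered by blocklist entry {net}")
```

Any address reported here is one that the firewall rule will block for every client, regardless of whether the client itself uses DoH.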

Thank you very much for your help here. Hopefully others can learn from this as I have learned from others' posts.
Our dialog here has helped me track down what has been bugging me the last few days.
If you look up firebog.net, you see that it is embedded in cloudflare.com, and thus in their IP, which clarifies and confirms what you mention.

It almost drove me crazy, I couldn't make it fit.
By the way, THANK YOU for Pi-Hole, it makes everyday life safer and faster.