When combining Pi-Hole with pixelserv-tls, the encrypted blocked connections can be answered by an HTTPS server instead of being completely dropped (
The way this works is that pixelserv-tls dynamically generates a certificate matching the server name sent in the SNI extension, which should pass verification by the client (if the CA used to generate such certificates is trusted).
With ESNI (Encrypted Server Name Indication), which is now being tested by CloudFlare and Mozilla, the client sends the server name encrypted, so pixelserv-tls would be unable to generate a matching certificate.
While the connection will still be blocked, the browser will keep trying to establish such connections until it ultimately fails.
What would be great is if for blocked domains, there could be an option to also block the corresponding ESNI record. Right now this could mean answering with NXDOMAIN to _esni.blocked.domain.
It might be safe enough to enable by default when responding with an IP (BLOCKINGMODE=IP or IP-NODATA-AAAA).
Dropping all ESNI records with a regex is not an option as that would impact non-blocked domains.
While this is obviously the very beginning of this spec, I anticipate browser support to pick up soon. Both Firefox and Safari have preliminary implementations. And since CloudFlare supports basically 10% of internet traffic, I’m sure there are some commonly blocked domains already supporting this.
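The proposed rule from above, sketched as resolver decision logic. This is an added example and not Pi-hole's code; the blocklist entries, the placeholder blocking address 192.0.2.10 and the `esni_rule` switch are constructed for illustration, and the blocklist uses exact-domain matching like a gravity list, which is why a plain `_esni.<domain>` lookup is not caught without the extra rule.

```python
# Added example (not Pi-hole code): how a blocking resolver could answer queries
# when "blocked domain => also block its _esni record" is applied.

BLOCKLIST = {"ads.example.com", "tracker.example.net"}  # constructed sample list
BLOCKING_IP = "192.0.2.10"  # placeholder for the Pi-hole's own address in IP mode
ESNI_PREFIX = "_esni."      # ESNI keys are published as TXT at _esni.<domain>


def normalize(name):
    """Lower-case and strip the trailing dot so lookups are consistent."""
    return name.rstrip(".").lower()


def is_blocked(name):
    """Exact-match lookup, as a gravity-style list behaves (no subdomain match)."""
    return normalize(name) in BLOCKLIST


def answer(qname, qtype, blocking_mode="IP", esni_rule=True):
    """Return (rcode, rdata): 'FORWARD' means resolve upstream as usual."""
    qname = normalize(qname)

    # ESNI handling: only the record of a *blocked* domain is suppressed.
    # Matching "_esni." with a regex would also remove keys of allowed domains.
    if esni_rule and qtype == "TXT" and qname.startswith(ESNI_PREFIX):
        owner = qname[len(ESNI_PREFIX):]
        if is_blocked(owner):
            return ("NXDOMAIN", None)
        return ("FORWARD", None)

    if not is_blocked(qname):
        return ("FORWARD", None)

    # Blocked domain: reply according to the configured blocking mode.
    if blocking_mode in ("IP", "IP-NODATA-AAAA") and qtype == "A":
        return ("NOERROR", BLOCKING_IP)
    if blocking_mode == "IP-NODATA-AAAA" and qtype == "AAAA":
        return ("NOERROR", None)  # NODATA: no AAAA record, name exists
    if blocking_mode == "NXDOMAIN":
        return ("NXDOMAIN", None)
    return ("NOERROR", None)


if __name__ == "__main__":
    for q in [("ads.example.com", "A"), ("_esni.ads.example.com", "TXT"),
              ("_esni.www.example.org", "TXT")]:
        print(q, "->", answer(*q))
```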