That’s correct. I block DoT in my firewall and block known DoH domains in piHole. I’m sure stuff slips through occasionally but the vast majority of my DNS requests are handled by piHole.
Traditional DNS over UDP/53 is insecure but I’m using ProtonVPN’s DNS server over VPN externally so I’m not worried about that.
How do you block the DoH servers in the pihole? Pihole is a DNS server, devices using a third party DoH server would just bypass the pihole as they’re using the IP of the DoH with no DNS lookup required. No?
To block DoH I think you need to block it at the firewall level with a list of blocked IPs for the DoH servers you want to block over 443
You’re probably better off blocking it at the firewall level. It would be more thorough but also more effort. In my experience, most devices/apps that use DoH call a domain name rather than an IP. If you block the domain in piHole, the app cant resolve the DoH server IP and therefore won’t be able to use DoH.
Yeah you’d need an L7 application layer filtering firewall to catch DoH since it would detect the SSL packet signature on port 53. Unfortunately that balloons the cost of the device past a reasonable level for a home aficionado.
A workaround for now would be to block known public servers that use DoH like Google DNS, since a lot of devices are adding features to enable DoH by default at the OS level
I suspect DoT and DoH still go through, though? I mean you can always block the port 853 for DoT, but DoH is another story.
That’s correct. I block DoT in my firewall and block known DoH domains in piHole. I’m sure stuff slips through occasionally but the vast majority of my DNS requests are handled by piHole.
Traditional DNS over UDP/53 is insecure but I’m using ProtonVPN’s DNS server over VPN externally so I’m not worried about that.
How do you block the DoH servers in the pihole? Pihole is a DNS server, devices using a third party DoH server would just bypass the pihole as they’re using the IP of the DoH with no DNS lookup required. No?
To block DoH I think you need to block it at the firewall level with a list of blocked IPs for the DoH servers you want to block over 443
You’re probably better off blocking it at the firewall level. It would be more thorough but also more effort. In my experience, most devices/apps that use DoH call a domain name rather than an IP. If you block the domain in piHole, the app cant resolve the DoH server IP and therefore won’t be able to use DoH.
I see. I may try to do something similar but towards Unbound on my OPNSense router, if that’s possible.
Yeah you’d need an L7 application layer filtering firewall to catch DoH since it would detect the SSL packet signature on port 53. Unfortunately that balloons the cost of the device past a reasonable level for a home aficionado.
A workaround for now would be to block known public servers that use DoH like Google DNS, since a lot of devices are adding features to enable DoH by default at the OS level