Blocked that hard-coded google dns garbage.

  • Silejonu@kbin.social · 2 points · 1 year ago

    I suspect DoT and DoH still go through, though? I mean you can always block the port 853 for DoT, but DoH is another story.

    • jubilationtcornpone · 2 points · 1 year ago

      That’s correct. I block DoT in my firewall and block known DoH domains in piHole. I’m sure stuff slips through occasionally but the vast majority of my DNS requests are handled by piHole.

      Traditional DNS over UDP/53 is insecure but I’m using ProtonVPN’s DNS server over VPN externally so I’m not worried about that.

      • blackstrat@lemmy.fwgx.uk · 1 point · 1 year ago

        How do you block the DoH servers in the pihole? Pihole is a DNS server, devices using a third party DoH server would just bypass the pihole as they’re using the IP of the DoH with no DNS lookup required. No?

        To block DoH I think you need to block it at the firewall level with a list of blocked IPs for the DoH servers you want to block over 443.

        • jubilationtcornpone · 1 point · 1 year ago

          You’re probably better off blocking it at the firewall level. It would be more thorough but also more effort. In my experience, most devices/apps that use DoH call a domain name rather than an IP. If you block the domain in piHole, the app can’t resolve the DoH server IP and therefore won’t be able to use DoH.

      • Silejonu@kbin.social · 1 point · 1 year ago

        I see. I may try to do something similar but towards Unbound on my OPNSense router, if that’s possible.

    • jemikwa@lemmy.blahaj.zone · 1 point · edited · 1 year ago

      Yeah you’d need an L7 application layer filtering firewall to catch DoH since it would detect the SSL packet signature on port 53. Unfortunately that balloons the cost of the device past a reasonable level for a home aficionado.
      A workaround for now would be to block known public servers that use DoH like Google DNS, since a lot of devices are adding features to enable DoH by default at the OS level.
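
As an added example (not posted by anyone in this thread), here is an nftables ruleset implementing the firewall-side approach blackstrat and jemikwa describe: plain DNS from the LAN is forced to the Pi-hole so hard-coded resolvers still get filtered, DoT is rejected on TCP/853, and HTTPS to a set of known DoH resolver addresses is rejected and logged. The interface name lan0 and the Pi-hole address 192.168.1.2 are assumptions; the only set members shown are the Google Public DNS addresses, since Google DNS is the service the thread names, and the rest should come from your own list.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed names: LAN interface "lan0", Pi-hole at 192.168.1.2.
# NAT in the inet family needs a reasonably recent kernel and nft.
# Idempotent reload: declare, delete, then redefine the table.
table inet dns_guard
delete table inet dns_guard
table inet dns_guard {
    # Dedicated DoH resolver addresses to cut off on 443. Only Google Public
    # DNS is listed (the service named in the thread); extend from your own list.
    # Caveat: a DoH endpoint that shares an address with other services (CDN-hosted)
    # would take those services down too, so keep this to dedicated resolver IPs.
    set doh_resolvers {
        type ipv4_addr
        flags interval
        elements = { 8.8.8.8, 8.8.4.4 }
    }

    # Redirect any plain DNS the LAN sends elsewhere to the Pi-hole. The Pi-hole
    # itself is exempted, otherwise its upstream queries would loop back to it.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "lan0" ip saddr != 192.168.1.2 ip daddr != 192.168.1.2 udp dport 53 dnat ip to 192.168.1.2
        iifname "lan0" ip saddr != 192.168.1.2 ip daddr != 192.168.1.2 tcp dport 53 dnat ip to 192.168.1.2
    }

    # DoT has its own port and can be rejected outright. DoH rides on 443 and can
    # only be matched by destination address, hence the set above. Logging the
    # 443 hits shows which devices are trying to bypass the Pi-hole.
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "lan0" ip saddr != 192.168.1.2 tcp dport 853 counter reject with tcp reset
        iifname "lan0" ip saddr != 192.168.1.2 ip daddr @doh_resolvers tcp dport 443 counter log prefix "doh-blocked: " reject with tcp reset
    }
}
```

Load it with `nft -f <file>`; an IPv6 LAN needs the same rules with `ip6` matches and an `ipv6_addr` set, since devices will otherwise reach the same resolvers over v6.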