Adblock and DNS-over-HTTPS?

The_Hitman · August 4, 2020, 10:56am

Hello,
I noticed that when using D-o-H, which already is used by default in some Android clients and activated with an option in Mozilla Firefox, hosts don't longer get blocked. I can probably assume that it's mechanism is being able to bypass the default 192.168.1.1 gateway/dns of the router and still go and resolve the site.

Problem is, well, the privacy concern.

For instance here, I want to block reddit.com, when DOH is enabled the host stil resolves:

Now, if I use banIP and do a simple ping query for it's ipv4 and 6 addresses and add that to the blacklist, ̶t̶h̶e̶ ̶s̶i̶t̶e̶ ̶w̶i̶l̶l̶ ̶g̶e̶t̶ ̶b̶l̶o̶c̶k̶e̶d̶ ̶a̶g̶a̶i̶n̶.̶ ̶B̶u̶t̶ ̶o̶n̶l̶y̶ ̶i̶f̶ ̶t̶h̶o̶s̶e̶ ̶I̶P̶'̶s̶ ̶r̶e̶m̶a̶i̶n̶ ̶t̶h̶e̶ ̶s̶a̶m̶e̶.̶ ̶W̶h̶i̶c̶h̶ ̶f̶o̶r̶ ̶t̶h̶e̶s̶e̶ ̶l̶a̶r̶g̶e̶ ̶s̶i̶t̶e̶s̶,̶ ̶w̶i̶l̶l̶ ̶n̶o̶t̶ ̶h̶a̶p̶p̶e̶n̶.̶. Nope, still appears! Probably hidden ipv6 domain discoverable only through packet sniffing. Or Mozilla doing a proxy.

Therefore I can not reliably use banIP to block hosts.

What can I do in this case. Is there a way for Adblock to also block over DOH?

Thank you

vgaetera · August 4, 2020, 11:07am

When client uses DNS encryption, i.e. DoH/DoT/DNSCrypt/etc., you can't interfere in its DNS traffic.
You can only try to make the client stop using DNS encryption by blocking major public DNS providers.

The_Hitman · August 4, 2020, 4:52pm

Got it. So in this more mainstream instance they appeal to using one of those major public DNS providers, something that I later found Mozilla shows themselves: https://user-media-prod-cdn.itsre-sumo.mozilla.net/uploads/gallery/images/2020-01-27-04-57-04-656e0a.png This is, in my opinion, probably even less private to force it down like that, but eh...

I blocked the IP addresses of those providers in banIP and that website is blocked again, forces a fallback to 192.168.1.1 where the host was blocked in Adblock. Not pretty but it works.

I'm wondering now, can there be implemented a DoH/DoT/DNSCrypt client in OpenWrt itself, to act as a local spoofed DNS? (There is a box to specify DNS provider, and maybe there can be put 192.168.1.1 or ipv6 gateway address)

vgaetera · August 4, 2020, 4:59pm

Yes, you can intercept plain DNS traffic, filter it with Adblock and then encrypt with DoH/DoT/DNSCrypt.

The_Hitman · August 4, 2020, 5:34pm

That sounds about right, will try it soon but I will probably use an OpenNIC DoH public server (https://servers.opennic.org/) instead of Cloudflare and Google to connect to. That's just me
I have two concerns though that I didn't understand:

So after "DNS hijacking", I then configure "DNS over HTTPS with Dnsmasq and https-dns-proxy", at the bottom of the second page it says "Beware of race condition with Adblock service." Are there any extra steps to get the hosts blocking to work?
For instance in Mozilla Firefox, if DoH is on, it will still connect to Cloudflare or whatever it is using. Do I type in the custom provider box, the same provider as selected for OpenWrt and it will automatically intercept the traffic and filter it for hosts rules? Or do I specify 192.168.1.1 as a custom DoH provider? Does it work like that?

Thanks

vgaetera · August 4, 2020, 6:20pm

That extra step is optional and useful only in some rare cases, e.g. when you run a proxy server on OpenWrt, otherwise you can safely skip it.

Just disable DoH in the browser, or block it on the router if there's no other way.
When the browser can't use DoH, it should rollback to plain DNS from the OS.

system · August 14, 2020, 6:20pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.