*SOLVED* DoH (DNS over HTTPS): blocking at router level

So I use NextDNS or OpenDNS.

This is easily circumvented by Firefox's "use DNS over HTTPS", which then points out to Cloudflare or another DNS provider even though I have forced DNS to my filtered provider.

Is there a way to either block DoH/DNS over HTTPS and force only regular DNS, or is there a way to block contact to these DNS providers?

I have iptables I could add to; I already block all manner of VPN ports.

I'm only finding info online about using HTTPS DNS, not stopping it.

If the kids change their local Firefox settings to use DNS over HTTPS, then they bypass my filters.

Thanks

You can disable DoH in the browser settings.

https://support.mozilla.org/en-US/kb/firefox-dns-over-https#w_manually-enabling-and-disabling-dns-over-https


Think you missed the point.

Kids are enabling this to get around DNS protection.

Think you weren't describing the issue well enough. :stuck_out_tongue:

I still think the canary domain is checked: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

However:

Note: The canary domain only applies to users who have DoH enabled as the default option. It does not apply for users who have made the choice to turn on DoH by themselves.

I have had the same problem with DoH. You need a list of IPs like these:
https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt
https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv6.txt
and then put the IPs into an ipset list, and finally you can block this via iptables.
# Create the set (hash:ip holds single IPv4 addresses), fill it line by line
# from the downloaded list, then reject forwarded traffic to any address in it.
ipset create blacklist4 hash:ip
while read -r line
do
    ipset add blacklist4 "$line"
done < /tmp/file_from_website
# Target names are case-sensitive: REJECT, not reject.
iptables -A forwarding_lan_rule -m set --match-set blacklist4 dst -j REJECT

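A fuller version of the ipset/iptables approach from the post above, added here as an example (it is not code from the thread or from the piholemanual project). It assumes the same set name and chain as the post (blacklist4, forwarding_lan_rule, which is an fw3 chain on OpenWrt), tolerates the comments, blank lines, stray whitespace and junk lines that downloaded lists tend to contain, refuses anything that is not an IPv4 address or CIDR range, and by default only prints the commands so it can be inspected on any machine before being run as root on the router. The list content is a constructed sample, not the real DOHipv4.txt.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns a DoH resolver list such as
# DOHipv4.txt into an ipset plus one iptables REJECT rule.
# DRY_RUN=1 (default) prints the commands instead of executing them.
# Set and chain names are assumptions taken from the post above.
DRY_RUN="${DRY_RUN:-1}"
SET4="${SET4:-blacklist4}"
CHAIN="${CHAIN:-forwarding_lan_rule}"

# Constructed sample of a list file (not the real DOHipv4.txt): real lists
# carry comments, blank lines, trailing whitespace, sometimes CIDR ranges,
# and occasionally garbage.
SAMPLE_LIST='# DoH resolver IPv4 addresses (constructed sample)
1.1.1.1
1.0.0.1

8.8.8.8   
9.9.9.9
149.112.112.0/24
not-an-ip
'

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept a dotted-quad IPv4 address with an optional /prefix and nothing
# else, so a corrupted or hostile list line can never become an extra
# argument to ipset.
is_ipv4_net() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Read a list on stdin, (re)create the set, add every valid entry and insert
# one REJECT rule at the top of the chain. hash:net takes both single
# addresses and CIDR ranges; -exist makes reruns idempotent.
doh_block_commands() {
    run ipset create "$SET4" hash:net -exist
    run ipset flush "$SET4"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        if is_ipv4_net "$entry"; then
            run ipset add "$SET4" "$entry" -exist
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done
    # -I rather than -A so the match comes before any earlier ACCEPT rule.
    run iptables -I "$CHAIN" -m set --match-set "$SET4" dst -j REJECT
}

# Number of addresses/ranges a list on stdin would add; handy to sanity-check
# a freshly downloaded file before loading it. Always dry-runs.
count_doh_entries() {
    (DRY_RUN=1; doh_block_commands 2>/dev/null) | grep -c ' add '
}

# Stand-alone run: show what the sample list turns into.
printf '%s' "$SAMPLE_LIST" | doh_block_commands
```

Two caveats a practitioner would want: the rule also blocks plain port-53 DNS to those same resolvers, which is what you want here, but it cannot catch DoH served from a general-purpose CDN address that also hosts ordinary websites, and the list goes stale, so refresh it on a schedule (banIP, as used later in this thread, does that for you). On an nftables-based firewall (OpenWrt fw4) the same list goes into an nft set instead of an ipset.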

This sounds promising.
Can you put this in layman's terms?

Does this mean I could use adblock on the router and block that domain? Then DoH wouldn't enable?

Or is the last bit saying it won't work?

It works, but the last bit is saying it only does so when the user hasn't manually enabled it, since then the check isn't performed.

Ah. They have, so we look on.

I guess you could try block all DoH providers :wink:

I think that list (as IPv6 isn't enabled) would be fine; get that into iptables, job done.

The banIP support thread looks promising.
Install banIP, then the LuCI plugin.

Problem SOLVED.

Installed banIP and the LuCI web front end, added the list of DoH IPs, problem solved in a newbie fashion.
Thanks for the info, guys!
