OPNsense Forum

English Forums => General Discussion => Topic started by: iammike on July 13, 2023, 12:06:42 pm

Title: Adguard and HTTPS queries
Post by: iammike on July 13, 2023, 12:06:42 pm
I have installed AdGuard on my OPNsense router and it's working great, but it's not filtering HTTPS.

For example if I do

Code:
nslookup facebook.com
Server:  OPNsense
Address:  10.0.10.1

Non-authoritative answer:
Name:    facebook.com
Addresses:  ::
          0.0.0.0

That works (the whole of Facebook is blocked).

But if I go to Facebook via the browser (just type in facebook.com) it gets redirected to https:// and opens the page.

I have managed (with the self-signed cert of OPNsense) to enable the AdGuard HTTPS connection, but it's still not filtering HTTPS.

Any ideas?

TiA
Title: Re: Adguard and HTTPS queries
Post by: Patrick M. Hausen on July 13, 2023, 01:09:13 pm
Are you sure your browser isn't bypassing your local recursive DNS server and using DoH?

AdGuard Home (?) only filters DNS requests and answers. Once the browser finds a valid IP address for Facebook, it will always be able to connect.
Title: Re: Adguard and HTTPS queries
Post by: CJ on July 13, 2023, 01:56:51 pm
DoH is probably the culprit.  I know it's enabled by default in Firefox.  Not sure about other browsers.

https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs

The other option could be that Facebook was just blocked and it's still in the OS and/or app DNS cache.
Title: Re: Adguard and HTTPS queries
Post by: iammike on July 13, 2023, 02:37:01 pm

> DoH is probably the culprit.  I know it's enabled by default in Firefox.  Not sure about other browsers.
>
> https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs
>
> The other option could be that Facebook was just blocked and it's still in the OS and/or app DNS cache.

DNS was flushed and the OS cache removed (never visited Facebook anyway).

I think I disabled DoH but will check and report back.
Title: Re: Adguard and HTTPS queries
Post by: iammike on July 14, 2023, 12:04:20 am
Update

Yes, DoH was enabled, and when disabled the blocking of HTTPS works as well.

But that automatically leads to another question. How to block this? Or is that even possible?

I already made the NAT forward rule (for DNS) but apparently that seems to be not enough.

Suggestions and tips are more than welcome.
Title: Re: Adguard and HTTPS queries
Post by: cookiemonster on July 14, 2023, 10:29:15 am
Not via AdGuardHome, that is not one of its capabilities.
Zenarmor has an option to block DoH that you can try, even on the free version with a single policy.
I remember trying it but it led to some unwanted behaviour that might have been a combination with another setting but I haven't revisited it.
Title: Re: Adguard and HTTPS queries
Post by: CJ on July 14, 2023, 02:23:23 pm
There's two ways you can attempt to block DoH.  First is to add the DNS entries of all the nameservers you can find to your DNSBL.  Second is to add the IPs of all the nameservers you can find to a firewall alias and block it.

There's some different lists out there but I can't speak to how comprehensive they are.  I'm using this one. https://public-dns.info/nameservers.txt
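
The two approaches from the post above, as an added example (not code from the thread, OPNsense or AdGuard): split a resolver list into IP entries for a firewall alias and hostnames for a DNS blocklist, without ever listing the local resolver. The sample list is constructed, `build_blocklists` and `keep_reachable` are hypothetical names, and 10.0.10.1 is the OPNsense address from the nslookup output.

```python
import ipaddress
import re

# Constructed sample (one entry per line); not taken from the list linked above.
SAMPLE_LIST = """\
# constructed sample
8.8.8.8
1.1.1.1
8.8.8.8
2001:4860:4860::8888
2001:4860:4860:0:0:0:0:8888
10.0.10.1
127.0.0.1
999.1.1.1
DNS.Example.NET
1.1.1.1   # trailing comment
"""

HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def build_blocklists(text, keep_reachable=("10.0.10.1",)):
    """Sort entries into firewall-alias IPs and DNSBL hostnames.

    keep_reachable: resolvers that clients must still reach (assumption:
    the router's own address), so they never end up in the alias.
    """
    allow = {ipaddress.ip_address(a) for a in keep_reachable}
    ips, names, skipped = set(), set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            if HOSTNAME.match(entry):
                names.add(entry)  # hostname: candidate for the DNS blocklist
            else:
                skipped.append((lineno, entry, "neither IP nor hostname"))
            continue
        if ip in allow:
            skipped.append((lineno, entry, "local resolver, must stay reachable"))
        elif not ip.is_global:
            skipped.append((lineno, entry, "not publicly routable"))
        else:
            ips.add(ip)  # set membership also merges equivalent IPv6 spellings
    v4 = [str(i) for i in sorted(i for i in ips if i.version == 4)]
    v6 = [str(i) for i in sorted(i for i in ips if i.version == 6)]
    return {"alias_v4": v4, "alias_v6": v6, "dnsbl": sorted(names), "skipped": skipped}
```

The `skipped` entries carry the source line number, so a malformed or unexpected line in a downloaded list can be reviewed instead of silently landing in a block rule.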
Title: Re: Adguard and HTTPS queries
Post by: iammike on July 15, 2023, 04:02:51 am
> There's two ways you can attempt to block DoH.  First is to add the DNS entries of all the nameservers you can find to your DNSBL.  Second is to add the IPs of all the nameservers you can find to a firewall alias and block it.
>
> There's some different lists out there but I can't speak to how comprehensive they are.  I'm using this one. https://public-dns.info/nameservers.txt

Thx a lot.

I found this link (but for Pi-hole) and that explains it.

https://labzilla.io/blog/force-dns-pihole