To anyone in the know, is public-dns.info still actively updated? Their last changelog entry is from 2020, and on the main front page the recent server last checked times all show 2 years ago. Their Contact link also forwards to a different site.
If they aren't active anymore, is there another such actively updated public DNS server list that I can use in Opnsense as an alias for blocking purposes?
You could just port-forward port 53 to your own DNS instance to block any other DNS server instead of relying on incomplete lists of any kind.
Already have 53 and 853 blocked, and 53 forwarded. I'm more concerned about DNS over HTTP and supposedly that site also tracked DoH sites, and their list was updated daily. Keyword there seeming to be "was". Even looking at the country listings shows everything last being checked 2 or more years ago.
I should probably ask if there is a known reliable regularly updated list of DoH servers to use for blocking purposes?
Quote from: Mpegger on November 30, 2025, 11:10:54 PM
I should probably ask if there is a known reliable regularly updated list of DoH servers to use for blocking purposes?
https://github.com/hagezi/dns-blocklists?tab=readme-ov-file#bypass
HTH,
Patrick
Maybe I am just too dumb, but how can one use that with OpnSense to block DoH servers?
I know I can use hostname-based lists with the "URL Table (IPs)" alias type (which sounds counter-intuitive), however, this obviously does not work with lists that contain entries like *.domain.xyz.
Since not all names are contained in the list without wildcards, it does not even work when I use that and set Mozilla to use DoH, because "mozilla.cloudflare-dns.com" is not contained in the list and does not resolve to the same IPs as cloudflare-dns.com. Thus, it is not blocked.
Using the wildcard hostname lists in an Unbound DNS blocklist seems unintuitive, because one could use the hard-coded IP to circumvent it and it would also block other services that might be within the affected domains.
I think what you really want here is a list of IPs to block for port 443?
Quote from: meyergru on December 01, 2025, 03:06:35 PM
Since not all names are contained in the list without wildcards, it does not even work when I use that and set Mozilla to use DoH, because "mozilla.cloudflare-dns.com" is not contained in the list and does not resolve to the same IPs as cloudflare-dns.com (https://cloudflare-dns.com/). Thus, it is not blocked.
Hagezi's list I linked to contains e.g. "cloudflare-dns.com^" which at least in AdGuard Home means "cloudflare-dns.com" and any subdomain thereof. So mozilla.cloudflare-dns.com is covered.
O.K., so you need AG Home on top. The column "Should be used for" for the lists suggests Unbound and OpnSense, but I fail to see how that works.
And that may also be circumvented by using the IP on itself, since AG Home is never asked.
P.S.: There is a "near-native" approach in Unbound's blocklists, but it uses the wildcard domains only. You do not even have to know the URL. The blocklist type has to be set to "[hagezi] DoH/VPN/TOR/Proxy Bypass", see https://github.com/opnsense/core/issues/8224 - however, it is not the RPZ type list that is being used, just the wildcard domains.
The list is available in different formats. The one for unbound looks like this:
cloudflare-dns.com CNAME .
*.cloudflare-dns.com CNAME .
Quote from: meyergru on December 01, 2025, 04:09:48 PM
And that may also be circumvented by using the IP on itself, since AG Home is never asked.
My thoughts also. When I attempted to block DoH, I went looking for an IP list rather than a domain blocklist, assuming at least some clients will attempt to reach a DoH server directly without first resolving a hostname.
Quote from: keeka on December 01, 2025, 04:36:45 PM
I went looking for an IP list rather than a domain blocklist
https://github.com/hagezi/dns-blocklists?tab=readme-ov-file#bypass_ips
Not a single IPv6 in that list (as the comment already suggests) - but worse, the IPv4 ones used by Mozilla are not in that list, either:
Name: mozilla.cloudflare-dns.com
Address: 172.64.41.4
Name: mozilla.cloudflare-dns.com
Address: 162.159.61.4
Name: mozilla.cloudflare-dns.com
Address: 2a06:98c1:52::4
Name: mozilla.cloudflare-dns.com
Address: 2803:f800:53::4
The RPZ-type lists could be used in Unbound, but there is no automation in OpnSense.
So, now I got a current list: https://github.com/dibdot/DoH-IP-blocklists
You can use it like so to block DoH requests going outside:
1. Create two "URL table in JSON format (IP)" type aliases with a refresh time of ~ one day and ".[]" as the JSON path expression:
DoH_IPv4 with content "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv4.json"
DoH_IPv6 with content "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv6.json"
plus a "Ports" type alias - because some DoH services are offered on alternate ports as well:
DoH_Ports with content "53 80 443 453 853 8053".
2. Create one inbound block floating rule for IPv4 on your LAN interfaces using DoH_IPv4 and one for IPv6 using DoH_IPv6, both with the target port alias DoH_Ports and for TCP/UDP. These rules should apply to whatever interface(s) you want to block DoH on.
You can check effectiveness by using DoH in your browser, which should fail after a timeout.
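The recurring question in this thread is whether a given IP blocklist actually covers the addresses a DoH endpoint resolves to (see the mozilla.cloudflare-dns.com lookup above). The following is an added example, not code from the thread or from the dibdot project: it parses lists in the same shape as doh-ipv4.json / doh-ipv6.json (a top-level JSON array of IP or CIDR strings, which is why the alias uses the ".[]" JSON path) and reports which resolved addresses fall outside the list. The list contents below are constructed for the example; the resolved addresses are the ones posted above.

```python
import ipaddress
import json

# Constructed sample lists in the shape of dibdot's doh-ipv4.json / doh-ipv6.json:
# a top-level JSON array of strings holding bare addresses or CIDR prefixes.
# These values are made up for the example and are not the real list contents.
DOH_IPV4_JSON = '["1.1.1.1", "1.0.0.1", "172.64.41.4", "162.159.61.4", "9.9.9.0/24"]'
DOH_IPV6_JSON = '["2606:4700:4700::1111", "2a06:98c1:52::/48", "not-an-ip"]'

# Addresses as posted in the thread for mozilla.cloudflare-dns.com (lookup output above).
RESOLVED = {
    "mozilla.cloudflare-dns.com": [
        "172.64.41.4", "162.159.61.4", "2a06:98c1:52::4", "2803:f800:53::4",
    ],
}

def load_networks(json_text):
    """Parse a JSON array of IP/CIDR strings into network objects; skip malformed entries."""
    nets = []
    for entry in json.loads(json_text):
        try:
            # strict=False accepts host bits set in a prefix, e.g. "9.9.9.9/24".
            nets.append(ipaddress.ip_network(str(entry).strip(), strict=False))
        except ValueError:
            continue  # one bad line must not invalidate the whole alias
    return nets

def covered_by(nets, address):
    """Return the first network containing address, or None if the list has a gap."""
    addr = ipaddress.ip_address(address)
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None

def coverage_report(nets, resolved):
    """Map each name to the resolved addresses the list does NOT cover (empty dict = full coverage)."""
    gaps = {}
    for name, addrs in resolved.items():
        missing = [a for a in addrs if covered_by(nets, a) is None]
        if missing:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    networks = load_networks(DOH_IPV4_JSON) + load_networks(DOH_IPV6_JSON)
    # With the constructed lists, only 2803:f800:53::4 is reported as uncovered.
    print(coverage_report(networks, RESOLVED))
```

Run this against the real doh-ipv4.json / doh-ipv6.json plus your own resolver output to confirm the alias blocks every address a client can actually reach, including the IPv6 ones.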
This is indeed a maintained source of DoH servers I use as well.
You could also add this rule to apply to TCP traffic on these ports only, since DoH uses TCP.
I would use TCP and UDP because of HTTP/3 (QUIC). The list includes IPv6 and also lists mozilla.cloudflare-dns.com.
What would be wrong with blocking these IP addresses entirely? Surely no provider of DoT/DoH would be running other vital services on the same servers? Would they? :-)
Looking at the list, I am not so sure. When you use an IP list, it might be safe to do so - with a wildcard list, I am unsure.
Take cubedns.com (or potentially, any DoH service that uses only one dot in their name): they have their website on the same URL (and IP). Then again, by blocking port 443 - which you must, it will not work, anyway. At least, you could send them an E-Mail, I guess ;-)
Cloudflare was savvy enough to use a separate domain for DNS.
It is interesting what you can find when you block these things:
- I found HomeAssistant OS using Cloudflare despite being told to use my internal DNS (there is a trick to disable that: https://kcore.org/2022/08/12/hass-disable-fallback-dns/).
- Also, I caught some of my IoT devices using external NTP services - this included Apple TVs. By redirecting to the local NTP, I could make that go away.
On the other hand, I never trusted those anyway, hence why they are on a separate VLAN.
I am pondering adding the linked "dibdot" IP lists to my global IP based blocklist rules. I'll give it a try, I guess.
For domain based blocking I use AGH and mostly Hagezi's lists.
@meyergru
I block QUIC totally by blocking all UDP traffic on ports 80 and 443.
In that case you are losing potential speed on many modern websites.
I didn't even know that DoH used that many ports. I thought it was just the typical 80 and 443. I'll give it a whirl and see how it works on my network. Thanks.