OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: cake on January 16, 2023, 04:35:46 am

Title: Blocking DNS, Private DNS, DNS over HTTPS and others
Post by: cake on January 16, 2023, 04:35:46 am
Been pulling my hair out trying to figure out why my test phone is getting DNS after I blocked port 53 completely.
Turns out it has a setting "Private DNS" that activates itself once in a while.

Does anyone know if there is a GitHub list that publishes known IP addresses that run DNS over HTTPS?

I want my dnscrypt to handle all DNS queries, and port forward anything on 53 to 5353. Unbound is doing this and port forwarding is also sending port 53 traffic to dnscrypt. My problem is that Google and other data-mining companies are running HTTPS DNS resolvers. Firefox and other browsers are defaulting to using this and sending the DNS to their buddies' resolvers. I want to block these devices on my network that are bypassing my DNS settings.

Sorry if this is hard to follow. I keep getting browser updates on computers and the updates change settings that I previously set. They are bypassing my DNS even though I block outbound port 53 and port forward 53 to 5353 where dnscrypt is listening. Let's just say I don't think mozzarella, khrome, or edge is on my side and I don't want them getting lists of DNS lookups from my network. Someone must have a list like the no-ads ones on GitHub.
Title: Re: Blocking DNS, Private DNS, DNS over HTTPS and others
Post by: cake on January 16, 2023, 06:44:37 am
Looks like I did not search hard enough; scored a nice one already.
Going to add it to the other lists (ads, tracking/phishing, Microsoft, social media lists .....)

Here if anyone else is interested.
https://github.com/oneoffdallas/dohservers

Hopefully this stops devices in my network from circumventing my dnscrypt settings.
Title: Re: Blocking DNS, Private DNS, DNS over HTTPS and others
Post by: tiermutter on January 16, 2023, 07:10:01 am
In addition to the dallas list I am using the following:

https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt
https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt
https://raw.githubusercontent.com/neargle/public-dns-list/master/all.txt
https://public-dns.info/nameservers-all.txt
https://raw.githubusercontent.com/pallebone/TheGreatWall/master/TheGreatWall_ipv4
https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt

And on top some custom DNS servers that are/were not part of the other lists:
chrome.cloudflare-dns.com
mozilla.cloudflare-dns.com
doh.opendns.com
doh.dns.sb
185.222.222.222
185.184.222.222
2a09::
2a09::1
2a07:a8c0::89:ec71
2a07:a8c1::89:ec71
dns.nextdns.io

None of them covers DoQ, which will be a challenge for the future...
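The lists above come in mixed shapes (bare IPv4, IPv6, CIDR ranges, hostnames, comment lines), and an OPNsense URL Table alias only matches on addresses, so hostnames need resolving (or a host-type alias) before they do anything. The following is an added example, not code from OPNsense or from any of the list maintainers: it parses those formats into separate buckets, collapses overlapping networks so one entry does not hide inside another, records junk lines instead of silently dropping them, and lets you check whether a given address would be caught by the merged set. The sample list contents are constructed for the example; the hostnames and addresses in them are well-known public resolvers, not taken from the linked lists.

```python
"""Merge mixed-format DoH/resolver blocklists into one deduplicated set.

Added example (not from OPNsense or any list maintainer).  The sample
input below is constructed to exercise the formats the real lists use.
"""
import ipaddress
import re

# Constructed sample lists: bare IPv4/IPv6, CIDR, hostnames, comments,
# duplicates across lists, mixed case and one garbage line.
SAMPLE_LISTS = [
    """# constructed list A: DoH endpoints
8.8.8.8
8.8.4.4
1.1.1.1
2606:4700:4700::1111
dns.google
""",
    """# constructed list B: overlapping and messy entries
1.1.1.1  # duplicate of list A, with an inline comment
1.1.1.0/24
8.8.8.8
mozilla.cloudflare-dns.com
DOH.OPENDNS.COM
not a valid entry

""",
]

# Conservative hostname syntax check (labels of letters/digits/hyphens, alphabetic TLD).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def classify(line):
    """Return ('ipv4'|'ipv6'|'hostname', normalized value) or None for junk.

    Text after '#' is treated as a comment.  Addresses become networks
    (a bare address is a /32 or /128); hostnames are lower-cased so that
    differently cased duplicates collapse into one entry.
    """
    token = line.split("#", 1)[0].strip()
    if not token:
        return None
    try:
        net = ipaddress.ip_network(token, strict=False)
        return ("ipv4" if net.version == 4 else "ipv6", net)
    except ValueError:
        pass
    if HOSTNAME_RE.match(token):
        return ("hostname", token.lower())
    return None


def merge_lists(texts):
    """Merge raw list contents into sorted, deduplicated buckets.

    Overlapping networks are collapsed (1.1.1.1/32 vanishes once 1.1.1.0/24
    is present).  Hostnames are kept apart because an IP alias cannot use
    them unresolved.  Lines that are neither address nor hostname land in
    'rejected' so a broken upstream list is noticed rather than ignored.
    """
    v4, v6, names, rejected = set(), set(), set(), []
    for text in texts:
        for raw in text.splitlines():
            result = classify(raw)
            if result is None:
                if raw.split("#", 1)[0].strip():
                    rejected.append(raw.strip())
                continue
            kind, value = result
            if kind == "ipv4":
                v4.add(value)
            elif kind == "ipv6":
                v6.add(value)
            else:
                names.add(value)
    return {
        "ipv4": [str(n) for n in sorted(ipaddress.collapse_addresses(v4))],
        "ipv6": [str(n) for n in sorted(ipaddress.collapse_addresses(v6))],
        "hostnames": sorted(names),
        "rejected": rejected,
    }


def is_blocked(address, merged):
    """True if 'address' falls inside any network of the merged set."""
    ip = ipaddress.ip_address(address)
    bucket = merged["ipv4"] if ip.version == 4 else merged["ipv6"]
    return any(ip in ipaddress.ip_network(n) for n in bucket)


def to_alias_lines(merged):
    """One address or network per line, the shape a URL Table alias fetches."""
    return "\n".join(merged["ipv4"] + merged["ipv6"]) + "\n"


if __name__ == "__main__":
    result = merge_lists(SAMPLE_LISTS)
    print(to_alias_lines(result))
    print("hostnames still to resolve:", result["hostnames"])
    print("rejected lines:", result["rejected"])
    print("8.8.8.8 blocked:", is_blocked("8.8.8.8", result))
```

Feeding real list contents in place of SAMPLE_LISTS (for instance, each downloaded file read into a string) gives a single deduplicated alias file; the `hostnames` bucket is the part an address-only alias cannot consume, which is the same gap as the manually added `mozilla.cloudflare-dns.com` style entries above.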
Title: Re: Blocking DNS, Private DNS, DNS over HTTPS and others
Post by: cake on January 16, 2023, 09:27:33 am
Wow, thanks for the list tiermutter. I did an nslookup on the manually entered ones.
mozilla.cloudflare-dns.com
doh.opendns.com
doh.dns.sb
Those are listed in this one -> https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt

Incidentally, I had to disable the Aliases check box, hit save, and then click the box to re-enable it in order for the new list to be populated. (Hope that helps someone.) 2,400+ DNS over HTTPS (DoH) servers all together.

I got my system to work. I can't ping 8.8.8.8 anymore, and a device that has 8.8.8.8 manually set for DNS goes through dnscrypt according to https://ipleak.net/

The only thing that bothers me is all the queries in the dnscrypt logging tab now say 127.0.0.2 or 192.168.0.4 (where dnscrypt is listening), so I have to look at unbound to see what device is making any questionable queries.

If anyone is going to work on their system, I suggest disabling DNS cache everywhere you can before you start. Your machine, your browser, unbound.... lol. I see there are some tutorials but most are a bit stale. I could make one and post it here if there is interest.

cheers everyone