OPNsense Forum
English Forums => General Discussion => Topic started by: 9axqe on May 09, 2023, 06:15:49 pm
-
Hello,
I'm trying to force every device to use adguard internally and wanted to block access to known DoH providers. (I already blocked UDP/TCP port 53, TCP 853 and UDP 8853)
I found a couple of lists online:
https://github.com/dnscrypt/dnscrypt-resolvers
I plan to extract all IPs and put this into one or multiple firewall aliases. Does someone have a better idea?
-
I just created a DoH url list which I host online and then used the DNSBL custom feature to point to the URL.
It's not a perfect solution but it takes care of the main known resolvers.
-
Thanks for the suggestion, I opted for creating the list manually and locally and simply paste everything into the field in the alias config page of OPNsense. I considered the URL but if I'm going to maintain it manually anyway, it's yet another thing which can break – I'm a keep-it-simple kind of person =)
-
I use a URL because I use some CLI piping to convert online lists into ones that work with OPNsense. Right now I probably have 100 or so DoH servers in there.
That's way too many for me to manually add via the UI. And hosting a URL is much easier than learning the OPNsense API. :)
-
Makes sense, I agree. I have smaller ambitions, I have a small list of 30-50 IPs, the most well known ones.
-
How are you deciding on which ones to block? Right now I convert one of the pfSense lists but I need to put together a script to convert some of the other lists I've seen online.
-
Me? I just did an internet search for "what are the best DoH providers" and looked up the IPv4 and v6 of the top 15 ones.
-
Ah, okay. I wonder if I should actually formalize my scripts and write up a blog post about it.
It would be nice if we could just use cron to handle the update but I don't believe there's a way to get the blocklist to look at a local file.
-
I followed this guide.
https://labzilla.io/blog/force-dns-pihole (https://labzilla.io/blog/force-dns-pihole)
Scroll down to Create IP list part of the guide
It is written for pfSense but works with OPNsense.
Cheers,
-
I followed this guide.
https://labzilla.io/blog/force-dns-pihole (https://labzilla.io/blog/force-dns-pihole)
Scroll down to Create IP list part of the guide
It is written for pfSense but works with OPNsense.
Cheers,
There's no need to specify a server list when using DoT as it uses a specific port the same way DNS does. DoH uses HTTPS so it does need a list.
That said, the public dns ip list is new to me, so I'll definitely take a look at it. If it works well I'll add a part 3 to my guide with it and the new unbound reporting.
Thanks.
-
I followed this guide.
https://labzilla.io/blog/force-dns-pihole (https://labzilla.io/blog/force-dns-pihole)
The list of DoH providers linked in this article includes wrong IPs (private IPs such as 192.168.1.1, for example); I got lucky there was a failsafe, otherwise I would have locked myself out...
You can check for yourself: http://public-dns.info/nameservers-all.txt
I would not recommend using this list.
-
I followed this guide.
https://labzilla.io/blog/force-dns-pihole (https://labzilla.io/blog/force-dns-pihole)
The list of DoH providers linked in this article includes wrong IPs (private IPs such as 192.168.1.1, for example); I got lucky there was a failsafe, otherwise I would have locked myself out...
You can check for yourself: http://public-dns.info/nameservers-all.txt
I would not recommend using this list.
It appears that the valid nameservers list doesn't have private IPs on it like the all-nameservers list. I'll have to diff them to see what the differences are.
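The two points raised above, converting a downloaded resolver list into something an OPNsense alias will accept and making sure a bad entry such as 192.168.1.1 never ends up in a block rule, can be handled in one small filter step. The script below is an added example for this thread; it is not code from the forum posts, from OPNsense or from public-dns.info. It assumes input in the shape of the public-dns.info text files (one address per line, blank lines and "#" comments tolerated); the sample list embedded in it is constructed, not a real download. It keeps only globally routable unicast addresses, reports what it dropped, and can diff two lists the way the previous post describes.

```python
"""Filter a downloaded nameserver list into an OPNsense-alias-friendly list.

Added example, not from the forum thread, OPNsense or public-dns.info. The
input format is assumed to be one address per line (blank lines and '#'
comments allowed), as in public-dns.info's text files.
"""
import ipaddress
from typing import List, Set

# Constructed sample in the shape of a nameservers-all.txt download. The
# private, loopback and link-local entries stand in for the bad lines the
# thread warns about; 8.8.8.8, 1.1.1.1 and 2001:4860:4860::8888 are well-known
# public resolvers used only as examples of entries that should survive.
SAMPLE_LIST = """\
# constructed sample list
8.8.8.8
1.1.1.1
192.168.1.1      # private: would match a LAN gateway
10.0.0.53        # private
127.0.0.1        # loopback
2001:4860:4860::8888
fe80::1          # link-local
8.8.8.8          # duplicate
not-an-ip        # malformed line
"""


def parse_addresses(text: str) -> list:
    """Return the IPv4/IPv6 addresses found in text, one per line.

    Blank lines and '#' comments are ignored; lines that are not a bare
    address (hostnames, CIDR blocks, garbage) are skipped rather than guessed.
    """
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            found.append(ipaddress.ip_address(line))
        except ValueError:
            continue
    return found


def is_safe_to_block(addr) -> bool:
    """True only for globally routable unicast addresses.

    Private, loopback, link-local, multicast and reserved ranges are refused:
    a block rule that matches one of those can cut off the LAN or the
    firewall's own management path, which is exactly the lock-out risk
    described in the thread.
    """
    return addr.is_global and not (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
    )


def build_alias_list(text: str) -> List[str]:
    """Deduplicated, sorted list ready to paste into an alias (IPv4 first)."""
    keep = {a for a in parse_addresses(text) if is_safe_to_block(a)}
    return [str(a) for a in sorted(keep, key=lambda a: (a.version, a))]


def rejected(text: str) -> List[str]:
    """Addresses the filter dropped, in input order, for manual review."""
    return [str(a) for a in parse_addresses(text) if not is_safe_to_block(a)]


def diff_lists(left: str, right: str) -> Set[str]:
    """Addresses present in the left list but absent from the right one."""
    return {str(a) for a in parse_addresses(left)} - {
        str(a) for a in parse_addresses(right)
    }


if __name__ == "__main__":
    print("alias entries:", build_alias_list(SAMPLE_LIST))
    print("dropped:", rejected(SAMPLE_LIST))
```

Run it against a real download by reading the file into `build_alias_list` instead of `SAMPLE_LIST`; the `rejected` output is worth a glance before pasting the result into an alias, since it shows exactly which entries of the upstream list would have been dangerous to block.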
-
Do you mean http://public-dns.info/nameservers.txt ?
-
Do you mean http://public-dns.info/nameservers.txt ?
Yes. That is the one I was referring to. All of the servers on that list have been validated by the criteria listed on the homepage.