Blocking DoH

Started by peat588, December 03, 2018, 06:14:02 PM

Hello,

It seems at least Firefox is moving to enable DNS over HTTPS by default. This creates problems on our network so I'm looking for ways to block DoH traffic. I'm wondering if someone already found a reliable way of blocking this type of traffic in OPNsense.

So far I figured I can overwrite mozilla.cloudflare-dns.com in our DNS and try to block all associated IP addresses. This could end up a game of whack-a-mole if they keep changing the IP addresses.

Many thanks for any insight on this in advance,

As far as I can remember Mozilla works on this together with Cloudflare, which has the IP 1.1.1.1 for its resolvers. You can probably just block the destination IP (range); however, I cannot tell you what the final version of DoH in Firefox will look like. In the worst case you can still block it via the proxy.

Thank you for your answer. Right now mozilla.cloudflare-dns.com resolves to the following; this can change at any time.

mozilla.cloudflare-dns.com has address 104.16.111.25
mozilla.cloudflare-dns.com has address 104.16.112.25
mozilla.cloudflare-dns.com has IPv6 address 2606:4700::6810:6f19
mozilla.cloudflare-dns.com has IPv6 address 2606:4700::6810:7019

If other browsers jump on the DoH bandwagon this can become more problematic.

Using a proxy could be a solution, I need to research that to see if it can work.
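The two approaches discussed in the thread (overriding the DoH hostname in the local resolver, and blocking the resolved addresses at the firewall) can be combined so the address list is regenerated from `host` output instead of maintained by hand. The following is an added example written for this thread, not code from OPNsense or from any poster. It assumes Unbound as the resolver (OPNsense's default) and an OPNsense "URL Table (IPs)" alias that fetches a one-address-per-line file; the sample `host` output is the one quoted above, embedded here as a constructed input, and the sink addresses 0.0.0.0 and :: are an assumption of the example.

```python
"""Turn `host` output for a DoH endpoint into an Unbound override and an
OPNsense URL-table alias file (example code, not from the forum thread)."""
import ipaddress
import re
import socket

# Constructed sample: the `host mozilla.cloudflare-dns.com` output quoted in the thread.
SAMPLE_HOST_OUTPUT = """\
mozilla.cloudflare-dns.com has address 104.16.111.25
mozilla.cloudflare-dns.com has address 104.16.112.25
mozilla.cloudflare-dns.com has IPv6 address 2606:4700::6810:6f19
mozilla.cloudflare-dns.com has IPv6 address 2606:4700::6810:7019
"""

# Only A/AAAA answer lines; "is an alias for", MX lines and errors are ignored.
_HOST_LINE = re.compile(r"^(?P<name>\S+) has (?:IPv6 )?address (?P<addr>\S+)$")


def _addr_key(addr):
    """Sort IPv4 before IPv6, then by numeric value."""
    return (addr.version, addr.packed)


def parse_host_output(text):
    """Return {hostname: sorted list of ip_address objects} parsed from `host` output."""
    found = {}
    for line in text.splitlines():
        m = _HOST_LINE.match(line.strip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # malformed answer: skip rather than poison the block table
        found.setdefault(m.group("name").rstrip("."), set()).add(addr)
    return {name: sorted(addrs, key=_addr_key) for name, addrs in found.items()}


def resolve_live(name):
    """Live variant for a cron job: resolve `name` with the system resolver
    (needs network; not used by the offline sample run)."""
    addrs = {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(name, None)}
    return {name: sorted(addrs, key=_addr_key)}


def unbound_override(hosts, sink_v4="0.0.0.0", sink_v6="::"):
    """Unbound local-zone/local-data lines that answer the DoH hostname with an
    unroutable sink (assumed sink values), so clients never learn the real address."""
    lines = []
    for name in sorted(hosts):
        lines.append(f'local-zone: "{name}." static')
        lines.append(f'local-data: "{name}. A {sink_v4}"')
        lines.append(f'local-data: "{name}. AAAA {sink_v6}"')
    return "\n".join(lines) + "\n"


def alias_table(hosts):
    """One address per line: the file format an OPNsense URL Table (IPs) alias fetches.
    A firewall rule rejecting TCP/443 to that alias then blocks the endpoint even if
    the client bypasses the local resolver."""
    addrs = sorted({a for addrs in hosts.values() for a in addrs}, key=_addr_key)
    return "\n".join(str(a) for a in addrs) + "\n"


if __name__ == "__main__":
    hosts = parse_host_output(SAMPLE_HOST_OUTPUT)
    print("# unbound custom options")
    print(unbound_override(hosts))
    print("# alias file for a URL Table (IPs) alias")
    print(alias_table(hosts))
```

Scheduling `resolve_live` instead of the pasted output and re-publishing the alias file addresses the whack-a-mole concern: the alias refreshes on the interval configured in OPNsense, so new endpoint addresses are picked up without editing rules. Keep the firewall rule as the backstop, since a client that ignores the local resolver is unaffected by the Unbound override alone.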