DNS over HTTPS - any way to block?

Started by chemlud, March 28, 2019, 03:08:12 PM

I think you have to change the value to 5 to completely disable DoH in the Mozilla browser:
https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/

I saved the list and used the good old and slow method with gedit to search and replace strings, and the end result with the IPv4 addresses and DNS names I imported into an alias.


April 10, 2019, 03:00:21 PM #16 Last Edit: April 10, 2019, 03:46:48 PM by chemlud
Yep, you're right, "5" is the better option. And I removed the trr.uri as well...

Sure IPv4 is enough? Although I disabled IPv6 completely, I see IPv6 addresses, routes etc. all over the place in my senses...

PS: in 60.6.1 ESR the option "5" kills off DNS completely for FF, no pages can be loaded at all. Strange...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

April 10, 2019, 05:27:56 PM #17 Last Edit: April 10, 2019, 05:40:22 PM by 3kj2w
No problems with option 5 on my Linux with Firefox Quantum 66.0.2.

I also disabled IPv6 on my firewalls, and more than that, I also tampered with the source and deleted any IPv6 port opening, listening, reference...

Here are some other sources for DoH:
https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers
https://en.wikipedia.org/wiki/Public_recursive_name_server


Here is the first list I use; feel free to change, correct, add:
# Public resolvers list with DoH 10-04-2019 v0.0.1 LLC
dns-gcp.aaflalo.me
35.231.69.77

dns.aaflalo.me
176.56.236.175

176.103.130.132
176.103.130.130

dns-family.adguard.com
176.103.130.132

dns.adguard.com
176.103.130.130

139.59.16.130

178.128.255.28

dns.dnscrypt-tupi.org
191.252.100.35

139.59.48.222

51.15.106.176

208.67.220.220
208.67.220.123

185.228.168.10
185.228.168.168
185.228.168.9

dns.cloudflare.com
1.1.1.1
1.0.0.1

commons.host

8.20.247.2

77.51.181.209

81.17.31.34

128.127.104.108

213.163.64.208

185.107.80.84

185.117.118.20

5.133.8.187

185.212.169.139
185.94.193.234

212.129.46.32

195.154.40.48

109.71.42.228

103.16.27.53

5.254.96.195

178.175.139.211

109.248.149.133

82.163.72.123

84.16.240.43

89.163.214.174

162.221.207.228

167.114.84.132

173.234.159.235
173.234.56.115

104.238.195.139

64.120.5.251

198.7.58.227

209.58.147.36

64.42.181.227

155.254.29.113

23.19.67.116

104.255.175.2

93.95.226.165

41.79.69.13

209.250.235.170

199.167.130.118
199.167.128.112

77.66.84.233

176.56.237.171

167.86.90.103

45.76.35.212

doh.dnscrypt.nl
108.61.199.170

139.59.200.116

108.61.201.119

159.69.198.101

doh2.dnswarden.com
159.69.16.58

doh1.dnswarden.com
94.130.183.18

doh-de.blahdns.com
159.69.198.101

doh-jp.blahdns.com
108.61.201.119

doh.cleanbrowsing.org

doh.crypto.sx
104.28.0.106

ibksturm.synology.me
178.82.103.5

23.111.74.216
23.111.69.126

205.185.116.116

edns.233py.com
47.101.136.37

wdns.233py.com
118.24.208.197

sdns.233py.com
119.29.107.85

ndns.233py.com
114.115.240.175

dns.google.com
216.58.215.110

jp.gridns.xyz
172.105.241.93

sg.gridns.xyz
139.162.3.123

178.82.103.5

149.28.152.81

doh.tiar.app
45.32.105.4

194.132.32.32

180.131.144.144

195.10.195.195

142.4.204.111
142.4.205.47

doh.powerdns.org
136.144.215.158

doh.seby.io
45.76.113.31

106.51.128.78

dns.quad9.net
149.112.112.112

dns9.quad9.net
9.9.9.9
9.9.9.10
149.112.112.9
149.112.112.10

173.82.232.232

dns.rubyfish.cn
118.89.110.78

ea-dns.rubyfish.cn

uw-dns.rubyfish.cn

212.47.228.136

146.185.167.43

doh.securedns.eu
146.185.167.43

163.172.180.125

178.216.201.222

51.158.106.42

37.221.195.181

107.170.57.34

77.88.8.78

5.189.170.196

151.80.222.79

78.47.64.161

mozilla.cloudflare-dns.com
104.16.249.249

cloudflare-dns.com
104.16.111.25

doh.dns.sb
185.222.222.222
185.184.222.222

dns.dnsoverhttps.net
104.236.178.232

dns.dns-over-https.com
45.77.124.64

doh.appliedprivacy.net
37.252.185.229

April 10, 2019, 07:06:52 PM #18 Last Edit: April 10, 2019, 07:10:09 PM by chemlud
Wow, an IPv6-free OPNsense! Nice project, others would be interested, too, I guess ;-)

Is there an easy way to close ports on OPNsense for IPv6 DHCP and other stuff apparently running?

I added some more (some are DNS over TLS, too):

# Public resolvers list with DoH 10-04-2019 v0.0.1 LLC

#Surfnet
145.100.185.15
145.100.185.16
145.100.185.17
145.100.185.18

dns.larsdebruin.net
51.15.70.167

securedns.eu

dns-tls.bitwiseshift.net
81.187.221.24

ns1.dnsprivacy.at
94.130.110.185

ns2.dnsprivacy.at
94.130.110.178

dns.bitgeek.in
139.59.51.46

#Lorraine Data Network
80.67.188.188

dns.neutopia.org
89.234.186.112

#Tenta
99.192.182.200

66.244.159.200

99.192.182.100

66.244.159.100

dns.233py.com

#DNS Warden
116.203.70.156

116.203.35.255
getdnsapi.net
185.49.141.37

#UncensoredDNS
89.233.43.71

#Fondation RESTENA
158.64.1.29

dns.google.com/resolve
216.58.214.110

dns-gcp.aaflalo.me
35.231.69.77

dns.aaflalo.me
176.56.236.175

176.103.130.132
176.103.130.130

dns-family.adguard.com
176.103.130.132

dns.adguard.com
176.103.130.130

139.59.16.130

178.128.255.28

dns.dnscrypt-tupi.org
191.252.100.35

139.59.48.222

51.15.106.176

208.67.220.220
208.67.220.123

185.228.168.10
185.228.168.168
185.228.168.9

dns.cloudflare.com
1.1.1.1
1.0.0.1

commons.host

8.20.247.2

77.51.181.209

81.17.31.34

128.127.104.108

213.163.64.208

185.107.80.84

185.117.118.20

5.133.8.187

185.212.169.139
185.94.193.234

212.129.46.32

195.154.40.48

109.71.42.228

103.16.27.53

5.254.96.195

178.175.139.211

109.248.149.133

82.163.72.123

84.16.240.43

89.163.214.174

162.221.207.228

167.114.84.132

173.234.159.235
173.234.56.115

104.238.195.139

64.120.5.251

198.7.58.227

209.58.147.36

64.42.181.227

155.254.29.113

23.19.67.116

104.255.175.2

93.95.226.165

41.79.69.13

209.250.235.170

199.167.130.118
199.167.128.112

77.66.84.233

176.56.237.171

167.86.90.103

45.76.35.212

doh.dnscrypt.nl
108.61.199.170

139.59.200.116

#BlahDNS
108.61.201.119

159.69.198.101

doh2.dnswarden.com
159.69.16.58

doh1.dnswarden.com
94.130.183.18

doh-de.blahdns.com
159.69.198.101

doh-jp.blahdns.com
108.61.201.119

doh.cleanbrowsing.org

doh.crypto.sx
104.28.0.106

ibksturm.synology.me
178.82.103.5

23.111.74.216
23.111.69.126

205.185.116.116

edns.233py.com
47.101.136.37

wdns.233py.com
118.24.208.197

sdns.233py.com
119.29.107.85

ndns.233py.com
114.115.240.175

dns.google.com
216.58.215.110

jp.gridns.xyz
172.105.241.93

sg.gridns.xyz
139.162.3.123

178.82.103.5

149.28.152.81

doh.tiar.app
45.32.105.4

194.132.32.32

180.131.144.144

195.10.195.195

142.4.204.111
142.4.205.47

doh.powerdns.org
136.144.215.158

doh.seby.io
45.76.113.31

106.51.128.78

dns.quad9.net
149.112.112.112

dns9.quad9.net
9.9.9.9
9.9.9.10
149.112.112.9
149.112.112.10

173.82.232.232

dns.rubyfish.cn
118.89.110.78

ea-dns.rubyfish.cn

uw-dns.rubyfish.cn

212.47.228.136

146.185.167.43

doh.securedns.eu
146.185.167.43

163.172.180.125

178.216.201.222

51.158.106.42

37.221.195.181

107.170.57.34

77.88.8.78

5.189.170.196

151.80.222.79

78.47.64.161

mozilla.cloudflare-dns.com
104.16.249.249

cloudflare-dns.com
104.16.111.25

doh.dns.sb
185.222.222.222
185.184.222.222

dns.dnsoverhttps.net
104.236.178.232

dns.dns-over-https.com
45.77.124.64

doh.appliedprivacy.net
37.252.185.229


Source:

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

https://www.privacy-handbuch.de/handbuch_93.htm

PS: do you simply copy/paste the list to an Alias? I never tried IIRC...
kind regards
chemlud

I was looking into this issue this morning and came across this: https://github.com/bambenek/block-doh

Do you think this approach could help control DoH?

I think in this way the race can hardly be won. Blocking lists are a nice start, but who will keep them up to date? No idea how to filter DoH traffic efficiently... :-(
kind regards
chemlud

I realise this is an older topic, but starting from the public resolver list https://download.dnscrypt.info/resolvers-list/json/public-resolvers.json, you could run these commands as a cron job:

curl -sk https://download.dnscrypt.info/dnscrypt-resolvers/json/public-resolvers.json| jq '.[].addrs' | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"| sort -n| uniq > /tmp/public_resolvers; pfctl -t public_resolvers -T replace -f /tmp/public_resolvers

(untested)

(jq syntax stolen from https://community.checkpoint.com/t5/Next-Generation-Firewall/How-to-deal-with-DNS-over-HTTPS-DNS-over-TLS-QUIC-and-PSOM/td-p/11528)
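As an added example (not code from this thread or from any of the posters), here is a POSIX shell version of the extraction step that both the gedit search-and-replace approach earlier in the thread and the curl/jq one-liner above perform. It pulls well-formed IPv4 addresses out of either the plain hostname/IP list layout posted above or a dnscrypt-style JSON document, drops hostnames, IPv6 literals, ports and malformed octets, and writes a deduplicated pf table file. The sample list and sample JSON are constructed for the example; the JSON layout follows the `addrs` key the one-liner uses but is an assumption about the real file's schema, and the table name `doh_resolvers` and the `DOH_LOAD` switch are this example's own conventions. It avoids `\b`, a GNU grep extension that the BSD grep shipped with OPNsense does not support, and it does not need jq.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns a mixed hostname/IPv4/IPv6 list
# or a dnscrypt-style JSON resolver document into a pf table file of IPv4 addresses.

# Constructed sample in the same "hostname / IP" layout as the lists posted above.
# 999.1.1.1 is deliberately malformed and 1.1.1.1 is deliberately duplicated.
SAMPLE_LIST='# Public resolvers list (constructed sample)
dns.cloudflare.com
1.1.1.1
1.0.0.1

dns9.quad9.net
9.9.9.9
149.112.112.9
999.1.1.1
1.1.1.1'

# Constructed sample modelled on the "addrs" key used by the jq one-liner above
# (the real public-resolvers.json schema is assumed, not copied from the page).
SAMPLE_JSON='[
  {"name": "example-doh", "proto": "DoH", "addrs": ["203.0.113.10:443", "[2001:db8::10]:443"]},
  {"name": "example-dot", "proto": "DoT", "addrs": ["198.51.100.7:853"]}
]'

# Extract unique, well-formed IPv4 addresses from stdin.
# 1. tr: every character that is not a digit or a dot becomes a line break, so
#    hostnames, JSON syntax, ports and IPv6 literals fall apart into fragments.
# 2. grep -x: keep only fragments that are exactly four dotted octets (no \b,
#    which BSD grep on OPNsense lacks).
# 3. awk: reject octets above 255.
# 4. sort -u: deduplicate under a fixed locale so the order is stable.
extract_ipv4() {
    tr -c '0-9.\n' '\n' |
    grep -xE '([0-9]{1,3}\.){3}[0-9]{1,3}' |
    awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
    LC_ALL=C sort -u
}

# Write the combined table file and return the number of addresses in it.
# Loading into pf needs root on the firewall, so it is only attempted when
# DOH_LOAD=1 is set (a convention of this example) and pfctl exists.
build_doh_table() {
    out=${1:-$(mktemp)}
    {
        printf '%s\n' "$SAMPLE_LIST"
        printf '%s\n' "$SAMPLE_JSON"
    } | extract_ipv4 > "$out"
    if [ "${DOH_LOAD:-0}" = 1 ] && command -v pfctl >/dev/null 2>&1; then
        pfctl -t doh_resolvers -T replace -f "$out"
    fi
    wc -l < "$out" | tr -d ' '
}

# Stand-alone run: build the table into a temporary file and report its size.
table=$(mktemp)
n=$(build_doh_table "$table")
echo "$n IPv4 addresses written to $table"
```

In a cron job you would replace the two embedded samples with the downloaded file piped into `extract_ipv4`; leave out curl's `-k`, because fetching a blocklist without certificate verification lets anyone on the path swap the list you are about to load into the firewall. The resulting table still only covers resolvers that are on the list, which is the limitation raised earlier in the thread: a client pointed at a DoH server nobody has catalogued yet is not affected by it.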

I'd forgotten about this thread; I've been using a firewall alias:

Could you share the URL you're using as a source?