Adguard and HTTPS queries

[iammike]

I have installed Adguard on my OpnSense router and it's working great, but it's not filtering HTTPS

For example if I do

Code: [Select]

nslookup facebook.com
Server:  OPNsense
Address:  10.0.10.1

Non-authoritative answer:
Name:    facebook.com
Addresses:  ::
          0.0.0.0
That works (whole of Facebook is blocked)

But if I go to facebook via the Browser (just type in facebook.com) it gets redirected to https:// and opens the page.

I have managed (with the Self Signed Cert of Opnsense) to enable Adguard HTTPS connection, but it's still not filtering HTTPS.

Any ideas

TiA

[Patrick M. Hausen]

Are you sure your browser isn't bypassing your local recursive DNS server and using DoH?

AdGuard Home (?) only filters DNS requests and answers. Once the browser finds a valid IP address for Facebook, it will always be able to connect.

[CJ]

DoH is probably the culprit.  I know it's enabled by default in FireFox.  Not sure about other browsers.

https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs

The other option could be that facebook was just blocked and it's still in the OS and/or app DNS cache.

[iammike]

DoH is probably the culprit.  I know it's enabled by default in FireFox.  Not sure about other browsers.

https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs

The other option could be that facebook was just blocked and it's still in the OS and/or app DNS cache.

DNS was flushed and OS cache removed (never visited facebook anyway)

I think I disabled DoH but will check and report back.

[iammike]

Update

Yes DoH was enabled and when disabled the Blocking of HTTPS works as well.

But that automatically leads to another question. How to block this? Or is that even possible?

I already made the NAT forward rule (for DNS) but apparently that seems to be not enough.

Suggestion and tips are more then welcome.

[cookiemonster]

Not via AdGuardHome, that is not one of its capabilities.
Zenarmor has an option to block DoH that you can try, even on the free version with a single policy.
I remember trying it but it led to some unwanted behaviour that might have been a combination with another setting but I haven't revisited it.

[CJ]

There's two ways you can attempt to block DoH.  First is to add the dns entries of all the nameservers you can find to your DNSBL.  Second is to add the IPs of all the nameservers you can find to a firewall alias and block it.

There's some different lists out there but I can't speak to how comprehensive they are.  I'm using this one. https://public-dns.info/nameservers.txt

[iammike]

There's two ways you can attempt to block DoH.  First is to add the dns entries of all the nameservers you can find to your DNSBL.  Second is to add the IPs of all the nameservers you can find to a firewall alias and block it.

There's some different lists out there but I can't speak to how comprehensive they are.  I'm using this one. https://public-dns.info/nameservers.txt

Thx a lot.

I found this link (but for PiHole) and that explains it

https://labzilla.io/blog/force-dns-pihole