Is public-dns.info still actively updated? Any alternative?

Started by Mpegger, November 30, 2025, 08:39:01 PM

To anyone in the know, is public-dns.info still actively updated? Their last changelog entry is from 2020, and on the main front page the recent server last checked times all show 2 years ago. Their Contact link also forwards to a different site.

If they aren't active anymore, is there another such actively updated public DNS server list that I can use in Opnsense as an alias for blocking purposes?

You could just port-forward port 53 to your own DNS instance to block any other DNS server instead of relying on incomplete lists of any kind.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Already have 53 and 853 blocked, and 53 forwarded. I'm more concerned about DNS over HTTP and supposedly that site also tracked DoH sites, and their list was updated daily. Keyword there seeming to be "was". Even looking at the country listings shows everything last being checked 2 or more years ago.

I should probably ask if there is a known reliable regularly updated list of DoH servers to use for blocking purposes?

Quote from: Mpegger on November 30, 2025, 11:10:54 PM
I should probably ask if there is a known reliable regularly updated list of DoH servers to use for blocking purposes?

https://github.com/hagezi/dns-blocklists?tab=readme-ov-file#bypass

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Maybe I am just too dumb, but how can one use that with OpnSense to block DoH servers?

I know I can use hostname-based lists with the "URL Table (IPs)" alias type (which sounds counter-intuitive), however, this obviously does not work with lists that contain entries like *.domain.xyz.

Since not all names are contained in the list without wildcards, it does not even work when I use that and set Mozilla to use DoH, because "mozilla.cloudflare-dns.com" is not contained in the list and does not resolve to the same IPs as cloudflare-dns.com. Thus, it is not blocked.

Using the wildcard hostname lists in an Unbound DNS blocklist seems unintuitive, because one could use the hard-coded IP to circumvent it and it would also block other services that might be within the affected domains.

I think what you really want here is a list of IPs to block for port 443?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on Today at 03:06:35 PM
Since not all names are contained in the list without wildcards, it does not even work when I use that and set Mozilla to use DoH, because "mozilla.cloudflare-dns.com" is not contained in the list and does not resolve to the same IPs as cloudflare-dns.com. Thus, it is not blocked.

Hagezi's list I linked to contains e.g. "cloudflare-dns.com^" which at least in AdGuard Home means "cloudflare-dns.com" and any subdomain thereof. So mozilla.cloudflare-dns.com is covered.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

O.K., so you need AG Home on top. The column "Should be used for" for the lists suggests Unbound and OpnSense, but I fail to see how that works.

And that may also be circumvented by using the IP on itself, since AG Home is never asked.

P.S.: There is a "near-native" approach in Unbound's blocklists, but it uses the wildcard domains only. You do not even have to know the URL. The blocklist type has to be set to "[hagezi] DoH/VPN/TOR/Proxy Bypass", see https://github.com/opnsense/core/issues/8224 - however, it is not the RPZ type list that is being used, just the wildcard domains.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

The list is available in different formats. The one for unbound looks like this:

cloudflare-dns.com CNAME .
*.cloudflare-dns.com CNAME .
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
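As an added illustration of the subdomain point made above (this is example code, not from the OPNsense project or from hagezi's repository): the script parses AdGuard-style entries, checks whether a given hostname is covered by "domain and all subdomains" semantics, and emits both the RPZ-style "CNAME ." records shown in the previous post and the equivalent Unbound local-zone form. The sample list lines are constructed and only imitate the formats discussed; the real list files may differ in detail.

```python
"""Check which hostnames a DoH domain blocklist covers and emit Unbound
RPZ-style records in the "CNAME ." form quoted in the thread.

Added example, not code from the OPNsense project or from hagezi's lists.
The input lines are constructed to mimic the AdGuard/Unbound formats
discussed above; the real list files may differ in detail."""

import re

# Constructed sample of AdGuard-style entries (NOT the real hagezi list).
# A trailing "^" ends the domain; in AdGuard semantics a domain entry
# matches the domain itself and every subdomain of it.
SAMPLE_ADGUARD = """\
! Constructed sample, not the real hagezi list
||cloudflare-dns.com^
cloudflare-dns.com^
dns.google^
||doh.example.test^
"""


def parse_adguard(text):
    """Return the set of base domains found in AdGuard-style lines."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("!", "#")):
            continue
        m = re.fullmatch(r"(?:\|\|)?([a-z0-9.-]+)\^", line, re.IGNORECASE)
        if m:
            domains.add(m.group(1).lower().rstrip("."))
    return domains


def is_blocked(hostname, domains):
    """True if hostname equals a listed domain or is a subdomain of one."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    # Walk the suffixes: a.b.c -> a.b.c, b.c, c
    for i in range(len(labels)):
        if ".".join(labels[i:]) in domains:
            return True
    return False


def to_unbound_rpz(domains):
    """Emit RPZ records: one exact and one wildcard line per domain,
    matching the two-line form quoted in the thread."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


def to_unbound_local_zone(domains):
    """Alternative native Unbound syntax; a local-zone covers the zone
    and all names below it, so no separate wildcard line is needed."""
    return [f'local-zone: "{d}" always_nxdomain' for d in sorted(domains)]


if __name__ == "__main__":
    doms = parse_adguard(SAMPLE_ADGUARD)
    for name in ("mozilla.cloudflare-dns.com", "cloudflare-dns.com.evil.test"):
        print(f"{name}: {'blocked' if is_blocked(name, doms) else 'not blocked'}")
    print("\n".join(to_unbound_rpz(doms)))
    print("\n".join(to_unbound_local_zone(doms)))
```

Note that the suffix walk only matches on label boundaries, so "notcloudflare-dns.com" or "cloudflare-dns.com.evil.test" are not blocked by the "cloudflare-dns.com" entry, while "mozilla.cloudflare-dns.com" is. That is exactly the coverage the Unbound wildcard line provides and the plain hostname alias does not.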

Quote from: meyergru on Today at 04:09:48 PM
And that may also be circumvented by using the IP on itself, since AG Home is never asked.

My thoughts also. When I attempted to block DoH, I went looking for an IP list rather than a domain blocklist, assuming at least some clients will attempt to reach a DoH server directly without first resolving a hostname.

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Not a single IPv6 in that list (as the comment already suggests) - but worse, the IPv4 ones used by Mozilla are not in that list, either:

Name:   mozilla.cloudflare-dns.com
Address: 172.64.41.4
Name:   mozilla.cloudflare-dns.com
Address: 162.159.61.4
Name:   mozilla.cloudflare-dns.com
Address: 2a06:98c1:52::4
Name:   mozilla.cloudflare-dns.com
Address: 2803:f800:53::4
The RPZ-type lists could be used in Unbound, but there is no automation in OpnSense.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
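To make the gap described in the last post measurable, here is an added example (not code from the OPNsense project or from any of the lists mentioned) that audits an IP blocklist against the addresses a DoH hostname actually resolves to. The blocklist entries are constructed; the resolved addresses are the four posted above for mozilla.cloudflare-dns.com. It reports which addresses a "URL Table (IPs)" alias built from that list would miss, whether the list contains any IPv6 at all, and emits host-route entries that could go into a supplementary alias.

```python
"""Audit an IP blocklist against the addresses a DoH host resolves to.

Added example, not OPNsense or list-project code.  The blocklist below is
constructed; the resolved addresses are the ones posted in the thread."""

import ipaddress

# Constructed IPv4-only blocklist in the one-entry-per-line form a
# "URL Table (IPs)" alias consumes.  NOT the real list.
SAMPLE_IP_LIST = """\
# constructed sample, IPv4 only
1.1.1.1
1.0.0.1
104.16.248.249/32
8.8.8.8
8.8.4.4
"""

# Addresses from the nslookup output quoted in the thread.
RESOLVED = {
    "mozilla.cloudflare-dns.com": [
        "172.64.41.4",
        "162.159.61.4",
        "2a06:98c1:52::4",
        "2803:f800:53::4",
    ],
}


def parse_ip_list(text):
    """Parse IPs/CIDRs; skip comments and anything that is not an address,
    which is also what an IP alias would silently do with hostnames."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def covers(addr, nets):
    """True if addr falls inside any network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)


def audit(resolved, nets):
    """Return ({hostname: [uncovered addresses]}, list_has_any_ipv6)."""
    missing = {}
    for host, addrs in resolved.items():
        gap = [a for a in addrs if not covers(a, nets)]
        if gap:
            missing[host] = gap
    has_v6 = any(n.version == 6 for n in nets)
    return missing, has_v6


def to_alias_lines(missing):
    """Host routes (/32, /128) for a supplementary alias, deduplicated."""
    hosts = {ipaddress.ip_network(a) for gap in missing.values() for a in gap}
    return sorted(str(n) for n in hosts)


if __name__ == "__main__":
    nets = parse_ip_list(SAMPLE_IP_LIST)
    missing, has_v6 = audit(RESOLVED, nets)
    print("list contains IPv6:", has_v6)
    for host, gap in missing.items():
        print(f"{host}: not covered -> {', '.join(gap)}")
    print("\n".join(to_alias_lines(missing)))
```

The version check in covers() matters: a firewall rule that blocks only IPv4 DoH endpoints leaves the AAAA path open on a dual-stack LAN, so an audit that reports "no IPv6 in list" is a finding in its own right, independent of which v4 addresses happen to be missing.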