Is public-dns.info still actively updated? Any alternative?

Started by Mpegger, November 30, 2025, 08:39:01 PM

To anyone in the know, is public-dns.info still actively updated? Their last changelog entry is from 2020, and on the main front page the recent server last checked times all show 2 years ago. Their Contact link also forwards to a different site.

If they aren't active anymore, is there another such actively updated public DNS server list that I can use in Opnsense as an alias for blocking purposes?

You could just port-forward port 53 to your own DNS instance to block any other DNS server instead of relying on incomplete lists of any kind.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Already have 53 and 853 blocked, and 53 forwarded. I'm more concerned about DNS over HTTP and supposedly that site also tracked DoH sites, and their list was updated daily. Keyword there seeming to be "was". Even looking at the country listings shows everything last being checked 2 or more years ago.

I should probably ask if there is a known reliable regularly updated list of DoH servers to use for blocking purposes?

Quote from: Mpegger on November 30, 2025, 11:10:54 PM
I should probably ask if there is a known reliable regularly updated list of DoH servers to use for blocking purposes?

https://github.com/hagezi/dns-blocklists?tab=readme-ov-file#bypass

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Maybe I am just too dumb, but how can one use that with OpnSense to block DoH servers?

I know I can use hostname-based lists with the "URL Table (IPs)" alias type (which sounds counter-intuitive), however, this obviously does not work with lists that contain entries like *.domain.xyz.

Since not all names are contained in the list without wildcards, it does not even work when I use that and set Mozilla to use DoH, because "mozilla.cloudflare-dns.com" is not contained in the list and does not resolve to the same IPs as cloudflare-dns.com. Thus, it is not blocked.

Using the wildcard hostname lists in an Unbound DNS blocklist seems unintuitive, because one could use the hard-coded IP to circumvent it and it would also block other services that might be within the affected domains.

I think what you really want here is a list of IPs to block for port 443?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on December 01, 2025, 03:06:35 PM
Since not all names are contained in the list without wildcards, it does not even work when I use that and set Mozilla to use DoH, because "mozilla.cloudflare-dns.com" is not contained in the list and does not resolve to the same IPs as cloudflare-dns.com. Thus, it is not blocked.

Hagezi's list I linked to contains e.g. "cloudflare-dns.com^" which at least in AdGuard Home means "cloudflare-dns.com" and any subdomain thereof. So mozilla.cloudflare-dns.com is covered.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

O.K., so you need AG Home on top. The column "Should be used for" for the lists suggests Unbound and OpnSense, but I fail to see how that works.

And that may also be circumvented by using the IP on itself, since AG Home is never asked.

P.S.: There is a "near-native" approach in Unbound's blocklists, but it uses the wildcard domains only. You do not even have to know the URL. The blocklist type has to be set to "[hagezi] DoH/VPN/TOR/Proxy Bypass", see https://github.com/opnsense/core/issues/8224 - however, it is not the RPZ type list that is being used, just the wildcard domains.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

The list is available in different formats. The one for unbound looks like this:

cloudflare-dns.com CNAME .
*.cloudflare-dns.com CNAME .
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: meyergru on December 01, 2025, 04:09:48 PM
And that may also be circumvented by using the IP on itself, since AG Home is never asked.

My thoughts also. When I attempted to block DoH, I went looking for an IP list rather than a domain blocklist, assuming at least some clients will attempt to reach a DoH server directly without first resolving a hostname.

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Not a single IPv6 in that list (as the comment already suggests) - but worse, the IPv4 ones used by Mozilla are not in that list, either:

Name:   mozilla.cloudflare-dns.com
Address: 172.64.41.4
Name:   mozilla.cloudflare-dns.com
Address: 162.159.61.4
Name:   mozilla.cloudflare-dns.com
Address: 2a06:98c1:52::4
Name:   mozilla.cloudflare-dns.com
Address: 2803:f800:53::4


The RPZ-type lists could be used in Unbound, but there is no automation in OpnSense.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

So, now I got a current list: https://github.com/dibdot/DoH-IP-blocklists

You can use it like so to block DoH requests going outside:

1. Create two "URL table in JSON format (IP)" type aliases with a refresh time of ~ one day and ".[]" as the JSON path expression:

   DoH_IPv4 with content "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv4.json"
   DoH_IPv6 with content "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv6.json"

plus a "Ports" type alias - because some DoH services are offered on alternate ports as well:

   DoH_Ports with content "53 80 443 453 853 8053".

2. Create one inbound block floating rule for IPv4 on your LAN interfaces using DoH_IPv4 and one for IPv6 using DoH_IPv6, both with the target port alias DoH_Ports and for TCP/UDP. These rules should apply to whatever interface(s) you want to block DoH on.

You can check effectiveness by using DoH in your browser, which should fail after a timeout.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
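As an added example (not from this thread or from the dibdot project), here is a small check that does what the earlier post did by hand: it takes the resolved addresses of a DoH hostname in nslookup format and reports which of them the JSON lists would not cover. It assumes the lists are flat JSON arrays of address strings, which is what the ".[]" JSON path expression in the alias suggests; the list and lookup contents below are constructed samples, not the real files.

```python
import ipaddress
import json

# Constructed samples in the assumed list format (a top-level JSON array,
# matching the ".[]" JSON path used in the OPNsense alias).
DOH_IPV4_JSON = '["104.16.248.249", "172.64.41.4", "162.159.61.4", "8.8.8.8"]'
DOH_IPV6_JSON = '["2a06:98c1:52::4", "2803:f800:53::4", "2001:4860:4860::8888"]'

# Constructed nslookup-style output in the same shape as the thread's paste.
NSLOOKUP_OUTPUT = """\
Name:   mozilla.cloudflare-dns.com
Address: 172.64.41.4
Name:   mozilla.cloudflare-dns.com
Address: 162.159.61.4
Name:   mozilla.cloudflare-dns.com
Address: 2a06:98c1:52::4
Name:   mozilla.cloudflare-dns.com
Address: 2803:f800:53::4
"""


def load_blocklist(json_text):
    """Parse a JSON array of IPs or CIDRs into networks (a bare IP becomes /32 or /128)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in json.loads(json_text)]


def parse_nslookup(output):
    """Collect the 'Address:' values; the resolver's own 'Address: x.x.x.x#53' line is skipped."""
    addresses = []
    for line in output.splitlines():
        if line.startswith("Address:"):
            value = line.split(":", 1)[1].strip()
            if "#" not in value:
                addresses.append(value)
    return addresses


def uncovered(addresses, networks):
    """Return the addresses that no network in the blocklist matches (same IP version required)."""
    missing = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if not any(ip.version == net.version and ip in net for net in networks):
            missing.append(text)
    return missing


def check_coverage(nslookup_output, v4_json, v6_json):
    """Addresses from the lookup that the combined IPv4+IPv6 lists would not block."""
    networks = load_blocklist(v4_json) + load_blocklist(v6_json)
    return uncovered(parse_nslookup(nslookup_output), networks)


if __name__ == "__main__":
    print("not covered:", check_coverage(NSLOOKUP_OUTPUT, DOH_IPV4_JSON, DOH_IPV6_JSON))
```

To run it against the real files, fetch the two JSON URLs from the post and pass their contents in place of the constructed strings.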

This is indeed a maintained source of DoH servers I use as well.
You could also add this rule to apply to TCP traffic on these ports only, since DoH uses TCP.
Deciso dec3840: EPYC 3101, 16GB RAM, 512GB SSD
Deciso dec3850: EPYC 3201, 16GB RAM, 256GB SSD

I would use TCP and UDP because of HTTP/3 (QUIC). The list includes IPv6 and also lists mozilla.cloudflare-dns.com.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

What would be wrong with blocking these IP addresses entirely? Surely no provider of DoT/DoH would be running other vital services on the same servers? Would they? :-)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)