DNS, DoH, DoT, DoQ, DNSCrypt, DNSSEC - Privacy and Filtering

Started by Mario_Rossi, April 04, 2026, 12:25:58 AM

I think this is as good a thread as any to request a peer review of a DNS rule matrix and maybe some others will get something from it, too.

I made some updates to try and take DoQ (DNS-over-QUIC) and DoH3 (DNS-over-HTTP/3) into account, but this might have some holes in it that I'd be grateful to get feedback on. Blocking these protocols and all their known/common ports (at a minimum) is becoming tedious.

The goals:

  • Redirect plain DNS (Do53) to OPNsense on a loopback device
  • Block plain DNS escapes and also DoT (tcp/853) outbound
  • Block DoQ to standard UDP ports (853, 784) outbound
  • Block DoH (tcp/443) and DoH3 (udp/443) to public DNS IP lists ...but try to minimize breakage of HTTP/3 and QUIC for general web traffic!
  • Cover a few lesser known but still "standard" or semi-standard ports
  • Selectively allow some web clients to Quad9 for all encrypted protocols including their new DoH3/DoQ.  These are mainly Androids with "private DNS" turned on that have no plain DNS fallback when at home.

For the resolver IP block lists ("NETS_PUBLIC_DNS") I use these:


*There is an embedded alias within this one for adding negated overrides (!host) in case an important site breaks.

For DNS-based block lists in Unbound I use:


*Ditto, Unbound supports allowlist overrides to fix the occasional break.

Rules on local interface group:
[attachment not shown]

DNAT (using auto "Pass" rule):
[attachment not shown]

Ports alias:
[attachment not shown]


Are there cracks here for things to slip through, aside from 1) remote services on non-standard ports, and 2) missed resolver IPs in block lists?
N5105 | 8/250GB | 4xi226-V | Community
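To reason about "cracks" in a matrix like this it helps to simulate it as the first-match (quick) rule list that OPNsense actually evaluates and push constructed flows through it. The block below is an added example, not the poster's own rules or aliases: the alias contents, the client addresses, the rule order and the sample flows are all assumptions made up for illustration (the real aliases are the attachments that did not survive extraction). Its last two sample flows reproduce exactly the two gaps named in the post, a resolver on a non-standard port and a resolver missing from the IP list.

```python
"""Toy first-match simulation of the DNS egress rule matrix described above.
Added example, not the original poster's OPNsense configuration: alias
contents, host addresses, rule order and sample traffic are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# --- aliases (constructed for this example) -----------------------------
NETS_PUBLIC_DNS = [ip_network(n) for n in (
    "8.8.8.0/24", "8.8.4.0/24", "1.1.1.0/24", "1.0.0.0/24",
    "9.9.9.0/24", "149.112.112.0/24")]
# Embedded negated override alias ("!host"): one site that broke and was exempted.
NETS_PUBLIC_DNS_OVERRIDES = [ip_network("1.1.1.100/32")]
HOSTS_ANDROID_PRIVATE_DNS = [ip_network("192.168.1.50/32")]   # assumed client
QUAD9 = [ip_network("9.9.9.9/32"), ip_network("149.112.112.112/32")]
PORTS_DOT, PORTS_DOQ, PORTS_DOH = {853}, {853, 784}, {443}


def in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    name: str
    action: str                     # "redirect", "pass" or "block"
    protos: set
    dports: set | None = None       # None = any destination port
    src: list | None = None         # None = any source
    dst: list | None = None         # None = any destination
    dst_except: list = field(default_factory=list)   # negated override alias

    def matches(self, f: Flow) -> bool:
        if f.proto not in self.protos:
            return False
        if self.dports is not None and f.dport not in self.dports:
            return False
        if self.src is not None and not in_any(f.src, self.src):
            return False
        if self.dst is not None and not in_any(f.dst, self.dst):
            return False
        return not in_any(f.dst, self.dst_except)


# Assumed order on the local interface group, top to bottom (first match wins).
RULES = [
    # DNAT of plain DNS to the loopback resolver plus its auto-generated pass rule.
    Rule("rdr Do53 -> loopback", "redirect", {"tcp", "udp"}, {53}),
    # Selective allow: Android "private DNS" clients to Quad9 over every encrypted protocol.
    Rule("pass Android -> Quad9 DoT/DoH", "pass", {"tcp"}, PORTS_DOT | PORTS_DOH,
         HOSTS_ANDROID_PRIVATE_DNS, QUAD9),
    Rule("pass Android -> Quad9 DoQ/DoH3", "pass", {"udp"}, PORTS_DOQ | PORTS_DOH,
         HOSTS_ANDROID_PRIVATE_DNS, QUAD9),
    Rule("block DoT", "block", {"tcp"}, PORTS_DOT),
    Rule("block DoQ", "block", {"udp"}, PORTS_DOQ),
    # DoH/DoH3 only to known resolver IPs, so ordinary HTTP/3 keeps working.
    Rule("block DoH/DoH3 to public resolvers", "block", {"tcp", "udp"}, PORTS_DOH,
         None, NETS_PUBLIC_DNS, NETS_PUBLIC_DNS_OVERRIDES),
    Rule("block Do53 escapes", "block", {"tcp", "udp"}, {53}),
    Rule("default pass", "pass", {"tcp", "udp"}),
]


def evaluate(f: Flow) -> tuple[str, str]:
    """Return (action, rule name) of the first matching rule."""
    for r in RULES:
        if r.matches(f):
            return r.action, r.name
    raise AssertionError("unreachable: the default pass rule matches everything")


def unmatched(flows) -> list[Flow]:
    """Flows no explicit rule saw. Ordinary web traffic belongs here; a
    resolver that lands here is a crack in the matrix."""
    return [f for f in flows if evaluate(f)[1] == "default pass"]


# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    Flow("192.168.1.10", "8.8.8.8", "udp", 53),         # plain DNS -> redirected
    Flow("192.168.1.10", "8.8.8.8", "tcp", 853),        # DoT -> blocked
    Flow("192.168.1.10", "8.8.8.8", "udp", 784),        # DoQ on the old port -> blocked
    Flow("192.168.1.10", "8.8.8.8", "udp", 443),        # DoH3 to a listed resolver -> blocked
    Flow("192.168.1.10", "1.1.1.100", "tcp", 443),      # override host -> passes
    Flow("192.168.1.10", "142.250.74.78", "udp", 443),  # ordinary HTTP/3 -> passes
    Flow("192.168.1.50", "9.9.9.9", "udp", 443),        # Android DoH3 to Quad9 -> passes
    Flow("192.168.1.10", "9.9.9.9", "udp", 443),        # other client, same flow -> blocked
    Flow("192.168.1.10", "203.0.113.5", "tcp", 5053),   # resolver on an odd port -> crack 1
    Flow("192.168.1.10", "203.0.113.5", "udp", 443),    # resolver missing from the list -> crack 2
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.src:>14} -> {f.dst:<15} {f.proto}/{f.dport:<5} {evaluate(f)}")
    print("unmatched:", [(f.dst, f.proto, f.dport) for f in unmatched(SAMPLE)])
```

The simulation makes the ordering constraint explicit: the Quad9 allow rules must sit above the DoT/DoQ/DoH blocks or the Android clients lose DNS entirely, and the DoH/DoH3 block must be scoped to the resolver alias or every HTTP/3 site breaks. It also shows why the two gaps in the post are structural rather than a rule typo: anything not described by a port or an address in the matrix falls straight through to the default pass.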

https://www.youtube.com/watch?v=XI9NG068TwI

Quote from: OPNenthu on April 07, 2026, 11:28:08 PM
    but try to minimize breakage of HTTP/3 and QUIC for general web traffic!
Why?!

The whole reason QUIC exists is so that it can be used for advertising, since it bypasses your DNS-based ad-blocking!!

If you can kill it: JUST DO IT! :)
Not like Nike LOL!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)