Comment by madeofpalk
5 months ago
Don't all the ad-blocking DNS providers also support DNS-over-HTTPS now as well? I use it with AdGuard Home, and I saw PiHole supports it as well.
I'm referring to devices and apps that are 'hard-coded' to query specific DoH servers/providers, therefore bypassing any user-configured DNS server(s). And because DoH operates on outbound TCP/443, the lookups are indistinguishable from any other 'web' traffic.
Even some of the most popular desktop web browsers are configured to utilize DoH by default nowadays.
The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers and NAT all outbound 53 (and 853) traffic to a desired resolver (like a local Pi-hole instance, for example).
> The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers ...
A firewall (which must also host a resolver) can choose to block requests to IPs it hasn't resolved domain names for.
This is something I implemented for an Android firewall app I co-develop; it works nicely enough.
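The two controls described in the comments above (NAT every outbound 53/853 flow to the local resolver plus an IP blocklist of known DoH endpoints, and the stricter "only allow connections to IPs the local resolver has actually handed out" rule) can be modelled as a single egress decision function. The following is an added illustration, not code from any commenter or from the Android app mentioned; the `EgressPolicy` class, the `LOCAL_RESOLVER` address and the `KNOWN_DOH_SERVERS` set are constructed placeholders (documentation-range addresses, not a real list of DoH providers), and the real enforcement point in practice would be a packet filter such as nftables, with this logic only deciding the verdict.

```python
"""Resolver-aware egress policy, modelled in Python (constructed example).

The firewall hosts the only permitted resolver. It records every A/AAAA answer
it hands to a client, with the record's TTL, and later allows an outbound
connection only to an address a client could have learned from that resolver.
Plain DNS (53) and DoT (853) to any other resolver is redirected to the local
one; known DoH endpoints are blocked outright.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Set, Tuple
import time

# Placeholder values for the demo (RFC 5737 documentation ranges), not real servers.
LOCAL_RESOLVER = "10.0.0.1"
KNOWN_DOH_SERVERS = {ip_network("192.0.2.0/24")}


@dataclass
class EgressPolicy:
    resolver_ip: str
    doh_blocklist: Set
    resolved: Dict[str, float] = field(default_factory=dict)  # ip -> expiry time
    clock: Callable[[], float] = time.monotonic  # injectable for testing

    def record_answer(self, name: str, ip: str, ttl: int) -> None:
        """Called by the resolver whenever it returns an address to a client.
        Keeps the later of any existing expiry and the new one."""
        expiry = self.clock() + ttl
        self.resolved[ip] = max(self.resolved.get(ip, 0.0), expiry)

    def decide(self, dst_ip: str, dst_port: int) -> Tuple[str, str]:
        """Return (verdict, reason) for an outbound flow to dst_ip:dst_port.
        verdict is one of 'allow', 'block', 'redirect'."""
        addr = ip_address(dst_ip)

        # 1. DNS/DoT aimed at any resolver other than ours: rewrite to the local one.
        if dst_port in (53, 853) and dst_ip != self.resolver_ip:
            return ("redirect", f"dns to {dst_ip} rewritten to {self.resolver_ip}")
        if dst_ip == self.resolver_ip:
            return ("allow", "local resolver")

        # 2. Known DoH endpoints are blocked whatever port they are reached on.
        if any(addr in net for net in self.doh_blocklist):
            return ("block", "known DoH endpoint")

        # 3. Everything else must match an answer the local resolver gave out
        #    and that answer's TTL must not have expired.
        expiry = self.resolved.get(dst_ip)
        if expiry is None:
            return ("block", "destination never resolved via local resolver")
        if expiry < self.clock():
            return ("block", "resolved record expired")
        return ("allow", "resolved via local resolver")


def run_demo() -> Dict[str, str]:
    """Constructed scenario: one host resolved locally, one hard-coded DoH
    client, one direct-to-IP connection, and the resolved entry going stale."""
    now = [1000.0]  # mutable so the fake clock can be advanced
    policy = EgressPolicy(LOCAL_RESOLVER, KNOWN_DOH_SERVERS, clock=lambda: now[0])
    policy.record_answer("example.com", "203.0.113.10", ttl=300)

    decisions = {
        "plain dns to outside resolver": policy.decide("198.51.100.53", 53)[0],
        "dot to outside resolver": policy.decide("198.51.100.53", 853)[0],
        "doh to known endpoint": policy.decide("192.0.2.1", 443)[0],
        "https to resolved host": policy.decide("203.0.113.10", 443)[0],
        "https to unresolved host": policy.decide("203.0.113.99", 443)[0],
    }
    now[0] += 600  # advance past the 300 s TTL
    decisions["https to resolved host after ttl"] = policy.decide("203.0.113.10", 443)[0]
    return decisions


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:36s} -> {verdict}")
```

Two properties of the "only resolved IPs" rule are worth noting before adopting it: any client that contacts an IP it did not learn from the local resolver (a hard-coded DoH endpoint, but also a hard-coded update server or a peer-to-peer app) is blocked, which is the intended effect and also the source of the breakage reports such a rule tends to generate; and because the allow decision is keyed on the address rather than the hostname, any other service sharing that address (a CDN edge, for instance) becomes reachable for the lifetime of the record, so the rule narrows the DoH bypass rather than closing it entirely.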
Is that true? Per what spec are you referring to?
what app?