
Comment by elashri

2 days ago

I do force all plain DNS on port 53 to my local DNS (AdGuard Home + unbound on a GL.iNet router). And I block common DoH addresses. There are many lists on GitHub. I collect them using a GitHub Action to have one big list of their IPs and addresses and block them.

This is not a bulletproof solution in case there is a semi-known custom DoH that an application uses. But it is the best that I can do without enterprise network gear and a more complex setup than I would like to maintain.
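One way to do the list-merging step described above, as an added example that is not code from the comment or from any of the GitHub lists: it merges several blocklist texts (constructed samples inline, with placeholder hostnames and addresses) into de-duplicated hostnames plus collapsed IP ranges, and emits unbound `local-zone` entries for the hostnames and a plain address list for a firewall set.

```python
import ipaddress
import re

# Constructed sample contents of two blocklists, standing in for the
# GitHub-hosted DoH lists the comment refers to (placeholder values only).
LIST_A = """
# DoH resolver hostnames (constructed sample)
dns.example-doh.test
doh.provider-one.test
198.51.100.10
"""

LIST_B = """
# another list, mixed format, with duplicates (constructed sample)
doh.provider-one.test
2001:db8::53
198.51.100.0/24
DNS.Example-DoH.test
"""

HOST_RE = re.compile(r"^[a-z0-9.-]+$")


def merge_doh_lists(*texts):
    """Merge blocklist texts into sorted hostnames and collapsed IP networks."""
    hosts, nets = set(), set()
    for text in texts:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip().lower()  # drop comments, normalise case
            if not line:
                continue
            try:
                nets.add(ipaddress.ip_network(line, strict=False))  # bare IPs become /32 or /128
                continue
            except ValueError:
                pass
            if HOST_RE.match(line):
                hosts.add(line.rstrip("."))
    collapsed = []
    for version in (4, 6):  # collapse_addresses only accepts one IP version at a time
        collapsed.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return sorted(hosts), collapsed


def unbound_local_zones(hosts):
    """Emit unbound local-zone lines that answer NXDOMAIN for each DoH hostname."""
    return [f'local-zone: "{h}." always_nxdomain' for h in hosts]


def ip_set_lines(nets):
    """Emit one CIDR per line for loading into a firewall address set."""
    return [str(n) for n in nets]


if __name__ == "__main__":
    h, n = merge_doh_lists(LIST_A, LIST_B)
    print("\n".join(unbound_local_zones(h) + ip_set_lines(n)))
```

The overlapping /32 in the sample is absorbed into the /24, so the emitted address set is smaller than the union of the raw lists.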

> And I block common DoH addresses.

You can also force the browser to behave in "corporate" mode, where DNS requests are analyzed by the corporation (you in this case) to determine which domains can and which cannot be accessed by employees (you and your family in this case).

Here for Firefox:

https://support.mozilla.org/en-US/kb/firefox-dns-over-https

"This article describes DNS over HTTPS and how to enable, edit settings, or disable this feature."

Notice the "or disable this feature".

You change the "trr" value (trusted recursive resolver) and DoH is not supposed to happen anymore.

Setting the browser to not use DoH and blocking known DoH servers is great.

What I wonder is if I can then easily configure my DNS resolver (I run unbound) to itself use DoH: I don't have anything against DoH. What I have something against is not being able to blocklist based on domain names.

  • I don't know about GP's motivations in doing the blocking and redirections, but if they're anything like mine, Firefox is not one of them. The main issue is random "IoT" devices, think smart TVs and the like, phoning home for a fresh batch of ads and whatnot.