DoH VS TheGreatWall

Even those who weren't interested in self-hosting might spend a couple of minutes hosting their own DNS proxy since it's much more flexible and don't require root or dedicated port (at least with DoH).

To inject a little paranoia, DoH spec and implementation don't actually require the providers to only use /dns-query, it's possible (and very simple) to create an innocuous-looking website with /supersecretdns serving DoH, or directly on the homepage itself (the request for DoH vs regular webpage has different header), but if your kids are already that proficient, no way to stop them aside from plugging off the router.

Get a PHP hosting (dime a dozen these days), and proxying on PHP is also seamless, pretty much any website can have a secret URL that serves DoH.

https://github.com/NotMikeDEV/DoH/blob/master/dns.php handles both POST & GET. Yours only work with the POST, used by Chrome & Firefox, but not AdGuard.

If you are paranoid about a particular DNS server knowing your requests (but not paranoid enough to just use Tor entirely), the alternative will be just running a recursive resolver where you're running that PHP file. This exposes your server IP to the nameserver, but that's it, no extra third parties are involved. Or take it to the next level by running Tor there and forwarding plain DNS requests through it.

DoH can be somewhat protected with a secret path, you can even create one for free on Cloudflare Worker or any PHP hosting, but only Windows 11, iOS, macOS, and browsers support it natively. DoT is supported by Android natively but hiding the custom domain is more complex (you'll need wildcard cert, which requires manual record update with LetsEncrypt every 90 days), and if someone snoops on your traffic since they can see the domain for the DoT.

That relies on a list of known DoH providers. Private DoH server won't be in the list, which can be very easily made on any PHP hosting or even just a Cloudflare Worker.

Here's lists: https://github.com/Sekhan/TheGreatWall

I run Pfsense and am able to block most common DoH services. I’m sure you will be able to configure similar options on opnsense. The best way to do this is a DNS block through AGH and an IP block with opnsense. Firefox provides what domains to block to disable their DoH, https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https. You can also add these two lists to block most other common DoH services, https://github.com/oneoffdallas/dohservers, https://github.com/Sekhan/TheGreatWall. These lists will work with AGH for DNS blocking and for IP blocking aliases. If you have any Apple devices on your network you can use these domains to block private relay, https://raw.githubusercontent.com/Rogacz/private-relay/main/pr2.txt. I recommend you add these private relay domains as a custom entry in AGH to return NXDOMAIN so that the device shows that private relay is unavailable versus using a NULL response where it will say it’s available when it really isn’t. With these lists added to DNS blocklists as well as IP blocklists I have seen almost no DoH services getting through. The only service that I’ve experienced getting through the rules so far is Next DNS since it uses different IPs depending on what is fastest for your location, making it harder to block. I found a way to discover the IPs for their servers near you and will edit the post if I find the instructions again. Also make sure to completely block port 853 to block DoT. Lastly using these instructions from Pfsense, you can redirect or block all DNS queries that aren’t destined for your AGH instance. The instructions should be transferable to opnsense.

You can also have the pihole block these DoH servers, using this: https://github.com/Sekhan/TheGreatWall/blob/master/TheGreatWall.txt but for applications that have a list DoH IP's hardwired into them, then pihole blocking won't catch those because they connect without DNS lookups. You have to block them at your firewall.

Original: https://github.com/Sekhan/TheGreatWall

Another test is android also offers Private DNS under advanced settings if set to automatic it will send requests to google DoH, turn this off and see if that changes anything. You could also add the The Great Wall DoH pihole blocklist to see if that helps too: https://github.com/Sekhan/TheGreatWall/blob/master/TheGreatWall.txt

Hopefully this helps: https://github.com/Sekhan/TheGreatWall