TheGreatWall
doh-cf-workers
Our great sponsors
TheGreatWall | doh-cf-workers | |
---|---|---|
11 | 31 | |
103 | 351 | |
- | - | |
0.0 | 5.3 | |
almost 2 years ago | 2 months ago | |
JavaScript | ||
MIT License | BSD Zero Clause License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
TheGreatWall
-
Restrict DNS resolution to pihole only
Here's lists: https://github.com/Sekhan/TheGreatWall
-
AdGuard Home and dealing with DoH
I run Pfsense and am able to block most common DoH services. I’m sure you will be able to configure similar options on opnsense. The best way to do this is a DNS block through AGH and an IP block with opnsense. Firefox provides what domains to block to disable their DoH, https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https. You can also add these two lists to block most other common DoH services, https://github.com/oneoffdallas/dohservers, https://github.com/Sekhan/TheGreatWall. These lists will work with AGH for DNS blocking and for IP blocking aliases. If you have any Apple devices on your network you can use these domains to block private relay, https://raw.githubusercontent.com/Rogacz/private-relay/main/pr2.txt. I recommend you add these private relay domains as a custom entry in AGH to return NXDOMAIN so that the device shows that private relay is unavailable versus using a NULL response where it will say it’s available when it really isn’t. With these lists added to DNS blocklists as well as IP blocklists I have seen almost no DoH services getting through. The only service that I’ve experienced getting through the rules so far is Next DNS since it uses different IPs depending on what is fastest for your location, making it harder to block. I found a way to discover the IPs for their servers near you and will edit the post if I find the instructions again. Also make sure to completely block port 853 to block DoT. Lastly using these instructions from Pfsense, you can redirect or block all DNS queries that aren’t destined for your AGH instance. The instructions should be transferable to opnsense.
-
Device has not a single query?
You can also have the pihole block these DoH servers, using this: https://github.com/Sekhan/TheGreatWall/blob/master/TheGreatWall.txt but for applications that have a list DoH IP's hardwired into them, then pihole blocking won't catch those because they connect without DNS lookups. You have to block them at your firewall.
- PSA - Netflix on iOS seems to be contacting 8.8.8.8 (Google DNS) a lot, possibly to circumvent blocking
- Blocklist for DNS over HTTPS?
- How long until Google [and others] use https://8.8.8.8 internally, and hence bypass Pi-Hole?
- Any guide to catching and redirecting DoH traffic?
-
Adguar home question
Original: https://github.com/Sekhan/TheGreatWall
-
Android defaults to 8.8.8.8 as secondary DNS with Pi-hole as DHCP server
Another test is android also offers Private DNS under advanced settings if set to automatic it will send requests to google DoH, turn this off and see if that changes anything. You could also add the The Great Wall DoH pihole blocklist to see if that helps too: https://github.com/Sekhan/TheGreatWall/blob/master/TheGreatWall.txt
-
Blocking DNS over HTTPS Suggestions
Hopefully this helps: https://github.com/Sekhan/TheGreatWall
doh-cf-workers
-
Cloudflare DNS stopped working totally!
For desktop browser, just change the Secure DNS/DNS over HTTPS settings to one of the servers in https://github.com/curl/curl/wiki/DNS-over-HTTPS, if they're all blocked, create your own with https://github.com/tina-hello/doh-cf-workers. On Android use Intra to load custom DoH, and on iOS use https://dns.notjakob.com/ to create the DoH profile.
-
Public DNS resolver is blocked, way to bypass?
If Cloudflare Workers aren't blocked, you can use https://github.com/tina-hello/doh-cf-workers to forward to it, though it only work with DNS over HTTPS client (most desktop browsers, Windows 11, iOS, macOS, Intra on Android and YogaDNS on older Windows)
-
Ditching Normal DNS for Enhanced Safety: Zero Trust with DNS over HTTPS/TLS
DoH is another game entirely, even if you import the known DoH domains manually, anyone including dedicated kids, can create their own DoH proxy in minutes.
-
Encrypted DNS, what's the point?
Even those who weren't interested in self-hosting might spend a couple of minutes hosting their own DNS proxy since it's much more flexible and don't require root or dedicated port (at least with DoH).
-
Stop devices from using other DNS to bypass AdGuardHome?
While you can in turn block those DoH servers (and probably block port 853 too to stop the default DoT & DoQ traffic), there are ridiculous amount of public DoH servers available, partly because of how easy it is to self-host AGH and expose the DoH endpoint to the public. Anyone can even create their own in minutes.
-
Can't change DNS settings, can ISP block it?
Check if your router support DNS over TLS (DoT) or DNS over HTTPS (DoH), that would ignore the ISP filtering, assuming the ISP doesn't just block port 853 for DoT, or filtering well-known DoH server, in which case just setup your own.
-
Android phones can't connect if I block port 853 on router to stop others bypassing NextDNS
If you don't want to set up AGH at home or at a VPS, accept that the phones need to use the NextDNS/Nebulo/Intra/AdGuard app set to your NextDNS DoH endpoint while you block other providers, though this doesn't actually stop others from using their own/generic NextDNS, or even any provider if their DoH client support bootstrapping. Also, unless it's a seriously fancy router that analyzes traffic statistics, blocking DoH is merely using public list of DoH domains, anyone can create their DoH proxy which won't be blocked. Some routers have SNI filtering which can block websites regardless of the DNS used, but then you need to provide your own blocklist.
-
Subliminal Through Tor?
That's probably SNI filtering, but try other servers from https://adguard-dns.io/kb/general/dns-providers/ and https://github.com/curl/curl/wiki/DNS-over-HTTPS/ just in case, or make your own proxy on https://github.com/tina-hello/doh-cf-workers
-
Zero Trust:Block other DNS over HTTPS/TLS
If you want to go that route, keep in mind the entire Cloudflare Workers and Cloudflare Pages subdomains (workers.dev and pages.dev) can be used as free DoH proxy. Sure you can put the nuclear option, but it would break sites that do use them.
-
Filtering bypass.. I surrender? FEATURE REQUEST INSIDE
A purely DNS-based solution is bound to be easily bypassed, it's really simple to bootstrap the IP so there's no need to even use the network/OS DNS to resolve the custom DoH domain, with hundreds of publicly known DoH and trivial deployment of DoH forwarder you're fighting a losing game.
What are some alternatives?
blocklists - Domain-ONLY Filter Lists (for use with DNS / Domain blocking tools)
dnsproxy - Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support
Inversion-DNSBL-Blocklists - Malicious URLs identified by scanning various public URL sources using the Google Safe Browsing API (over 6 billion URLs scanned daily)
dns-server-setup - Ansible playbook to easily deploy new, fully configured, DNS servers.
pihole-phishtank-list - A blocklist for Pihole from PhishTank
serverless-dns - The RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io
Pi-hole - A black hole for Internet advertisements
DoH
libcurl - A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. libcurl offers a myriad of powerful features
1Hosts - World's most advanced DNS filter-/blocklists!
Unbound - Unbound is a validating, recursive, and caching DNS resolver.