TheGreatWall VS dohservers

Here's lists: https://github.com/Sekhan/TheGreatWall

I run Pfsense and am able to block most common DoH services. I’m sure you will be able to configure similar options on opnsense. The best way to do this is a DNS block through AGH and an IP block with opnsense. Firefox provides what domains to block to disable their DoH, https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https. You can also add these two lists to block most other common DoH services, https://github.com/oneoffdallas/dohservers, https://github.com/Sekhan/TheGreatWall. These lists will work with AGH for DNS blocking and for IP blocking aliases. If you have any Apple devices on your network you can use these domains to block private relay, https://raw.githubusercontent.com/Rogacz/private-relay/main/pr2.txt. I recommend you add these private relay domains as a custom entry in AGH to return NXDOMAIN so that the device shows that private relay is unavailable versus using a NULL response where it will say it’s available when it really isn’t. With these lists added to DNS blocklists as well as IP blocklists I have seen almost no DoH services getting through. The only service that I’ve experienced getting through the rules so far is Next DNS since it uses different IPs depending on what is fastest for your location, making it harder to block. I found a way to discover the IPs for their servers near you and will edit the post if I find the instructions again. Also make sure to completely block port 853 to block DoT. Lastly using these instructions from Pfsense, you can redirect or block all DNS queries that aren’t destined for your AGH instance. The instructions should be transferable to opnsense.

You can also have the pihole block these DoH servers, using this: https://github.com/Sekhan/TheGreatWall/blob/master/TheGreatWall.txt but for applications that have a list DoH IP's hardwired into them, then pihole blocking won't catch those because they connect without DNS lookups. You have to block them at your firewall.

Original: https://github.com/Sekhan/TheGreatWall

Another test is android also offers Private DNS under advanced settings if set to automatic it will send requests to google DoH, turn this off and see if that changes anything. You could also add the The Great Wall DoH pihole blocklist to see if that helps too: https://github.com/Sekhan/TheGreatWall/blob/master/TheGreatWall.txt

Hopefully this helps: https://github.com/Sekhan/TheGreatWall

shouldn't be that hard, just load one of these... https://github.com/Sekhan/TheGreatWall https://github.com/oneoffdallas/dohservers

No reason to put private IPs in public DNS. Use split DNS and block port 853 and use this list for DoH.

There is some meager effort like this, but it's seriously trivial for one to create their own DoH proxy, or heck, just create their own NextDNS config. So even if you block port 853 (used by DoT & DoQ) and port 53 (unencrypted DNS), DoH traffic is simply unstoppable, yes there is traffic analysis, but with DoH3 it would be impossible to detect an innocuous-looking website serving regular traffic has a hidden DoH endpoint.

I run Pfsense and am able to block most common DoH services. I’m sure you will be able to configure similar options on opnsense. The best way to do this is a DNS block through AGH and an IP block with opnsense. Firefox provides what domains to block to disable their DoH, https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https. You can also add these two lists to block most other common DoH services, https://github.com/oneoffdallas/dohservers, https://github.com/Sekhan/TheGreatWall. These lists will work with AGH for DNS blocking and for IP blocking aliases. If you have any Apple devices on your network you can use these domains to block private relay, https://raw.githubusercontent.com/Rogacz/private-relay/main/pr2.txt. I recommend you add these private relay domains as a custom entry in AGH to return NXDOMAIN so that the device shows that private relay is unavailable versus using a NULL response where it will say it’s available when it really isn’t. With these lists added to DNS blocklists as well as IP blocklists I have seen almost no DoH services getting through. The only service that I’ve experienced getting through the rules so far is Next DNS since it uses different IPs depending on what is fastest for your location, making it harder to block. I found a way to discover the IPs for their servers near you and will edit the post if I find the instructions again. Also make sure to completely block port 853 to block DoT. Lastly using these instructions from Pfsense, you can redirect or block all DNS queries that aren’t destined for your AGH instance. The instructions should be transferable to opnsense.

I’ve also been using this to block doh domains: https://github.com/travisboss/TheGreatWall - and in conjunction, at router level, I block their IP endpoints: https://github.com/oneoffdallas/dohservers

DoH serves is another story of course. You can at least check https://github.com/oneoffdallas/dohservers/ It can be imported directly into Pi-Hole

After reading through this and looking at some other sources I think I am going to create a URL Table of IPs that updates every X days using the list from https://github.com/oneoffdallas/dohservers/blob/master/iplist.txt . And I'll add in the few Cloudflares that it has commented out. And I'll use that alias to block outgoing 443 to those IPs. It seems pretty low maintenance and I don't have to have another package installed, which I was hoping to avoid. And I'll block all outgoing 853 as well. We'll see how it goes

Step 5: Add the DNS over HTTPS lists to your pihole (https://github.com/oneoffdallas/dohservers)

This isn't a complete approach, but you can block outgoing traffic from hitting DoH servers. https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall_ipv4 https://github.com/oneoffdallas/dohservers