TheGreatWall
piholemanual
Our great sponsors
TheGreatWall | piholemanual | |
---|---|---|
11 | 10 | |
103 | 105 | |
- | - | |
0.0 | 10.0 | |
almost 2 years ago | 7 days ago | |
Shell | ||
MIT License | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
TheGreatWall
-
Restrict DNS resolution to pihole only
Here's lists: https://github.com/Sekhan/TheGreatWall
-
AdGuard Home and dealing with DoH
I run Pfsense and am able to block most common DoH services. I’m sure you will be able to configure similar options on opnsense. The best way to do this is a DNS block through AGH and an IP block with opnsense. Firefox provides what domains to block to disable their DoH, https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https. You can also add these two lists to block most other common DoH services, https://github.com/oneoffdallas/dohservers, https://github.com/Sekhan/TheGreatWall. These lists will work with AGH for DNS blocking and for IP blocking aliases. If you have any Apple devices on your network you can use these domains to block private relay, https://raw.githubusercontent.com/Rogacz/private-relay/main/pr2.txt. I recommend you add these private relay domains as a custom entry in AGH to return NXDOMAIN so that the device shows that private relay is unavailable versus using a NULL response where it will say it’s available when it really isn’t. With these lists added to DNS blocklists as well as IP blocklists I have seen almost no DoH services getting through. The only service that I’ve experienced getting through the rules so far is Next DNS since it uses different IPs depending on what is fastest for your location, making it harder to block. I found a way to discover the IPs for their servers near you and will edit the post if I find the instructions again. Also make sure to completely block port 853 to block DoT. Lastly using these instructions from Pfsense, you can redirect or block all DNS queries that aren’t destined for your AGH instance. The instructions should be transferable to opnsense.
-
Device has not a single query?
You can also have the pihole block these DoH servers, using this: https://github.com/Sekhan/TheGreatWall/blob/master/TheGreatWall.txt but for applications that have a list DoH IP's hardwired into them, then pihole blocking won't catch those because they connect without DNS lookups. You have to block them at your firewall.
- PSA - Netflix on iOS seems to be contacting 8.8.8.8 (Google DNS) a lot, possibly to circumvent blocking
- Blocklist for DNS over HTTPS?
- How long until Google [and others] use https://8.8.8.8 internally, and hence bypass Pi-Hole?
- Any guide to catching and redirecting DoH traffic?
-
Adguar home question
Original: https://github.com/Sekhan/TheGreatWall
-
Android defaults to 8.8.8.8 as secondary DNS with Pi-hole as DHCP server
Another test is android also offers Private DNS under advanced settings if set to automatic it will send requests to google DoH, turn this off and see if that changes anything. You could also add the The Great Wall DoH pihole blocklist to see if that helps too: https://github.com/Sekhan/TheGreatWall/blob/master/TheGreatWall.txt
-
Blocking DNS over HTTPS Suggestions
Hopefully this helps: https://github.com/Sekhan/TheGreatWall
piholemanual
-
Good Up-To-Date DoH (DNS over HTTPS) Provider Blocklists?
read this document. It describes how to block (o)DoH on a firewall. The IP lists are generated daily, as is the RPZ (response policy zone) file. A pihole specific blocklist isn't available, but the document contains the instructions to generate one yourself from the database.
-
Smart-TV Blocklist for Pi-Hole
> the most ill thought out "privacy" feature
Whose privacy? DoH helps to protect billions in ad revenue for the ad network that funds Chrome, Firefox, Safari and web standards. A better web will need a different revenue model.
In the meantime, here's a maintained guide to blocking DoH with pfsense, https://github.com/jpgpi250/piholemanual/blob/master/doc/Blo...
- Blocklist for DNS over HTTPS?
-
The definitive list for blocking and handling bypassing attempts
This list is just one of the available lists on github (and some other places), unfotunatelly, it isn't complete. I've been consolidating the lists I could find. Two options: - For those who have a decent firewall, capable of adding IP lists from url, they can use the IPv4 and IPv6 lists, daily generated, on GitHub.
- Is it possible to block dns over https at the router level? I don't want any devices/apps circumventing my pihole.
- How long until Google [and others] use https://8.8.8.8 internally, and hence bypass Pi-Hole?
-
Unbound DNS Blacklist not working?
Otherwise you can create a fw alias for known DOHipv4/ipv6 enpoints and block them with a list like https://github.com/jpgpi250/piholemanual/blob/master/DOHipv4.txt and block TCP on port 853 to catch default DoT traffic and force everyone to use the local resolver.
-
How to block DoH and redirect DNS to a PiHole (on Mikrotik)
The bambenek list is almost two years old. There are a lot of DOH lists available, some even update almost daily. I've been working continuously on blocking DOH on my network, and made a list of IPv4 and IPv6 addresses available on github, an description on how to use these lists on pfsense can be found here, but I'm sure the lists can be used on other firewalls. The lists only contain the IP addresses of resolvable DNS entries, If an entry from the source doesn't resolve, the entry is ignored. You can find the list of lists in the pdf document. Be a ware that using a dns entry to block DOH may not work. We all know that devices, such as chromecast, have 8.8.8.8 hard coded, smart IOT devices may have the IP of a well known (sure that it will never go disappear, such as google or cloudflare) configured. Blocking DNS entries that point to these DOH servers will never have effect. Also be aware that blocking some entries may considerably slow down your browser experience, ref the section on exceptions in the pdf.
-
Re-directing all DNS traffic through PiHole on UDM/UDMP: my working solution
For DoH, you're playing a game of cat and mouse. Create two address groups with all known DoH servers - one for IPv4 and another for IPv6. There are some pages out there that list all known addresses, such as this github repo. Then, setup a rule to block those IP addresses.
What are some alternatives?
blocklists - Domain-ONLY Filter Lists (for use with DNS / Domain blocking tools)
py-hole - A Small Alternative to pi-hole, in python
Inversion-DNSBL-Blocklists - Malicious URLs identified by scanning various public URL sources using the Google Safe Browsing API (over 6 billion URLs scanned daily)
TheGreatWall - Prevent program and malware to bypass DNS filter by using DoH
pihole-phishtank-list - A blocklist for Pihole from PhishTank
Pi-hole - A black hole for Internet advertisements
DoH
1Hosts - World's most advanced DNS filter-/blocklists!
doh-cf-workers - DNS-over-HTTPS proxy on Cloudflare Workers
PersonalBlockListsPAllebone - blocklist
AdGuardHome - Network-wide ads & trackers blocking DNS server