this post was submitted on 08 Nov 2023
226 points (97.9% liked)

Selfhosted

40347 readers
406 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Blocked that hard-coded google dns garbage.

you are viewing a single comment's thread
view the rest of the comments
[–] Silejonu@kbin.social 2 points 1 year ago (2 children)

I suspect DoT and DoH still go through, though? I mean you can always block the port 853 for DoT, but DoH is another story.

[–] jemikwa@lemmy.blahaj.zone 2 points 1 year ago* (last edited 1 year ago)

Yeah you'd need an L7 application layer filtering firewall to catch DoH since it would detect the SSL packet signature on port 53. Unfortunately that balloons the cost of the device past a reasonable level for a home aficionado.
A workaround for now would be to block known public servers that use DoH like Google DNS, since a lot of devices are adding features to enable DoH by default at the OS level

[–] jubilationtcornpone@sh.itjust.works 1 points 1 year ago (2 children)

That's correct. I block DoT in my firewall and block known DoH domains in piHole. I'm sure stuff slips through occasionally but the vast majority of my DNS requests are handled by piHole.

Traditional DNS over UDP/53 is insecure but I'm using ProtonVPN's DNS server over VPN externally so I'm not worried about that.

[–] Silejonu@kbin.social 1 points 1 year ago

I see. I may try to do something similar but towards Unbound on my OPNSense router, if that's possible.

[–] blackstrat@lemmy.fwgx.uk 1 points 1 year ago (1 children)

How do you block the DoH servers in the pihole? Pihole is a DNS server, devices using a third party DoH server would just bypass the pihole as they're using the IP of the DoH with no DNS lookup required. No?

To block DoH I think you need to block it at the firewall level with a list of blocked IPs for the DoH servers you want to block over 443

You're probably better off blocking it at the firewall level. It would be more thorough but also more effort. In my experience, most devices/apps that use DoH call a domain name rather than an IP. If you block the domain in piHole, the app cant resolve the DoH server IP and therefore won't be able to use DoH.