[Feature request] Block DoH #1614

Closed
lordraiden opened this issue Apr 23, 2020 · 9 comments
@lordraiden

lordraiden commented Apr 23, 2020

Although I guess this could be achieved with DNS rewrites, it could be nice to have an out-of-the-box checkbox to implement this.

As is written here https://github.com/bambenek/block-doh

I guess implementing all these DNS rewrites would do the trick:
https://github.com/bambenek/block-doh/blob/master/db.doh-redirect

dns.google    CNAME   AdGuardDNS_Server
cloudflare-dns.com    CNAME   AdGuardDNS_Server
dns9.quad9.net    CNAME   AdGuardDNS_Server
dns10.quad9.net    CNAME   AdGuardDNS_Server
doh.cleanbrowsing.org    CNAME   AdGuardDNS_Server
dns.dnsoverhttps.net    CNAME   AdGuardDNS_Server
doh.crypto.sx    CNAME   AdGuardDNS_Server
doh.powerdns.org    CNAME   AdGuardDNS_Server
doh-jp.blahdns.com    CNAME   AdGuardDNS_Server
dns.dns-over-https.com    CNAME   AdGuardDNS_Server
doh.securedns.eu    CNAME   AdGuardDNS_Server
dns.rubyfish.cn    CNAME   AdGuardDNS_Server
doh.dnswarden.com    CNAME   AdGuardDNS_Server
doh.captnemo.in    CNAME   AdGuardDNS_Server
doh.tiar.app    CNAME   AdGuardDNS_Server

Why would I want to block DoH?
https://github.com/bambenek/block-doh#why-would-i-want-to-block-doh

@ameshkov
Member

Redirecting DOH servers to AdGuard makes no sense because our server has a different certificate.

What you want to do is simply to add this list to your DNS blocklists in AdGuard Home:
https://raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt
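To illustrate the blocklist approach recommended above, here is an added example (not part of the original thread and not AdGuard Home code). It turns a few of the records quoted in the issue into adblock-style `||name^` blocking rules and checks a query log for clients that looked up those DoH endpoints. The log format, client addresses, and function names are assumptions made for the example.

```python
from collections import defaultdict

# Three of the records quoted in the issue; only the owner names are used.
ZONE = """\
dns.google    CNAME   AdGuardDNS_Server
cloudflare-dns.com    CNAME   AdGuardDNS_Server
dns9.quad9.net    CNAME   AdGuardDNS_Server
"""

# Constructed sample log, assumed format: "<client-ip> <queried-name>".
SAMPLE_LOG = """\
192.168.1.20 example.org
192.168.1.20 DNS.Google.
192.168.1.31 mozilla.cloudflare-dns.com
192.168.1.31 notcloudflare-dns.com
"""

def doh_names(zone_text):
    """Owner names of the CNAME records, lowercased, without trailing dot."""
    names = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1].upper() == "CNAME":
            names.add(fields[0].lower().rstrip("."))
    return names

def block_rules(names):
    """Adblock-style rules: ||name^ covers the name and its subdomains."""
    return [f"||{n}^" for n in sorted(names)]

def matched_host(qname, names):
    """Listed name that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in names:  # whole-label match, not a substring match
            return candidate
    return None

def audit(log_text, names):
    """Map each client to the sorted DoH names it tried to resolve."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        host = matched_host(parts[1], names) if len(parts) == 2 else None
        if host:
            hits[parts[0]].add(host)
    return {client: sorted(found) for client, found in hits.items()}
```

Matching on whole labels keeps `notcloudflare-dns.com` from being flagged, while case differences and a trailing dot in the queried name are normalized before comparison.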

@lordraiden
Author

lordraiden commented Apr 24, 2020

> Redirecting DOH servers to AdGuard makes no sense because our server has a different certificate.
>
> What you want to do is simply to add this list to your DNS blocklists in AdGuard Home:
> https://raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt

Ok, I understand, anyway you could make this list available, officially maintain it and facilitate its deployment with just a checkbox.

I think it is a pretty important issue so everyone should be able to easily block a tech that makes AdGuard Home totally useless because it can bypass it.

@Aikatsui
Contributor

Block Bypass Methods

#1446 (comment)

@ameshkov
Member

> Ok, I understand, anyway you could make this list available, officially maintain it and facilitate its deployment with just a checkbox.

We could add it to the list of available filter lists: #1325

We would like to avoid maintaining it by ourselves, though.

@Aikatsui
Contributor

> We could add it to the list of available filter lists: #1325
> We would like to avoid maintaining it by ourselves, though.

That's only some. If added, then AG needs to maintain it.

@lordraiden
Author

@ameshkov I think it is a pretty easy list to maintain, it could even be updated just with the user feedback.
The list of bambenek is fine but it doesn't look like it is updated, and I think this is an important feature since it can bypass AdGuard Home security.

@ameshkov
Member

> and I think this is an important feature since it can bypass AdGuard Home security

I just don't think this can be a viable solution. The only way to truly control the network is proxy-level filtering anyway.

@lordraiden
Author

lordraiden commented May 7, 2020

> > and I think this is an important feature since it can bypass AdGuard Home security
>
> I just don't think this can be a viable solution. The only way to truly control the network is proxy-level filtering anyway.

@ameshkov

It is better than nothing and it can be implemented in 5 mins.

For Firefox "use-application-dns.net"

https://isc.sans.edu/forums/diary/Blocking+Firefox+DoH+with+Bind/25316

https://www.reddit.com/r/pfBlockerNG/comments/gf0jnp/dnsbl_safesearch_firefox_doh_blocking_how_does_it/

Please don't close it and reconsider this

@ameshkov
Member

ameshkov commented May 7, 2020

> For Firefox "use-application-dns.net"

We do handle it as Firefox suggests, there's no need for an additional filter list for that.
