by Dah00n 1858 days ago
>Makes me very worried about the adoption of DoH

Yes, this is what made me look closer at what happens at my LAN and got me into this mess. It is a losing battle but I try to block things like DoH and DNS IPs via blocklists[1]. The pfSense add-on pfBlockerNG does this pretty well. I then strictly only allow DNS over TLS from the DNS server out on WAN.

>how many devices do you have in your network that you need a load-balanced Pi-Hole setup!?

I can see it wasn't very clear in my comment but it wasn't the amount of devices that caused the problem. It only takes one or two misbehaving devices that hammer Pi-hole to make it hang. Pi-hole worked wonderfully until I forced all DNS requests to be redirected to it. I then got many, many requests a second from some devices (Edit: because they didn't like the NXDOMAIN reply they got). Try refusing access to Google DNS if you have some Chromecasts. As far as I can remember they really don't like this. Any Android phone with only one DNS IP set will also default to Google DNS as a secondary DNS IP...

1: Blocking DNS servers really isn't easy. Not only do some devices use other ports but they aren't all well known. I had requests to 216.239.32.10, for example, and had no idea this is yet another Google DNS IP (ns1.google.com?).
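As an added example (not code from the comment above or from the Pi-hole or pfSense projects), here is a small Python script covering both halves of the comment: spotting the one or two devices that hammer the resolver after being handed NXDOMAIN, and spotting flows that bypass the LAN resolver on port 53, 853 or 443. The log lines are a constructed sample that only approximates the dnsmasq format of Pi-hole's query log; the LAN addresses and the "telemetry.example.net" name are made up; 8.8.8.8 and 8.8.4.4 are Google Public DNS, and 216.239.32.10 is listed only because the comment names it. The 10 queries-per-second threshold and the "DNS server" address are assumptions to tune for your own network.

```python
import re
from collections import defaultdict

# Regexes for the two line types we care about. The format approximates
# dnsmasq's query log as written by Pi-hole; verify against your own log.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)
NXDOMAIN_RE = re.compile(r"dnsmasq\[\d+\]: config (?P<name>\S+) is NXDOMAIN$")


def _build_sample_log():
    """Constructed sample: one well-behaved client and one device that
    re-asks for a blocked name 25 times a second after getting NXDOMAIN."""
    lines = [
        "Jan  1 12:00:00 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20",
        "Jan  1 12:00:00 dnsmasq[1234]: reply www.example.com is 203.0.113.10",
        "Jan  1 12:00:02 dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.20",
    ]
    for sec in (1, 2):
        for _ in range(25):
            lines.append(f"Jan  1 12:00:0{sec} dnsmasq[1234]: "
                         f"query[A] telemetry.example.net from 192.168.1.50")
            lines.append(f"Jan  1 12:00:0{sec} dnsmasq[1234]: "
                         f"config telemetry.example.net is NXDOMAIN")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()


def analyse(log_text, qps_threshold=10):
    """Per client: peak queries in any one second, total queries, and the
    share of queries for names the resolver answered with NXDOMAIN."""
    queries, nx_names = [], set()
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            queries.append((m["ts"], m["name"], m["client"]))
            continue
        m = NXDOMAIN_RE.search(line)
        if m:
            nx_names.add(m["name"])

    per_second = defaultdict(lambda: defaultdict(int))  # client -> ts -> count
    totals, nx_hits = defaultdict(int), defaultdict(int)
    for ts, name, client in queries:
        per_second[client][ts] += 1
        totals[client] += 1
        if name in nx_names:
            nx_hits[client] += 1

    report = {}
    for client, buckets in per_second.items():
        peak = max(buckets.values())
        report[client] = {
            "peak_qps": peak,
            "total": totals[client],
            "nxdomain_share": nx_hits[client] / totals[client],
            "hammering": peak >= qps_threshold,
        }
    return report


# Second check: which flows are trying to resolve names somewhere other than
# the LAN resolver? Plain DNS and DoT are only allowed from the DNS server
# itself out to WAN; HTTPS to an address known to serve DNS is a DoH suspect.
PIHOLE_IP = "192.168.1.2"                                    # assumption
KNOWN_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "216.239.32.10"}  # last one from the comment

# Constructed flows: (src, dst, dst_port, proto)
SAMPLE_FLOWS = [
    ("192.168.1.20", PIHOLE_IP, 53, "udp"),         # normal LAN lookup
    (PIHOLE_IP, "203.0.113.53", 853, "tcp"),         # Pi-hole -> upstream DoT: allowed
    ("192.168.1.50", "8.8.8.8", 53, "udp"),          # bypass: plain DNS to Google
    ("192.168.1.50", "8.8.8.8", 443, "tcp"),         # suspect: HTTPS to a resolver IP
    ("192.168.1.51", "216.239.32.10", 53, "udp"),    # bypass: the IP named in the comment
    ("192.168.1.51", "216.239.32.10", 853, "tcp"),   # bypass: DoT from a client, not the DNS server
]


def classify_flows(flows, dns_server=PIHOLE_IP, resolvers=KNOWN_RESOLVER_IPS):
    """Return (src, dst, port, proto, reason) for every flow that bypasses the LAN resolver."""
    flagged = []
    for src, dst, dport, proto in flows:
        if dport == 53 and dst != dns_server:
            flagged.append((src, dst, dport, proto, "plain DNS to a foreign resolver"))
        elif dport == 853 and src != dns_server:
            flagged.append((src, dst, dport, proto, "DoT from a client instead of the DNS server"))
        elif dport == 443 and dst in resolvers:
            flagged.append((src, dst, dport, proto, "HTTPS to a known resolver IP (possible DoH)"))
    return flagged


if __name__ == "__main__":
    for client, stats in analyse(SAMPLE_LOG).items():
        print(client, stats)
    for entry in classify_flows(SAMPLE_FLOWS):
        print(*entry)
```

The query-rate check keys on the one-second timestamp resolution the log already has, so it finds exactly the "many requests a second" pattern described above without any extra state; in practice you would feed it `/var/log/pihole.log` and pair a flagged client with its `nxdomain_share` to decide whether to whitelist the name, rate-limit the device, or keep blocking and live with the retries. The flow check encodes the comment's policy directly (port 53 only to the Pi-hole, port 853 only from it), and the resolver-IP set is the part that is never complete, which is the commenter's footnote in code form.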