[LinuxBender]

This comes up in discussions quite a bit but in practice I have never seen that become a thing. There is technically nothing stopping a DNS provider from using random CDN nodes but unless you have found a working exception they all have well defined static IP addresses, sometimes even novelty IP's. Perhaps some day they will do this at the risk of CDN nodes getting blocked.

I block DoH/DoT quite successfully on my network, not to invade privacy but to block privacy invading sites and usage statistics that the current DoH/DoT providers gather. Thus far it has not been an issue.

I was surprised to find that cell phones automagically discover my DoT 853 listener on my firewall that is served up by Unbound. I do have a "_dns.resolver.arpa" hint record but nothing has ever queried it.

[donmcronald]

> This comes up in discussions quite a bit but in practice I have never seen that become a thing.

How would you even know it’s happening? Is it even possible to snoop on HTTPS traffic if you have a mobile device like an iPhone? Making it impossible to see is the entire point AFAIK.

[LinuxBender]

I have physical access to the devices and I can also see every device that is registered in DHCP making queries to Unbound. Unless a specific application is leaking requests to 443 I can say with certainty that they are using my DNS server. People on my network appreciate the ad blocking and I would hear about it if that stopped working.

[Edit] I should also add that I do not block VPN's. If someone wants to manually bypass my DNS they can do so with a VPN client. Perhaps some day all the browsers will start creating VPN tunnels to random CDN's on 443.

[donmcronald]

So you can tell they’re not using your DNS server, but you said:

> I block DoH/DoT quite successfully on my network

How do you block encrypted traffic that’s mixed in with normal HTTPS? I get that you can block the well known IPs, but that’s only a partial solution.