by LinuxBender
996 days ago
CF explains how to do this here [1]. Have your local DNS resolvers filter the HTTPS type of DNS queries on your DNS servers. One example from Microsoft [2]. Unbound would probably need a patch, though a work-around could be an iptables string filter or u32 filter for the record type. There is a DNS module [3] for iptables but it is not part of any default installations AFAIK. The second way is to return a "no error no answer" or an NXDOMAIN response to queries made to use-application-dns.net. I personally already use the second option to block DoH, and cell phones seem to automatically figure out to use port 853 for DNS-over-TLS on my home router's Unbound DNS. I also null route most of the public DoH servers. People point out that DoH can be on any CDN IP, but it never has been.

[1] - https://developers.cloudflare.com/ssl/edge-certificates/ech/

[2] - https://learn.microsoft.com/en-us/windows-server/networking/...

[3] - https://github.com/mimuret/iptables-ext-dns
Of course this kind of filtering is useless to stop a determined user (in a bring-your-own-device environment) because they can trivially just run their own DoH endpoint.