[Bender]

If I do not disable it then I can not block nefarious domains for all devices on my network and I can not monitor what devices are doing DNS lookups.

I do not agree that it is good for privacy. Maybe one day if ESNI is implemented everywhere then there may be some truth in the idea, but that also assumes that we are not just moving the resolver from the local ISP to the big centralized platforms like Cloudflare or Google. Cloudflare and Google are by far the biggest and juiciest targets for state sponsored monitoring, much more than each individual ISP's DNS. As I have no control over their data retention and usage policies I just run my own DNS that talks directly to the root DNS servers and pre-resolves/caches all the domains name-servers that I talk to regularly. At best my tiny ISP would see my batch queries that run on a schedule. If some day my tiny ISP became nefarious I would put them out of business and hope that whomever acquires their infrastructure may be better behaived.

[andreareina]

How does an application-specific configuration in firefox do anything about other devices on your network?

[josephcsible]

I think "disable DoH" there means "block all DoH servers at the router", not "configure Firefox to not try to use DoH".

[Bender]

Yes, I disable it using the suggested method of returning NXDOMAIN for "use-application-dns.net". I do also disable it in applications such as the browser to avoid the log entries.

    grep appli /etc/unbound/unbound.conf 
     local-zone: "use-application-dns.net." always_nxdomain

And then I have about 80 IP's that I blackhole. People often counter that with, "but DoH can run on any HTTPS endpoint and you can't block CDN's", and whilst this is true I have never run across a CDN performing front-ending DoH and I am the type of person that will block a CDN. I can route HTTPS for specific applications through my own VPN mesh if it came to that and use Squid SSL Bump MiTM proxies to sanitize URL's which I have done in the past. It would just be a couple ACL's in Squid to block DoH end-points. The only domains I can not MiTM are those still using public key pinning such as Paypal which I will never use, eff.org, and a few Google sub-domains. There are probably a few others I have not run across on my Squid proxies.

As a side note, I think PiHole should consider adding a feature for Squid MiTM proxy mode so that more people can do this, with options like peeling off specific LAN clients to use the proxy or force everything through it.

[wkat4242]

Ahh I saw your other comment. Yes this makes sense. Most of them would use known domains.

I don't think pihole will be able to MITM though at decent speeds, if it's actually running on a raspberry pi.

[wkat4242]

Blocking DoH at the router is almost impossible because it looks exactly the same as other HTTPS traffic.

The only option is to do a man in the middle like some business firewalls (eg zscaler) do.

I don't like DoH much either because apps can use it to bypass my local pihole. But blocking it is hard when an app hardcodes its own DoH server.

DoH is really a solution for a US problem that we in Europe don't have. Here it's illegal for ISPs to use deep packet inspection to datamine their customers.

[Bender]

Blocking DoH at the router is almost impossible because it looks exactly the same as other HTTPS traffic.

I covered that in the comment next to this one.

[thesnide]

One can still use a local dnsmasq and https_dns_proxy to leverage pure DNS on ones LAN but have the ISP only see DoH