[nickburns]

Which does absolutely nothing if your device or the app in question is permitted or otherwise not prevented from making DNS-over-HTTPS (or, less commonly because of its discrete port, DNS-over-TLS) queries.

[madeofpalk]

Don't all the ad-blocking DNS providers also support DNS-over-HTTPS now as well? I use it with AdGuard Home, and I saw PiHole supports it as well.

[nickburns]

I'm referring to devices and apps that are 'hard-coded' to query specific DoH servers/providers, therefore bypassing and regardless of any user-configured DNS server/s. And because DoH operates on outbound TCP/443, the lookups are indistinguishable from any other 'web' traffic.

Even some of the most popular desktop web browsers are configured to utilize DoH by default nowadays.

The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers and NAT all outbound 53 (and 853) traffic to a desired resolver (like a local Pi-hole instance, for example).

[ignoramous]

> The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers ...

A firewall (which must also host a resolver) can choose to block requests to IPs it hasn't resolved domain names for.

This is something I implemented for an Android firewall app I co-develop; it works nicely enough.

[nickburns]

  A firewall (which must also host a resolver)

Is that true? Per what spec are you referring to?

[Zak]

ignoramous probably meant that in order to block access to all IP addresses that it has not recently resolved, the firewall must also host or communicate closely with a resolver. This is a tautology, not a spec.

[nickburns]

Ah, I definitely misread. Thanks!

[sriacha]

what app?

[ignoramous]

https://github.com/celzero/rethink-app