Force SafeSearch in DuckDuckGo

So I would have to know which IP addresses are using outbound DoH connections on port 443?
Based on the answers I got previously on this post, I thought DoH would bypass all filtering at the router level, no matter what... that's the impression I got from it.
But you're saying there's a way to block that?
The router is still the gatekeeper of outbound/inbound connections. And DNSMasq (or pihole) still controls any unencrypted initial queries that occur on port 53 (if dnsfilter is forcing traffic).
 
The router is still the gatekeeper of outbound/inbound connections. And DNSMasq (or pihole) still controls any unencrypted initial queries that occur on port 53 (if dnsfilter is forcing traffic).
I have DNSfilter set up as Router and I have Cloudflare as DNS in WAN and it works... adult websites are blocked and SafeSearch is working as it should... but as soon as I enable DoH in Firefox, all that filtering goes out the window, which I guess is the intended purpose of DoH... just wanted to see if there's a way around that.
 
I have DNSfilter set up as Router and I have Cloudflare as DNS in WAN and it works... adult websites are blocked and SafeSearch is working as it should... but as soon as I enable DoH in Firefox, all that filtering goes out the window, which I guess is the intended purpose of DoH... just wanted to see if there's a way around that.
Use the no bypass list I posted above in your blocker. Give that a try.
 
Use the no bypass list I posted above in your blocker. Give that a try.
Do I add that list here?
1631451052649.png
 
I tried to access via ssh
/jffs/configs/hosts.add

but I get "not found".
 
I didn't know what Diversion was until today. I guess I'm trying to understand the difference between blocking URLs via the router vs Pihole. Or why DoH is able to bypass the router's DNS server, but not the Pihole DNS.
 
So I've added just one website as a test to the pihole block list. It blocks access to the website, but not when DoH is enabled in the browser.
The idea is that when using DoH, the browser needs to make an initial normal DNS request for the DoH resolver URL domain. With Firefox, the default DoH service uses the domain mozilla.cloudflare-dns.com. So you would set PiHole to block that domain name (which is included in Somewhere's block list) so that Firefox cannot negotiate the DoH connection and falls back to regular DNS, which can be manipulated.
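
The reply above turns on one fact: the browser's first lookup of the DoH resolver's hostname still goes through ordinary DNS, so a blocklist of resolver hostnames decides whether DoH can start. The sketch below is an added example, not part of the original thread or any poster's code. It shows that a plain domain list and a hosts-format list ("IP domain") reduce to the same set of names, checks a queried name against it, and emits dnsmasq `address=` lines. The function names and the sample list are constructed for illustration, and `doh.resolver.example` and `dns.example.net` are placeholders.

```python
import ipaddress
import re

# Constructed sample: blocklists are published as plain domains or hosts lines.
SAMPLE_LIST = """\
# DoH resolver hostnames (constructed sample)
mozilla.cloudflare-dns.com
0.0.0.0 doh.resolver.example
127.0.0.1  Dns.Example.NET   # trailing comment
not a domain!
"""

_LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_blocklist(text):
    """Return the set of valid domains from plain or hosts-format lines."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) == 2 and _is_ip(fields[0]):
            fields = fields[1:]                  # hosts format: discard the IP
        if len(fields) != 1:
            continue                             # blank or malformed line
        name = fields[0].lower().rstrip(".")
        if _DOMAIN.match(name) and not _is_ip(name):
            domains.add(name)
    return domains

def is_blocked(qname, domains):
    """True if qname or any parent domain is listed (wildcard-style match)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def to_dnsmasq(domains):
    """dnsmasq lines; address=/d/0.0.0.0 answers for d and all its subdomains."""
    return [f"address=/{d}/0.0.0.0" for d in sorted(domains)]

if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_LIST)
    print("\n".join(to_dnsmasq(blocked)))
    print(is_blocked("mozilla.cloudflare-dns.com", blocked))
```

Only the names are needed as input; the IP column in a hosts-format list is just the address the blocker answers with.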
 
The idea is that when using DoH, the browser needs to make an initial normal DNS request for the DoH resolver URL domain. With Firefox, the default DoH service uses the domain mozilla.cloudflare-dns.com. So you would set PiHole to block that domain name (which is included in Somewhere's block list) so that Firefox cannot negotiate the DoH connection and falls back to regular DNS, which can be manipulated.
Oh I see... I'm still trying to find how I can add those 700 domains to pihole... so far I've found that I also need the IP address and if that's the case, that's gonna take a long time. There has to be an easier way.
 
The idea is that when using DoH, the browser needs to make an initial normal DNS request for the DoH resolver URL domain. With Firefox, the default DoH service uses the domain mozilla.cloudflare-dns.com. So you would set PiHole to block that domain name (which is included in Somewhere's block list) so that Firefox cannot negotiate the DoH connection and falls back to regular DNS, which can be manipulated.
Thank you for your much more elegant explanation.
 
It will get updated on your end whenever pihole detects that the file has been updated on the upstream. Pihole takes care of everything else.
Well, we'll see how it goes. I know it's a cat and mouse thing... and there's always going to be a loophole for everything...kids nowadays are way too smart or have smart friends hehe.
All I can do is try lol.
 
One more quick question though... so even if I configure pihole with Cloudflare for DNS over HTTPS... that still doesn't fix my issue, right?
Meaning, Firefox will still be able to bypass Pihole and will I still need to add that list you provided?
 
I notice if I add facebook.com it blocks it, but even if I add one of those domains from the list individually it won't block it... it completely ignores it.
This is without using Firefox... I'm using Edge with no DoH.
 
So it seems adding them individually using wildcard is blocking the domains. Is there a way to add them another way since it looks like adding the link has no impact?
 
