Stopping DNS over HTTP bypassing DNSFilter


As a short addendum, I tried pinging the Cloudflare DoH URLs. Totally different IPs resolve for this:

Pinging chrome.cloudflare-dns.com [104.18.27.211] with 32 bytes of data:
Reply from 104.18.27.211: bytes=32 time=15ms TTL=58

Pinging mozilla.cloudflare-dns.com [104.16.249.249] with 32 bytes of data:
Reply from 104.16.249.249: bytes=32 time=11ms TTL=58
 
Ok, so then I also tested by manually setting my DNS server to 1.1.1.1 in my laptop's network settings. The What's My DNS Server website gives me exactly the same IP for the responding DNS server as when I used the browser DoH for Cloudflare. So while I am requesting name resolution via 1.1.1.1, it is still using one of Cloudflare's pool of DNS servers. How this is operating at Layer 3 I'm not sure: is the name resolution response coming back from 1.1.1.1 or from 162.158.1.37?
It's coming from 1.1.1.1, which can be one of many physical servers. Anycast is treating an IP address like a domain name, as an alias for a particular server or servers. The difference is that the resolution takes place on Cloudflare's routers, not on the client. The client is none the wiser, so blocking 1.1.1.1 blocks the request from ever getting to Cloudflare's routers. The request can't be resolved because it never makes it to Cloudflare.
 
Make the router resolve the CNAME cloudflare-dns.com to a different null IP, or simply block it with a DNS-based solution, or block it with Skynet.

Yes - as per my earlier post I am using Cleanbrowsing DNS service to block all the DoH hostnames. I think NextDNS has a similar list but you could easily create your own.
 
Here is the NextDNS list for blocking bypass methods (Encrypted DNS, VPNs, proxies and more)
edit:
Guess NextDNS does not include their own DoT and DoH in this list ;)
Code:
#NextDNS DoH
dns.nextdns.io

#NextDNS DoT
dns1.nextdns.io
dns2.nextdns.io
This list cannot be added directly in Diversion, I think.
 
You can add it as a domains block list to Diversion, or as a black list. Here is what I recommend if you are only trying to control a certain group of devices from using these to circumvent the block list: you could easily add these to an alternate blocking list, and add the devices you want using DNSFilter to that alternate blocking list. For further instructions on how to set up an alternate blocking list with Diversion, and how to add clients to it, please see the FAQ area on Diversion's website, https://diversion.ch/ . @thelonelycoder has an ingenious design for allowing a separate blocklist to control a subset of devices on a given network.
 
I would recommend importing it as a blacklist in Diversion rather than as a blocklist, simply for Skynet/Diversion shared listing: if Skynet doesn't block the associated IP addresses, then it can easily be circumvented with an IP address, because Diversion is only blocking the FQDN.
 

Thanks! Here's the Encrypted DNS part of it that you can use directly as a hosted blacklist in Diversion:


I've also blocked 8.8.8.8 and 1.1.1.1 (with secondary) in the UI via https://support.unlocator.com/article/190-how-to-block-google-dns-on-asus-router as I'm using 9.9.9.9 for DoT.
This stopped my Google Nest Hub from working ("check internet connection"); they're insisting on using 8.8.8.8.
Would be cool if Skynet had a setting for blocking DoH and DoT.
 
Reverse lookup these hostnames, and block the IPs.

Diversion (hostnames) and Skynet (IPs) working together (via dedicated blocklists) could be a good solution to block encrypted DNS:

cloudflare-dns.com
dns.cloudflare.com
one.one.one.one
..

1.1.1.1
1.0.0.1
..
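As an added example, not code from the thread or from the Diversion or Skynet projects: a small helper that takes a hostname list in the layout of the NextDNS file quoted earlier (one hostname per line, '#' comments), produces the hostname list for a DNS-level blacklist, and resolves each name to build the companion IP list for an IP-level block, which is the Diversion-plus-Skynet pairing suggested in this thread. The file format and the one-hostname-per-line output are assumptions, and the resolver is injectable so the script runs offline against constructed answers (TEST-NET placeholders for NextDNS, the Cloudflare addresses quoted in the thread).

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]

# Constructed sample in the layout of the NextDNS list quoted above:
# '#' comment lines and blank lines are ignored, one hostname per line.
# The last entry is an upper-case duplicate, to show deduplication.
SAMPLE_LIST = """\
#NextDNS DoH
dns.nextdns.io

#NextDNS DoT
dns1.nextdns.io
dns2.nextdns.io

# Cloudflare entries from the thread
cloudflare-dns.com
one.one.one.one
DNS.NEXTDNS.IO
"""

# Constructed answers for offline use. The NextDNS addresses are TEST-NET
# placeholders (not the real service IPs); the Cloudflare ones are those
# quoted in the thread.
FAKE_ANSWERS: Dict[str, List[str]] = {
    "dns.nextdns.io": ["192.0.2.10", "192.0.2.11"],
    "dns1.nextdns.io": ["192.0.2.10"],
    "dns2.nextdns.io": ["192.0.2.11"],
    "cloudflare-dns.com": ["104.16.249.249", "104.16.248.249"],
    "one.one.one.one": ["1.1.1.1", "1.0.0.1"],
}


def fake_resolver(hostname: str) -> List[str]:
    """Offline stand-in for DNS: unknown names behave like NXDOMAIN."""
    return list(FAKE_ANSWERS.get(hostname, []))


def live_resolver(hostname: str) -> List[str]:
    """Real IPv4 lookup through the system resolver; failures yield []."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except socket.gaierror:
        return []


def parse_hostlist(text: str) -> List[str]:
    """Keep hostnames only: drop comments and blank lines, lowercase, dedupe in order."""
    seen = set()
    hosts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line and line not in seen:
            seen.add(line)
            hosts.append(line)
    return hosts


def resolve_all(hosts: List[str], resolver: Resolver) -> Dict[str, List[str]]:
    """Map each hostname to the well-formed IPv4 addresses it currently resolves to."""
    result: Dict[str, List[str]] = {}
    for host in hosts:
        addrs = []
        for a in resolver(host):
            try:
                addrs.append(str(ipaddress.IPv4Address(a)))
            except ipaddress.AddressValueError:
                continue  # skip anything that is not a valid IPv4 literal
        result[host] = addrs
    return result


def build_lists(text: str, resolver: Resolver = live_resolver) -> Tuple[List[str], List[str]]:
    """Return (hostnames for the DNS blacklist, deduplicated sorted IPs for the IP blocklist)."""
    hosts = parse_hostlist(text)
    answers = resolve_all(hosts, resolver)
    ips = {ip for addrs in answers.values() for ip in addrs}
    return hosts, sorted(ips, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    hostnames, ip_list = build_lists(SAMPLE_LIST, fake_resolver)
    print("# hostnames for Diversion")
    print("\n".join(hostnames))
    print("# IPs for Skynet")
    print("\n".join(ip_list))
```

Run it as-is to see the two lists produced from the constructed data; swap in `live_resolver` (the default) to resolve a real list from the router's own resolver. Review the IP output before loading it: addresses that a CDN-fronted DoH hostname resolves to are often shared with unrelated services, and the thread itself shows the collateral effect of blocking a shared resolver address (the Nest Hub losing connectivity once 8.8.8.8 was blocked). Resolutions also change over time, so the IP list needs regenerating periodically, whereas the hostname list does not.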
 
