Stopping DNS over HTTP bypassing DNSFilter

[lianthar]

I am using Cleanbrowsing DNS servers (set as WAN DNS) and then using DNSFilter to Global Filter = Router. This seems to work great for filtering and stops bypassing even if a client sets their own manual DNS servers.

There seems to be one way to pretty easily get around the DNSFIlter though and that is to set the "Use Secure DNS" setting in Chrome to point to an unfiltered DNS server.

I saw the WAN setting "Prevent client auto DoH" and set to "Yes" assuming that this would block the use of DNS over HTTPS but it has not worked and the Chrome setting mentioned above seems to easily bypass DNSFilter. Is there a way to get DNSFilter to detect and redirect DNS over HTTP requests from browsers where this has been manually set?

 

[RMerlin]

That's one of the main reasons why I consider DoH to be a steaming pile of crap when it comes to screwing up network management.

Best you can do is build up a list of known DoH servers (like 1.1.1.1), and block port 443 access to all of these IPs through the firewall.

I saw the WAN setting "Prevent client auto DoH" and set to "Yes" assuming that this would block the use of DNS over HTTPS but it has not worked

That only works with implementations that respect the canary domain, such as Firefox when relying on its automatic DoH enabling.

With Chrome, it will check what DNS server you use, and only switch to DoH if those servers do support it. Which is a good compromise iMHO. However users can still manually switch to it, in which case the network administrator will have to fight with it.

 

[bbunge]

Most instructions for DoH use a URL vs. an IP address. Is it possible to blacklist those URL's? Or set up some sort of redirect?

 

[lianthar]

Best you can do is build up a list of known DoH servers (like 1.1.1.1), and block port 443 access to all of these IPs through the firewall.

Good idea - I think this may end up being the most workable soloution. Is anyone maintaining a comprehensive list of IP's for all public DNS servers? Over time it with a bit of crowdsourcing this list of IP's could be complete enough to block all but the most committed person. Then you just choose the DNS server you want to use and whitelist that one from the list.

Another thought I had is why more security/filtering companies are not building up a list of matching IP's for any domains they are blocking and using those in conjunction with DNS based filtering? Surely it wouldn't be hard to do a reverse lookup on all your filtered names and then give customers an IP based filter option totally independent of DNS.

I am kinda torn on this one. As an advocate for privacy from your ISP and Govt I see the value in encrypting DNS. However, as a parent I want the ability to see what my kids are looking at and block anything inappropriate. TBH DNSFilter was one of the killer features that I am using Merlin on my router for. At the moment my kid isn't old enough to have caught on to DoH but I am sure he will google it sooner or later....

 

[lianthar]

Found a pretty good list of all public DNS servers:

Public DNS Server List

Would be nice to have a feature that queries this list daily and then updates a firewall rule to block all access and auto-whitelists any DNS servers you have specified in DNS WAN, DNS DHCP or DNSFilter.

Maybe this could be a new feature for Skynet if Adamm is reading?

 

[RMerlin]

Most instructions for DoH use a URL vs. an IP address. Is it possible to blacklist those URL's? Or set up some sort of redirect?

Reverse lookup these hostnames ,and block the IPs.

 

[john9527]

Most instructions for DoH use a URL vs. an IP address. Is it possible to blacklist those URL's? Or set up some sort of redirect?

Create an ipset with the URLs....

 

[Zastoff]

These lists here seems to get regular updates.
Contains ipv4 & ipv6 DoH lists.
Remember to only block those Ip's on port 443 (if i read it correct. LINK )

 

[lianthar]

I gave this a try last night by importing that list into Skynet. It seems to work ok for those specific IPs but Cloudflare is much more challenging since the 1.1.1.1 and 1.0.0.1 addresses are only pointers to a very large pool of global servers. So depending on where you are located it will redirect the DNS request to a local server. I am not comfortable blocking all Cloudflare ranges since I assume that their server pool is acting as more than just DNS and I may end up blocking other sites that use CLoudflare load balancing. So back to square one for this one. Google seems easier and blocking 8.8.8.8 and 8.8.4.4 seems to stop it being used for DNS.

 

[Zastoff]

I gave this a try last night by importing that list into Skynet. It seems to work ok for those specific IPs but Cloudflare is much more challenging since the 1.1.1.1 and 1.0.0.1 addresses are only pointers to a very large pool of global servers. So depending on where you are located it will redirect the DNS request to a local server. I am not comfortable blocking all Cloudflare ranges since I assume that their server pool is acting as more than just DNS and I may end up blocking other sites that use CLoudflare load balancing. So back to square one for this one. Google seems easier and blocking 8.8.8.8 and 8.8.4.4 seems to stop it being used for DNS.

If i remember correct with 1.1.1.1 Skynet does a cloudflare cdn check and adds to allow-list. (In firewall.sh "Whitelist_CDN" function)
You can try if you use Diversion and add these to Diversion`s block list

cloudflare-dns.com # Block DoH
dns.dns-over-https.com # Block DoH
dns.dnsoverhttps.net # Block DoH
dns.google # Block DoH
dns.rubyfish.cn # Block DoH
dns10.quad9.net # Block DoH
dns9.quad9.net # Block DoH
doh-jp.blahdns.com # Block DoH
doh.captnemo.in # Block DoH
doh.cleanbrowsing.org # Block DoH
doh.crypto.sx # Block DoH
doh.dnswarden.com # Block DoH
doh.powerdns.org # Block DoH
doh.securedns.eu # Block DoH
doh.tiar.app # Block DoH
mozilla.cloudflare-dns.com # Block DoH
dns.nextdns.io # Block DoH

Hope this may help

 

[sbsnb]

I gave this a try last night by importing that list into Skynet. It seems to work ok for those specific IPs but Cloudflare is much more challenging since the 1.1.1.1 and 1.0.0.1 addresses are only pointers to a very large pool of global servers. So depending on where you are located it will redirect the DNS request to a local server.

I'm not aware of a way to cause a client to redirect a request like that at the network layer. How does that work? I'm only aware of layer 3 forwarding, but blocking rules on the client will not affect that.

 

[lianthar]

I'm not aware of a way to cause a client to redirect a request like that at the network layer. How does that work? I'm only aware of layer 3 forwarding, but blocking rules on the client will not affect that.

https://www.cloudflare.com/en-au/learning/dns/what-is-anycast-dns/

 

[lianthar]

Most instructions for DoH use a URL vs. an IP address. Is it possible to blacklist those URL's? Or set up some sort of redirect?

Yes - this works. You are correct all the browser settings for DoH reference a URL. If you block the DNS lookups for those URLs it stops the browser DoH working. I ended up blocking them using my CleanBrowsing paid service (Proxy & VPN category inclded all DoH URLs).

So I would assume this can easily be done with any DNS service if you black list the URLs for DoH. The list that Zastoff kindly provided above would be a good start and add others as needed to your service. I have not tried using Diversion as per Zastoff's suggestion since my CleanBrowsing service is blocking DoH adequately for my needs.

 

[sbsnb]

https://www.cloudflare.com/en-au/learning/dns/what-is-anycast-dns/

The suggestion was that blocking 1.1.1.1 in Skynet doesn't work because Cloudfare uses Anycast to route requests to myriad servers. Anycast is a technique to route packets destined for an IP address to any of multiple servers. It doesn't matter if there are 500 million machines with the IP address 1.1.1.1 in terms of blocking. If you block 1.1.1.1 you will be blocking all 500 million of them.

 

[RMerlin]

The suggestion was that blocking 1.1.1.1 in Skynet doesn't work because Cloudfare uses Anycast to route requests to myriad servers.

It should still work, because your router will try to access 1.1.1.1 first. The multicast routing happens behind the scene beyond that IP, and that IP is only used for DNS, nothing else.

 

[sbsnb]

It should still work, because your router will try to access 1.1.1.1 first. The multicast routing happens behind the scene beyond that IP, and that IP is only used for DNS, nothing else.

Precisely my point. The anycast happens behind Cloudfare's routers. Our router knows nothing of it.

 

[RMerlin]

Precisely my point. The anycast happens behind Cloudfare's routers. Our router knows nothing of it.

Then why wouldn`t that work?

 

[john9527]

Then why wouldn`t that work?

I think you two are in violent agreement

 

[sbsnb]

I think you two are in violent agreement

Yes. There's no way blocking 1.1.1.1 doesn't block every anycast server that answers to that address.

 

[lianthar]

I ran a few tests using: What's My DNS Server?

As bbunge noted above DoH settings in browsers use a URL not an IP address. In the case of Cloudflare the dropdown is labelled - "Cloudflare (1.1.1.1)". This is misleading though since it actually uses the URL: https://chrome.cloudflare-dns.com/dns-query or https://mozilla.cloudflare-dns.com/dns-query. In the case of Cloudflare those domain names will resolve to many different IPs depending on your location and the load on the servers. In my case it currently resolves to: 162.158.1.37 which is part of a large pool of addresses owned by Cloudflare: https://ipinfo.io/AS13335/162.158.0.0/22. I tested Googles DoH URL - https://dns.google/dns-query{?dns} That one (for me) resolves to 172.217.33.2 or next try to 172.253.204.4 so again cycling through a pool of google DNS server addreses. This is manageable in terms of blocking since all you need to do is blacklist the DoH URLs using a DNS filtering service and it will stop DoH from the browser. I have done this with Cleanbrowsing as they have all the DoH URL's included in their VPN/Proxy block category.

Ok so then I also tested by manually setting my DNS server to 1.1.1.1 on my laptop network settings. The What's My DNS Server website gives me exactly the same IP for the responding DNS server as when I used the browser DoH for Cloudflare. So while I am requesting name resolution via 1.1.1.1 - it is still using one of Cloudflare's pool of DNS servers. How this is operating at Layer 3 I'm not sure - is the name resoolution response coming back from 1.1.1.1 or from 162.158.1.37?

Your DNS Server	162.158.1.37
Owner of this server	Cloudflare, Inc.

The "What's My DNS Server" website explains this result:

"Many people configure their computer or router to use a specific DNS server that they prefer (such as Google DNS which is found at 8.8.8.8). The expectation is that the server at 8.8.8.8 provides your DNS services, but that isn't what really happens. If it did, that server would be swamped with requests. Instead, it hands your request off to another server that's part of a large group of servers that it controls. By doing this, no one server will be completely overwhelmed with requests.

The data that's reported here shows the identity of the server that actually processes your requests. You can verify that it's being run by an organization that you trust. We also check the reputation of each server that we report to see if it has been flagged by people for doing questionable things.

This also explains why if you check your DNS server multiple times using this service you'll often receive different IP addresses. This happens because each IP address represents a different server in the "group"."