Menu
What's new
By:
Filters Better Search

Stopping DNS over HTTP bypassing DNSFilter

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

As a short addendum I tried pinging the cloudflare DoH URLs. Totally different IPs resolve for this:

Pinging chrome.cloudflare-dns.com [104.18.27.211] with 32 bytes of data:
Reply from 104.18.27.211: bytes=32 time=15ms TTL=58

Pinging mozilla.cloudflare-dns.com [104.16.249.249] with 32 bytes of data:
Reply from 104.16.249.249: bytes=32 time=11ms TTL=58
 
lianthar said:
Ok so then I also tested by manually setting my DNS server to 1.1.1.1 on my laptop network settings. The What's My DNS Server website gives me exactly the same IP for the responding DNS server as when I used the browser DoH for Cloudflare. So while I am requesting name resolution via 1.1.1.1 - it is still using one of Cloudflare's pool of DNS servers. How this is operating at Layer 3 I'm not sure - is the name resoolution response coming back from 1.1.1.1 or from 162.158.1.37?
Click to expand...
It's coming from 1.1.1.1, which can be one of many physical servers. Anycast is treating an IP address like a domain name - as an alias for a particular server or servers. The difference is that the resolution takes place on Cloudfare's routers, not on the client. The client is none the wiser, so blocking 1.1.1.1 blocks the request from ever getting to Cloudfare's routers. The request can't be resolved because it never makes it to Cloudfare.
 
SomeWhereOverTheRainBow said:
Make the router resolve the cname cloudflare-dns.com to a different null ip or simply block it with a dns based solution or block it with skynet.
Click to expand...

Yes - as per my earlier post I am using Cleanbrowsing DNS service to block all the DoH hostnames. I think NextDNS has a similar list but you could easily create your own.
 
lianthar said:
Yes - as per my earlier post I am using Cleanbrowsing DNS service to block all the DoH hostnames. I think NextDNS has a similar list but you could easily create your own.
Click to expand...
Here is the NextDNS list for blocking bypass methods (Encrypted DNS, VPNs, proxies and more)
edit:
Guess NextDNS do not include their own DoT and DoH in this list ;)
Code: 
#NextDNS DoH
dns.nextdns.io

#NextDNS DoT
dns1.nextdns.io
dns2.nextdns.io
This list can not directly be added in Diversion i think
 
Last edited:
you can add it as a domains block list to diversion. or a black list. Here is what i recommend, if you are only trying to control a certain group of devices from using these to circumvent the block list. You could easily add these to an alternate blocking list, and add the devices you want using DNSFilter to that alternate blocking list. For further instructions on how to setup an alternate blocking list with diversion, and how to add clients to it please see diversions website FAQ area. https://diversion.ch/ .@thelonelycoder has an ingenious design for allowing a separate blocklist to control a subset of devices on a given network.
 
Last edited:
I would recommend importing as a blacklist with diversion versus a blocklist simply for skynet/diversion share listing because if skynet doesn't block the associated IP addresses, then it can easily be circumvented with an IP address because diversion is only blocking the FQDN.
 
Zastoff said:
Here is the NextDNS list for blocking bypass methods (Encrypted DNS, VPNs, proxies and more)
edit:
Guess NextDNS do not include their own DoT and DoH in this list ;)
Code: 
#NextDNS DoH
dns.nextdns.io

#NextDNS DoT
dns1.nextdns.io
dns2.nextdns.io
This list can not directly be added in Diversion i think
Click to expand...

Thanks! Here's the Encrypted DNS part of it that you can use directly as a hosted blacklist in Diversion:


I've also blocked 8.8.8.8 and 1.1.1.1 (with secondary) in the UI via https://support.unlocator.com/article/190-how-to-block-google-dns-on-asus-router as I'm using 9.9.9.9 for DoT.
This stopped my Google Nest Hub from working ("check internet connection"), they're insisting on using 8.8.8.8.
Would be cool if skynet had a setting for blocking DoH and DoT.
 
Last edited:
RMerlin said:
Reverse lookup these hostnames ,and block the IPs.
Click to expand...

Diversion (hostnames) and Skynet (IPs) working together (via dedicated blocklists) could be a good solution to block encrypted DNS:

cloudflare-dns.com
dns.cloudflare.com
one.one.one.one
..

1.1.1.1
1.0.0.1
..
 
You must log in or register to reply here.

Similar threads

M
RT-AX86U and DNS Privacy over USB WAN
Replies
0
Views
185
metahome
M
K
DNS Director-No Redirection Question
Replies
11
Views
997
Khadanja
K
Preskitt.man
DNS Assignment - very strange things
Replies
6
Views
453
sfx2000
sfx2000
F
Solved DNS Director AX88U Pro
Replies
8
Views
834
fotingo
F
F
Experiences in Roku vs. Ad-blocking
Replies
5
Views
714
vlord
vlord
Similar threads
Thread starter Title Forum Replies Date
S Solved New ISP - WAN Setup - Will not work with custom WAN DNS - dnsmasq.conf Asuswrt-Merlin 1
T Wireguard Client VPN not using DNS Asuswrt-Merlin 14
Preskitt.man DNS Issue?? AX5800 Pro Issue?? Asuswrt-Merlin 2
H DNS-rebind attack detected: farm.plista.com. etc...?? Asuswrt-Merlin 3
plapic DNS Director Asuswrt-Merlin 7
P DNS Director - Proprietary? Asuswrt-Merlin 6
r000t Hardcoded Google DNS IPTABLES rule Asuswrt-Merlin 6
Panic Button Wireguard client optional DNS Server setting Asuswrt-Merlin 2
M RT-AX86U and DNS Privacy over USB WAN Asuswrt-Merlin 0
V Local system fails to register address with DNS server Asuswrt-Merlin 5

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 838 (members: 18, guests: 820)
Top