AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0
25.49k stars 1.83k forks

[Feature request] Block DoH #1614

Closed lordraiden closed 4 years ago

lordraiden commented 4 years ago

Although I guess this could be achieved with DNS rewrites, it could be nice to have an out-of-the-box checkbox to implement this.

As is written here https://github.com/bambenek/block-doh

I guess implementing all these DNS rewrites would do the trick: https://github.com/bambenek/block-doh/blob/master/db.doh-redirect

dns.google    CNAME   AdGuardDNS_Server
cloudflare-dns.com    CNAME   AdGuardDNS_Server
dns9.quad9.net    CNAME   AdGuardDNS_Server
dns10.quad9.net    CNAME   AdGuardDNS_Server
doh.cleanbrowsing.org    CNAME   AdGuardDNS_Server
dns.dnsoverhttps.net    CNAME   AdGuardDNS_Server
doh.crypto.sx    CNAME   AdGuardDNS_Server
doh.powerdns.org    CNAME   AdGuardDNS_Server
doh-jp.blahdns.com    CNAME   AdGuardDNS_Server
dns.dns-over-https.com    CNAME   AdGuardDNS_Server
doh.securedns.eu    CNAME   AdGuardDNS_Server
dns.rubyfish.cn    CNAME   AdGuardDNS_Server
doh.dnswarden.com    CNAME   AdGuardDNS_Server
doh.captnemo.in    CNAME   AdGuardDNS_Server
doh.tiar.app    CNAME   AdGuardDNS_Server

Why would I want to block DoH? https://github.com/bambenek/block-doh#why-would-i-want-to-block-doh

ameshkov commented 4 years ago

Redirecting DOH servers to AdGuard makes no sense because our server has a different certificate.

What you want to do is simply to add this list to your DNS blocklists in AdGuard Home: https://raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt

lordraiden commented 4 years ago

> Redirecting DOH servers to AdGuard makes no sense because our server has a different certificate.
>
> What you want to do is simply to add this list to your DNS blocklists in AdGuard Home: https://raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt

Ok, I understand. Anyway, you could make this list available, officially maintain it and facilitate its deployment with just a checkbox.

I think it is a pretty important issue, so everyone should be able to easily block a tech that makes AdGuard Home totally useless because it can bypass it.

Aikatsui commented 4 years ago

Block Bypass Methods

https://github.com/AdguardTeam/AdGuardHome/issues/1446#issue-574168506

ameshkov commented 4 years ago

> Ok, I understand. Anyway, you could make this list available, officially maintain it and facilitate its deployment with just a checkbox.

We could add it to the list of available filter lists: #1325

We would like to avoid maintaining it by ourselves, though.

Aikatsui commented 4 years ago

> We could add it to the list of available filter lists: #1325
>
> We would like to avoid maintaining it by ourselves, though.

That's only some. If added, then AG needs to maintain it.

lordraiden commented 4 years ago

@ameshkov I think it is a pretty easy list to maintain; it could even be updated just with the user feedback. The list of bambenek is fine but doesn't look like it is updated, and I think this is an important feature since it can bypass Adguard Home security

ameshkov commented 4 years ago

> and I think this is an important feature since it can bypass Adguard Home security

I just don't think this can be a viable solution. The only way to truly control the network is proxy-level filtering anyway.

lordraiden commented 4 years ago

> > and I think this is an important feature since it can bypass Adguard Home security
>
> I just don't think this can be a viable solution. The only way to truly control the network is proxy-level filtering anyway.

@ameshkov

It is better than nothing and it can be implemented in 5 mins.

For Firefox: "use-application-dns.net"

https://isc.sans.edu/forums/diary/Blocking+Firefox+DoH+with+Bind/25316

https://www.reddit.com/r/pfBlockerNG/comments/gf0jnp/dnsbl_safesearch_firefox_doh_blocking_how_does_it/

Please don't close it and reconsider this

ameshkov commented 4 years ago

> For Firefox: "use-application-dns.net"

We do handle it as Firefox suggests; there's no need for an additional filter list for that.
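
One way to verify the canary-domain handling mentioned in the last comment, as an added example that is not part of the thread or of AdGuard Home's code. It assumes Mozilla's documented rule that Firefox leaves default DoH off when `use-application-dns.net` returns a non-NOERROR code, or NOERROR with no A/AAAA records; the function names and the sample response builder are constructed for illustration.

```python
import socket
import struct

CANARY = "use-application-dns.net"  # Firefox canary domain named in the thread

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query with RD set; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n

def canary_disables_doh(response):
    """True if this answer tells Firefox to keep default DoH off."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F:            # NXDOMAIN, SERVFAIL, REFUSED, ...
        return True
    off = 12
    for _ in range(qd):           # skip the echoed question section
        off = skip_name(response, off) + 4
    for _ in range(an):
        off = skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        if rtype in (1, 28):      # an A or AAAA record means "no signal"
            return False
        off += 10 + rdlen
    return True                   # NOERROR without A/AAAA

def make_response(query, rcode, a_record=None):
    """Constructed sample response (not a capture) for offline checks."""
    ans = b""
    if a_record:
        ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a_record)
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if a_record else 0, 0, 0)
    return hdr + query[12:] + ans

def check_resolver(ip, timeout=3.0):
    """Ask the resolver at ip (e.g. your AdGuard Home host) over UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY), (ip, 53))
        return canary_disables_doh(s.recv(512))
```

`check_resolver` returning `False` for your own resolver means Firefox clients on that network may enable DoH by default and bypass DNS-level filtering.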