crypt0rr / public-doh-servers

A simple list with public DNS-over-HTTPS (DOH) providers so you can easily block them.
MIT License

Are DoH IP-addresses used for other services as well? #12

Closed MartinH80 closed 2 months ago

MartinH80 commented 4 months ago

I'm using the provided lists (thanks btw!) on my OPNsense firewall to block access from my local network to any dns-over-https server.

Now I ran into an issue with e.g. https://discourse.pi-hole.net.

The first GET is successful. The following requests fail as the connection is blocked by the firewall. The resolved IP-addresses are on the blocklist.

My browser is Firefox v125 with 'DNS over HTTPS' set to 'off'.

Is Cloudflare using the same IP-addresses for its DoH servers and for other services (ddos protection/load-balancing/..) or can they trick Firefox to do a DoH request even if it is told not to?

crypt0rr commented 4 months ago

Hi, I tried to reproduce the issue but was not able to. The URL is hosted in AWS (52.14.183.198); this is not on the blocklist as it stands.

Any specific other things that I can have a look at to reproduce the issue for you?

MartinH80 commented 4 months ago

Hi, thanks for having a look into this. Maybe I should have been more specific on this.

The main page is at discourse.pi-hole.net, but when the page loads it also calls discourse-cdn.pi-hole.net. This domain resolves to 84.17.46.53 and 84.17.46.49.

Note: I only did 3 lookups, to google dns, quad9 and cloudflare. There might be more ip-addresses for this domain.

These IP-addresses are here on the blocklist.

I can't find the source anymore, but I did read a blog post last week somewhere that was explaining exactly the same issue. There doesn't seem to be a perfect solution that always works.

I was asking myself if using dns-over-https requires a traditional dns call on port 53 first to resolve the doh-server ip-address. Obviously you need the ip-address somehow, but the larger parties such as Google could just hardcode these in their software. I asked ChatGPT on this. It confirms that a traditional dns query might be required, but that it is not necessarily. So blocking these on my pi-hole won't work either.

So I conclude as well: mixing traditional https and dns queries (which are not hypertext) was a bad idea for these kinds of use cases. My home network is quite overengineered already and I don't want to do https inspection in the firewall and distribute certificates to all my devices.

What do you think about this situation?

crypt0rr commented 4 months ago

I don't have a direct fix for this either. Just validated that these IPs are indeed offering DoH; they do.
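One way to carry out the kind of validation the maintainer mentions, that an address on the blocklist really answers DoH, is to speak RFC 8484 to it directly: POST a wire-format DNS query to `/dns-query` with `Content-Type: application/dns-message` and parse the wire-format answer. The code below is an added example, not part of this repository; it assumes the RFC 8484 POST form on port 443, that the caller supplies the hostname to present in TLS SNI and the Host header (the certificate is verified against it), and that the server replies with `Content-Length` rather than chunked encoding.

```python
import socket
import ssl
import struct

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """RFC 1035 wire-format query for `name` (A record by default); txid 0, RD set, per RFC 8484."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # QCLASS IN

def _skip_name(msg: bytes, off: int) -> int:
    # Advance past a name: label sequence, or 2-byte compression pointer (RFC 1035 4.1.4)
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg: bytes) -> list[str]:
    """IPv4 addresses from the answer section; [] on a non-zero RCODE (e.g. NXDOMAIN)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                         # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

def probe_doh(ip: str, sni: str, name: str = "example.com", timeout: float = 5.0) -> list[str]:
    """POST a DoH query to https://<ip>/dns-query, presenting `sni` for TLS and Host; raises on failure."""
    body = build_dns_query(name)
    req = (f"POST /dns-query HTTP/1.1\r\nHost: {sni}\r\nAccept: application/dns-message\r\n"
           f"Content-Type: application/dns-message\r\nContent-Length: {len(body)}\r\n"
           "Connection: close\r\n\r\n").encode() + body
    ctx = ssl.create_default_context()                         # certificate is checked against `sni`
    with socket.create_connection((ip, 443), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=sni) as tls:
        tls.sendall(req)
        resp = b"".join(iter(lambda: tls.recv(4096), b""))      # read to EOF (Connection: close)
    head, _, payload = resp.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/1.1 200"):
        raise RuntimeError(head.split(b"\r\n", 1)[0].decode(errors="replace"))
    return parse_a_records(payload)                            # assumes Content-Length, not chunked
```

A TLS or HTTP error from `probe_doh` means the address did not answer as a DoH endpoint under that name, while a non-empty list confirms it did; the same query body is what a browser with DoH enabled would send, which is why nothing short of TLS inspection tells it apart from ordinary HTTPS on the wire.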