hagezi / dns-blocklists

DNS-Blocklists: For a better internet - keep the internet clean!
GNU General Public License v3.0
5.83k stars, 200 forks

DNS resolver blocklists #3290

Closed mvevitsis closed 1 month ago

mvevitsis commented 1 month ago

To ensure the bootstrap is your DNS server you must redirect or block standard DNS outbound (TCP/UDP 53) and block all DNS over TLS (TCP 853) outbound.

Wouldn't it be best to block UDP for 853 as well (DoQ)?

hagezi commented 1 month ago

Yes, that's missing from the text.

mvevitsis commented 1 month ago

Also might want a warning with the DoH IP blocklist that Quad9 can use port 5053 instead of 443.

hagezi commented 1 month ago

fixed in next release
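The two points raised in this thread (block UDP 853 for DoQ alongside TCP 853 for DoT, and do not assume DoH is only on 443 because Quad9 also serves it on 5053) are easy to get wrong in a firewall. The script below is an added example written for this page, not code from the hagezi project or its README. It generates an nftables ruleset that redirects plain DNS (TCP/UDP 53) from LAN clients to the local resolver, rejects TCP and UDP 853, and rejects traffic to DoH addresses on both 443 and 5053 over TCP and UDP (UDP 443 covers DoH over HTTP/3). The interface name `br-lan`, the resolver address `192.168.1.1`, the set name `doh_ipv4` and the table name `dnsguard` are assumptions; the set is left empty so you populate it from the DoH IP blocklist yourself.

```shell
#!/bin/sh
# Generate an nftables ruleset that forces LAN clients onto the local resolver.
# Added example for this thread; not part of the hagezi/dns-blocklists project.
# Assumed values (override via environment): LAN interface, resolver IP.
LAN_IF="${LAN_IF:-br-lan}"               # assumption: LAN bridge name
RESOLVER_IP="${RESOLVER_IP:-192.168.1.1}" # assumption: local DNS resolver

gen_dns_ruleset() {
  cat <<EOF
table inet dnsguard {
  # Fill this set from the DoH IP blocklist; left empty here on purpose.
  set doh_ipv4 {
    type ipv4_addr
    flags interval
  }

  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Plain DNS: send anything not already aimed at our resolver to it.
    iifname "$LAN_IF" ip daddr != $RESOLVER_IP tcp dport 53 dnat ip to $RESOLVER_IP
    iifname "$LAN_IF" ip daddr != $RESOLVER_IP udp dport 53 dnat ip to $RESOLVER_IP
  }

  chain forward {
    type filter hook forward priority filter; policy accept;
    # DoT is TCP 853; DoQ (RFC 9250) is UDP 853. Both must be rejected.
    iifname "$LAN_IF" tcp dport 853 reject with tcp reset
    iifname "$LAN_IF" udp dport 853 reject
    # DoH: block the listed IPs on 443 and on 5053 (Quad9 also listens there).
    # UDP 443 catches DoH carried over HTTP/3.
    iifname "$LAN_IF" ip daddr @doh_ipv4 tcp dport { 443, 5053 } reject with tcp reset
    iifname "$LAN_IF" ip daddr @doh_ipv4 udp dport { 443, 5053 } reject
  }
}
EOF
}

# Sanity check before loading: every port the thread mentions must be covered.
# Returns 0 when all expected rules are present, 1 otherwise.
check_dns_ruleset() {
  rules="$(gen_dns_ruleset)"
  for needle in 'tcp dport 53 dnat' 'udp dport 53 dnat' \
                'tcp dport 853 reject' 'udp dport 853 reject' \
                'tcp dport { 443, 5053 }' 'udp dport { 443, 5053 }'; do
    printf '%s\n' "$rules" | grep -q -- "$needle" || return 1
  done
  return 0
}

# Usage: ./dnsguard.sh print > /etc/nftables.d/dnsguard.nft
#        nft -c -f /etc/nftables.d/dnsguard.nft   (syntax check, loads nothing)
#        nft -f /etc/nftables.d/dnsguard.nft
case "${1:-}" in
  print) check_dns_ruleset && gen_dns_ruleset ;;
esac
```

Note that the forward chain only catches routed traffic; if the router itself runs a stub resolver that could be reconfigured for DoT or DoQ, add the same 853 rules to an output chain as well. Rejecting rather than dropping makes clients fail over to the redirected port 53 path faster.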