jpgpi250 / piholemanual

files referred to in my pihole installation manual

Thank You #6

Closed pallebone closed 3 years ago

pallebone commented 3 years ago

Hi there,

Thank you for maintaining this DOH IPv4 list. It is very useful :)

Are there any other lists you are aware of? Also, on your page you say you only block port 443 out to these IPs. I note some DOH providers use a different port, FYI (e.g. dnscrypt.ca is using port 453, see https://dnscrypt.ca/). As a result I just block any traffic to these IPs and make use of a whitelist if required.

These are the IP lists I personally currently use on my firewall:

DNSManualDNSList (manually added IPs): 1.1.1.1, 1.0.0.1, 1.1.1.2, 1.0.0.2, 1.1.1.3, 1.0.0.3, 104.17.64.4, 104.17.65.4
DNSOneoffdallasDohservers: https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt
DNSGreatWall: https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall_ipv4
DNSjpgph: https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt

On Pihole I also block the following: https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall.txt

If you are aware of any further lists it would be helpful to know. I think blocking the DNS names of DOH providers is also useful.

Kind regards,
Peter

jpgpi250 commented 3 years ago

port 453: I've set up my pfsense (recommendation by a pfsense expert on the forum) to block all, then allow only specific ports. The (my) allowed ports are: 21, 22, 25, 53, 80, 110, 123, 443, 465, 547, 587, 993, 995. All other ports are blocked OR allowed with a specific rule for a specific destination (example: allow from pihole to bothouse.pi-hole.net, port 9998 - required to upload the pihole debug log). This works very well for me, and eliminates the need to block generic ports such as 453 (your example) or 853 (DoT). If you want / need to block additional ports, that is up to you; you may want to ask yourself why you permit them in the first place.

DNSOneoffdallasDohservers, DNSGreatWall: The resulting IPs from these lists are included in my consolidated list, no need to add them manually / separately. You can find the lists I use in my doc (http://users.telenet.be/MySQLplaylist/blockDOH.pdf).

Any other lists? No. If I'm made aware of new usable lists, I investigate the content and add them to the list of DOH lists.

1.1.1.1, 1.0.0.1, 1.1.1.2, 1.0.0.2, 1.1.1.3, 1.0.0.3, 104.17.64.4, 104.17.65.4, added by you manually: If you're sure these are DoH servers, please create a GitHub page (preferably in an already known format, such as TheGreatWall.txt) and report the URL to me. I will add the list to the list of lists, eliminating the need to add them manually.

Adding lists to pihole: this does help if the device is using regular DNS (port 53) to find the address of the DoH server; however, devices with hardcoded DoH addresses will not be impacted. I've chosen not to add the DNS names to pihole. It doesn't harm to do this, but it does make diagnosing possible problems (finding exclusions) more difficult...

Thank you for your comment.

pallebone commented 3 years ago

Hi,

"port 453: I've set up my pfsense (recommendation by a pfsense expert on the forum) to block all, then allow only specific ports. The (my) allowed ports are: 21, 22, 25, 53, 80, 110, 123, 443, 465, 547, 587, 993, 995. All other ports are blocked OR allowed with a specific rule for a specific destination (example: allow from pihole to bothouse.pi-hole.net, port 9998 - required to upload the pihole debug log). This works very well for me, and eliminates the need to block generic ports such as 453 (your example) or 853 (DoT). If you want / need to block additional ports, that is up to you; you may want to ask yourself why you permit them in the first place."

Can you link me to this forum post so I can read it?

"1.1.1.1, 1.0.0.1, 1.1.1.2, 1.0.0.2, 1.1.1.3, 1.0.0.3, 104.17.64.4, 104.17.65.4, added by you manually: If you're sure these are DoH servers, please create a GitHub page (preferably in an already known format, such as TheGreatWall.txt) and report the URL to me. I will add the list to the list of lists, eliminating the need to add them manually."

They are commented out at the top of this list: https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt

Thanks for your reply :)

Pete

jpgpi250 commented 3 years ago

"Can you link me to this forum post so I can read it?"

I can no longer find the post (pfsense forum migration to netgate?). I used to set this up (block all, allow specific); however, the pfsense documentation (Firewall Rule Best Practices - https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html) also states this is the best approach:

"A default deny strategy for firewall rules is the best practice. Firewall administrators should configure rules to permit only the bare minimum required traffic for the needs of a network, and let the remaining traffic drop with the default deny rule built into pfSense® software."

WARNING: If you are going to change from default allow to default deny, ensure you enable anti-lockout (System / Advanced / Admin Access) so that you can always access the web interface.

"1.1.1.1, 1.0.0.1, 1.1.1.2, 1.0.0.2, 1.1.1.3, 1.0.0.3, 104.17.64.4, 104.17.65.4: They are commented out at the top of this list"

I'm just consolidating lists, not changing them. If you want these IP addresses to be activated, please open an issue on the GitHub page of oneoffdallas. As soon as he (or another maintainer of a DoH list) lists them as DoH servers, they will be in my consolidated list.
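As an added example (not code from this repository or from either commenter): a small Python script that consolidates DoH IP lists in the one-address-per-line, '#'-comment format of the lists named in this thread. It ignores commented-out entries such as the ones at the top of the oneoffdallas list, drops IPv6, private and malformed entries so a LAN address never ends up in a firewall block alias, and records which list each address came from so exclusions are easier to trace. The list contents below are constructed for the example.

```python
import ipaddress

# Constructed sample lists in the one-address-per-line, '#'-comment format of the
# lists discussed in this issue; the contents are made up for the example.
SAMPLE_LISTS = {
    "listA.txt": (
        "# constructed DoH IP list\n"
        "# entries commented out at the top are NOT active:\n"
        "#1.1.1.1\n"
        "#1.0.0.1\n"
        "9.9.9.9\n"
        "149.112.112.112 # trailing comment\n"
    ),
    "listB.txt": (
        "9.9.9.9\n"                # duplicate across lists
        "104.16.248.249\n"
        "2606:4700:4700::1111\n"   # IPv6, not part of an IPv4 list
        "192.168.1.53\n"           # private address, never block your own LAN
        "not-an-ip\n"
    ),
}

def parse_list(text):
    """Return the set of active, globally routable IPv4 addresses in one list."""
    active = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops full-line and inline comments
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue                           # skip malformed entries, keep going
        if ip.version == 4 and ip.is_global:
            active.add(ip)
    return active

def consolidate(lists):
    """Merge several lists; returns (sorted unique IPs, {ip: [source names]})."""
    origin = {}
    for name, text in lists.items():
        for ip in parse_list(text):
            origin.setdefault(ip, []).append(name)
    merged = sorted(origin)                    # numeric order, not string order
    return [str(ip) for ip in merged], {str(ip): sorted(origin[ip]) for ip in merged}

if __name__ == "__main__":
    ips, origin = consolidate(SAMPLE_LISTS)
    for ip in ips:
        print(ip, "<-", ", ".join(origin[ip]))
```

The resulting list can be pasted into a firewall alias; the origin map answers "which upstream list put this address here?" when a legitimate site turns out to be blocked.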

pallebone commented 3 years ago

Hi,

Thanks for the info on the Firewall Best Practice, I will look into how to make this work on my network. I agree it makes sense and will need implementing.

Regarding the manual IPs - not an issue. I manually add them because oneoffdallas cannot add them due to his use of those specific DNS servers. Manually adding them works fine for me :)

Many thanks again, wish you all the best :)

Laters

Pete