Although I guess this could be achieved with DNS rewrites, it could be nice to have an out-of-the-box checkbox to implement this.
As is written here https://github.com/bambenek/block-doh
I guess implementing all these DNS rewrites would do the trick
https://github.com/bambenek/block-doh/blob/master/db.doh-redirect
dns.google CNAME AdGuardDNS_Server
cloudflare-dns.com CNAME AdGuardDNS_Server
dns9.quad9.net CNAME AdGuardDNS_Server
dns10.quad9.net CNAME AdGuardDNS_Server
doh.cleanbrowsing.org CNAME AdGuardDNS_Server
dns.dnsoverhttps.net CNAME AdGuardDNS_Server
doh.crypto.sx CNAME AdGuardDNS_Server
doh.powerdns.org CNAME AdGuardDNS_Server
doh-jp.blahdns.com CNAME AdGuardDNS_Server
dns.dns-over-https.com CNAME AdGuardDNS_Server
doh.securedns.eu CNAME AdGuardDNS_Server
dns.rubyfish.cn CNAME AdGuardDNS_Server
doh.dnswarden.com CNAME AdGuardDNS_Server
doh.captnemo.in CNAME AdGuardDNS_Server
doh.tiar.app CNAME AdGuardDNS_Server
Why would I want to block DoH?
https://github.com/bambenek/block-doh#why-would-i-want-to-block-doh
Redirecting DOH servers to AdGuard makes no sense because our server has a different certificate.
What you want to do is simply to add this list to your DNS blocklists in AdGuard Home:
https://raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt
Ok, I understand. Anyway, you could make this list available, officially maintain it, and facilitate its deployment with just a checkbox.
I think it is a pretty important issue, so everyone should be able to easily block a tech that makes AdGuard Home totally useless because it can bypass it.
Block Bypass Methods
https://github.com/AdguardTeam/AdGuardHome/issues/1446#issue-574168506
> Ok, I understand. Anyway, you could make this list available, officially maintain it, and facilitate its deployment with just a checkbox.
We could add it to the list of available filter lists: #1325
We would like to avoid maintaining it by ourselves, though.
That's only some. If it is added, then AG needs to maintain it.
@ameshkov I think it is a pretty easy list to maintain; it could even be updated just with user feedback.
The bambenek list is fine, but it doesn't look like it is updated, and I think this is an important feature since it can bypass AdGuard Home security
> and I think this is an important feature since it can bypass AdGuard Home security
I just don't think this can be a viable solution. The only way to truly control the network is proxy-level filtering anyway.
@ameshkov
It is better than nothing and it can be implemented in 5 mins
For Firefox "use-application-dns.net"
https://isc.sans.edu/forums/diary/Blocking+Firefox+DoH+with+Bind/25316
Please don't close it and reconsider this
> For Firefox "use-application-dns.net"

We do handle it as Firefox suggests; there's no need for an additional filter list for that.
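
An added example, not part of the thread or of AdGuard Home: a check, run from a client, that the resolver really blocks the DoH hostnames on a blocklist and that the Firefox canary domain gets an empty answer. The list format (one name per line or hosts-style), the sinkhole addresses, and all function names are assumptions; the sample list and stub answers are constructed.

```python
import socket

CANARY = "use-application-dns.net"  # Firefox canary domain named in the thread
SINKHOLE = {"0.0.0.0", "::"}        # assumption: blocked names resolve to these or to nothing

def parse_hosts(text):
    """Hostnames from a list with one name per line or hosts-style 'IP name' lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            names.append(line.split()[-1].lower().rstrip("."))
    return names

def system_resolve(name):
    """Addresses from the OS resolver; [] on any resolution failure (NXDOMAIN included)."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def audit(names, resolve=system_resolve):
    """Map each DoH hostname to True when it gets no address or only sinkhole addresses."""
    return {n: all(a in SINKHOLE for a in resolve(n)) for n in names}

def canary_signalled(resolve=system_resolve):
    """The canary must return no address at all; a sinkhole A record is still an answer."""
    return resolve(CANARY) == []

# Constructed sample list and stub resolver so the example runs offline.
SAMPLE_LIST = """# constructed sample, not the real doh-hosts.txt
dns.google
0.0.0.0 cloudflare-dns.com
doh.powerdns.org
"""
STUB = {"dns.google": ["0.0.0.0"], "cloudflare-dns.com": [],
        "doh.powerdns.org": ["192.0.2.53"], CANARY: ["0.0.0.0"]}

def stub_resolve(name):
    return STUB.get(name, [])

if __name__ == "__main__":
    for name, blocked in audit(parse_hosts(SAMPLE_LIST), stub_resolve).items():
        print(f"{'blocked' if blocked else 'NOT BLOCKED':12} {name}")
    print("canary signal:", canary_signalled(stub_resolve))
```

Calling `audit` and `canary_signalled` without a `resolve` argument uses the operating system's resolver, so the result reflects whatever DNS server the client is actually configured to use.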