IPFire is blocking DoH with the “URL filter settings” but I am not sure how it works if DoH is using “HTTPS” encrypted traffic.
Look at URL filter settings and you will see a checkmark for “doh:” which is usually the case
I don’t use the URL Filter myself, but looking through the page I did not find doh. Then I looked at the University of Toulouse blacklist and saw that it had doh listed, so I am presuming that you have the Toulouse blacklist loaded.
Thinking about the process a bit more, even a DoH packet will still have a destination IP which can be filtered or blocked. So if you have an up-to-date list of all DoH resolvers then you can block them. What you can’t do is filter the web site URLs that are being fed to the DoH resolver. As long as the DoH block list has 100% coverage, the DNS requests can be blocked from being sent out. You are correct with that.
One thing I have noticed is that in the doh lists there are domains listed that also do DoT with no differentiation between the domain for DoH or DoT so that filter might also start blocking the DoT DNS requests from Unbound, although I am not sure about that.
One example is dns.digitale-gesellschaft.ch, which is listed in the Toulouse doh list but is also the hostname to use for DNS over TLS in IPFire.
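A quick way to check a DoH domain list for the DoT overlap described above, as an added example (not code from the thread or from IPFire): the blocklist and the DoT hostnames are constructed samples, and it assumes the URL filter’s domain lists match a domain and all of its subdomains, as squidGuard-style lists do.

```python
# Constructed sample of a "doh" domains file in the shape the URL filter
# consumes: one domain per line, comments and blank lines allowed.
# Assumption: squidGuard-style domain lists match the domain and every
# subdomain under it. This is NOT the real Toulouse list.
DOH_BLOCKLIST = """\
# doh resolvers (constructed sample)
dns.digitale-gesellschaft.ch
cloudflare-dns.com

example-resolver.test
"""

# Constructed sample of DoT upstream hostnames (TLS names) a user might
# have configured for Unbound; not taken from any real IPFire config.
DOT_HOSTNAMES = [
    "dns.digitale-gesellschaft.ch",
    "dot.example-resolver.test",
    "resolver.example.net.",
]

def normalize(name: str) -> str:
    """Lower-case a hostname and strip the trailing dot."""
    return name.strip().lower().rstrip(".")

def parse_domain_list(text: str) -> set[str]:
    """Parse a domains file, skipping comments and blank lines."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(normalize(line))
    return domains

def is_blocked(hostname: str, blocked: set[str]) -> bool:
    """True if hostname equals a blocked domain or lies under one."""
    labels = normalize(hostname).split(".")
    # check the host itself, then each parent domain (a.b.c -> b.c -> c)
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def dot_collisions(blocklist_text: str, dot_hosts: list[str]) -> list[str]:
    """Return the DoT hostnames the DoH blocklist would also cover."""
    blocked = parse_domain_list(blocklist_text)
    return sorted(normalize(h) for h in dot_hosts if is_blocked(h, blocked))

if __name__ == "__main__":
    for host in dot_collisions(DOH_BLOCKLIST, DOT_HOSTNAMES):
        print(f"DoT resolver {host} is also covered by the DoH blocklist")
```

Any hostname it reports should be reviewed before the list is enabled, since Unbound would lose that upstream once the filter is active.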
Well, I think at this stage of the discussion there should be a step back to discuss the strategy.
There is always a trade-off between blocking traffic in the firewall and/or on the client.
For me, blocking traffic in the firewall should be only for safety purposes, which are relevant to all users.
Blocking traffic at the browser level on the client is more for annoyance purposes. I am aware that with individual blocking the work goes up compared to a centralized solution. On the other hand, customer annoyance from over-blocking shrinks.
Personally, I take care of all security-relevant blocking in the firewall, and for ad blocking I use uBlock Origin in the browser. For PCs this works fine, but unfortunately not for Android etc.
One should not overload a firewall and make it too complicated; so my personal point of view.