DoHblock - Blocking DNS over HTTPS via RPZ

Continuing the discussion from:

I read through many of the PDFs from jpgpi250 and I really like this one for DoH blocking:
https://github.com/jpgpi250/piholemanual/blob/master/doc/Unbound%20response%20policy%20zones.pdf

This looks like it will block DoH servers and (this is the best part) the DoH rpz list is updated almost every day. I think RPZ (i.e., Unbound’s Response Policy Zones) will solve the issues found when running it as a blocklist.

So I gave it a try. RPZ on an IPFire device is easy to set up, activate and use:

Note
• All of the info below came from jpgpi250’s PDF and from experiments while using RPZ on IPFire.
• For the most part I followed the steps in the PDF but some instructions changed to fit within IPFire.
Please experiment on your test IPFire system and not on a production system.
Keep in mind this will block DoH servers you may want to access (e.g., doh.dns.apple.com or mozilla.cloudflare-dns.com).

1. Set-up

A new directory is needed. Enter the command:

mkdir -v -p -m755 /etc/unbound/zonefiles

Now edit a new configuration file:

nano /etc/unbound/local.d/doh.conf

And add these lines:

server:
	module-config: "respip validator iterator"

rpz:
	name: doh
	zonefile: zonefiles/doh.zone
	url: https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOH.rpz
	rpz-action-override: nxdomain
	rpz-log: yes
	rpz-log-name: doh

Exit `nano` and save the file.

Quick test

To check for issues in the config file, run the command on IPFire:

unbound-checkconf

2. Activate

Restart unbound to load config file:

/etc/init.d/unbound restart

3. Test

  1. Pick a DNS server from the DOH.rpz list and run this command on a computer connected to IPFire’s local GREEN or BLUE network:

    dig 1111.cloudflare-dns.com | grep status
    
  2. Look for status: NXDOMAIN (this is good!):

    $ dig 1111.cloudflare-dns.com | grep status
    
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10004
    
  3. Look for this in the IPFire message log:

    ipfire unbound: [12639:0] info: rpz: applied [doh] mozilla.cloudflare-dns.com. rpz-nxdomain 192.168.60.2@55807 mozilla.cloudflare-dns.com. A IN

Monitoring on IPFire

grep rpz /var/log/messages
#    -or-
tail -f /var/log/messages | grep -i rpz

FAQs

  1. How often does RPZ update?
    • per jpgpi250’s PDF the zone file is updated every 5 minutes.
      • This means the DOH.rpz file is downloaded fairly often (too often for me!)
      • I do not know of a way to change this to once per day.
      • But I do have a method to download the DOH.rpz file once per day and move DOH.rpz to the zonefile directory.
    • The DOH.rpz file is updated per an SOA line. DOH.rpz updates once a day per the SOA line and its refresh number.
  2. Does anything need to restart to get a new update?
    • Yes, for a change to the doh.conf config file (see above)
    • No, not for the RPZ zone files
  3. What “bad” can happen from enabling DoHblock?
    • There will be LOTS of messages like this in the message log:
    Sep  4 20:01:32 ipfire unbound: [12639:0] info: rpz: applied [doh] doh.dns.apple.com. rpz-nxdomain 192.168.60.2@40360 doh.dns.apple.com. HTTPS IN
    ...
    Sep 5 09:38:35 ipfire unbound: [12639:0] info: rpz: applied [doh] mozilla.cloudflare-dns.com. rpz-nxdomain 192.168.60.2@34446 mozilla.cloudflare-dns.com. A IN
    
    • On Apple iOS / Mac OS: I know this stops Apple’s Private Relay and maybe Apple’s Limit IP Address Tracking.
    • On a Firefox browser: This stops Firefox’s DoH via Cloudflare.
    • Android probably has something similar…

And I am still learning… And more changes coming…


EDIT: I made a few mistakes above concerning RPZ refreshing…

1 Like

EDIT: The items below are NOT needed for DOH.rpz. Something similar might be needed for an allowlist.

To update the RPZ file only once per day:

  1. Edit a new script file:

    nano /etc/fcron.daily/get_doh_rpz.sh
    
  2. And add these lines:

    #!/bin/sh
    theURL="https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOH.rpz"
    # download the new file; --fail keeps an HTTP error page from being saved as the zone file
    /usr/bin/curl --silent --fail "${theURL}" -o /etc/unbound/zonefiles/doh.rpz
    
  3. Make the script executable:

    chmod -v a+x /etc/fcron.daily/get_doh_rpz.sh
    
  4. Launch it to make sure it works and to download the first doh.rpz file!

    /etc/fcron.daily/get_doh_rpz.sh
    
  5. Now update the configuration file:

    nano /etc/unbound/local.d/doh.conf
    
  6. It should look like this:

    server:
    	module-config: "respip validator iterator"
    
    rpz:
    	name: doh
    	zonefile: /etc/unbound/zonefiles/doh.rpz
    	rpz-action-override: nxdomain
    	rpz-log: yes
    	rpz-log-name: doh
    
  7. To check for issues in the config file, run the command on IPFire:

    unbound-checkconf
    
  8. Restart unbound to load the recently changed config file:

    /etc/init.d/unbound restart
    

Now test it (as above) and monitor the message file.


EDIT: The items above are NOT needed for DOH.rpz. Something similar might be needed for an allowlist.

5 Likes
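An added example (my own, not the script from the post above) of the same once-a-day download, written the way I would run it from /etc/fcron.daily: the download lands in a temporary file, is sanity-checked, and only then replaces the live zone file, so a failed or empty download never wipes the zone Unbound is serving. The zone contents used in the offline demonstration are constructed, not the real DOH.rpz; the validity check assumes the list keeps the `name CNAME .` rule form shown in the thread, and the `unbound-control auth_zone_reload` line in the comments is an assumption about reloading RPZ zones, not something the post describes.

```shell
#!/bin/sh
# Added example, not the script from the post above. Same job (fetch DOH.rpz
# once a day into /etc/unbound/zonefiles), but the download lands in a temporary
# file, is sanity-checked, and only then replaces the live zone file.
ZONE_URL="https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOH.rpz"
ZONE_FILE="${ZONE_FILE:-/etc/unbound/zonefiles/doh.rpz}"

# Accept a candidate only if it is non-empty, has an SOA record and contains at
# least one "name CNAME ." rule (the rule form shown in the thread). Assumption:
# the list keeps using that rule form.
zone_looks_valid() {
    [ -s "$1" ] || return 1
    grep -Eq '[[:space:]]SOA[[:space:]]' "$1" || return 1
    grep -Eq '^[^;[:space:]]+[[:space:]]+(IN[[:space:]]+)?CNAME[[:space:]]+\.[[:space:]]*$' "$1" || return 1
}

# Move the candidate over the target only when it is valid and actually differs.
# Prints installed / unchanged / rejected; exit status is 1 only for rejected.
install_zone() {
    candidate="$1"; target="$2"
    if ! zone_looks_valid "$candidate"; then
        rm -f "$candidate"
        echo rejected
        return 1
    fi
    if [ -f "$target" ] && cmp -s "$candidate" "$target"; then
        rm -f "$candidate"
        echo unchanged
        return 0
    fi
    chmod 644 "$candidate"
    mv -f "$candidate" "$target"      # rename within one filesystem is atomic
    echo installed
}

# Daily entry point for /etc/fcron.daily (needs network; not run in the demo).
update_doh_rpz() {
    tmp="$(mktemp "$(dirname "$ZONE_FILE")/doh.rpz.XXXXXX")" || return 1
    # --fail: an HTTP error returns non-zero instead of saving the error page as a zone
    if ! curl --silent --show-error --fail "$ZONE_URL" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    status="$(install_zone "$tmp" "$ZONE_FILE")" || return 1
    # The post restarts Unbound after a change. With remote control enabled,
    # "unbound-control auth_zone_reload doh" re-reads the file instead (assumed
    # to cover RPZ zones, which Unbound loads as auth zones).
    echo "$status"
}

# Offline demonstration on constructed zone contents (not the real DOH.rpz).
GOOD_ZONE='$TTL 300
@ SOA localhost. root.localhost. 1 300 300 300 300
@ NS localhost.
doh.dns.apple.com CNAME .
mozilla.cloudflare-dns.com CNAME .
'
run_demo() {
    d="$(mktemp -d)"
    printf '%s' "$GOOD_ZONE" > "$d/cand"
    r1="$(install_zone "$d/cand" "$d/doh.rpz")"                  # first install
    printf '%s' "$GOOD_ZONE" > "$d/cand"
    r2="$(install_zone "$d/cand" "$d/doh.rpz")"                  # identical content
    printf '<html>404 Not Found</html>\n' > "$d/cand"            # what a bad download looks like
    r3="$(install_zone "$d/cand" "$d/doh.rpz" || true)"          # rejected, live zone untouched
    if [ -f "$d/doh.rpz" ]; then r4=kept; else r4=lost; fi
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}
run_demo   # prints: installed unchanged rejected kept
```

Drop this into /etc/fcron.daily with a final line calling `update_doh_rpz` and it replaces the two-line curl script. The point of the temp-file dance is the failure case in the demo: an HTML error page is rejected and the zone that Unbound already loaded stays on disk.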

Excellent job Jon!!

DoH servers blocked: view stats with this command:

EDIT: removed cat command line

[root@ipfire ~] # grep -F '[doh]' /var/log/messages | grep -Eo '([a-zA-Z0-9-]{0,62}[a-zA-Z0-9]\.)+[a-zA-Z]{2,63}' | sort | uniq -c | sort -k1,1nr -k2,2
   4286 mozilla.cloudflare-dns.com
   2252 doh.dns.apple.com
   1104 mask-api.icloud.com
      6 1111.cloudflare-dns.com
      2 cloudflare-dns.com
[root@ipfire ~] # 
1 Like
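An added example (my own, not Jon’s monitoring commands or the grep pipeline above): a POSIX sh/awk summary of the `rpz: applied` lines that the Test, Monitoring and FAQ sections show. It parses the fixed field layout of the line (zone, matched name, action, client@port, qname, qtype) rather than regex-scraping every domain-looking token, so each blocked query counts once even though the name appears twice per line, and it adds a per-client view, which is what you want when deciding which devices are trying to use DoH. The log lines are constructed samples; the client addresses and ports are made up.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise Unbound rpz log
# lines. The sample lines are constructed; addresses and ports are made up.
SAMPLE_LOG='Sep  4 20:01:32 ipfire unbound: [12639:0] info: rpz: applied [doh] doh.dns.apple.com. rpz-nxdomain 192.168.60.2@40360 doh.dns.apple.com. HTTPS IN
Sep  4 20:01:33 ipfire unbound: [12639:0] info: rpz: applied [doh] mozilla.cloudflare-dns.com. rpz-nxdomain 192.168.60.2@34446 mozilla.cloudflare-dns.com. A IN
Sep  4 20:01:40 ipfire unbound: [12639:0] info: rpz: applied [doh] mozilla.cloudflare-dns.com. rpz-nxdomain 192.168.60.7@51000 mozilla.cloudflare-dns.com. AAAA IN
Sep  4 20:02:01 ipfire unbound: [12639:0] info: rpz: applied [doh] doh.dns.apple.com. rpz-nxdomain 192.168.60.7@51001 doh.dns.apple.com. A IN
Sep  4 20:02:05 ipfire unbound: [12639:0] info: rpz: applied [doh] mask-api.icloud.com. rpz-nxdomain 192.168.60.2@40361 mask-api.icloud.com. A IN
Sep  4 20:02:09 ipfire unbound: [12639:0] info: rpz: applied [doh] mozilla.cloudflare-dns.com. rpz-nxdomain 192.168.60.2@34450 mozilla.cloudflare-dns.com. A IN
Sep  4 20:02:10 ipfire unbound: [12639:0] info: start of service (constructed noise line mentioning rpz)'

# One "domain count" line per blocked name, busiest first. Only lines of the
# form "rpz: applied [zone] <name> <action> <client>@<port> <qname> <qtype> IN"
# are counted; each log line counts once even though the name appears twice.
rpz_blocked_domains() {
    awk '
        index($0, "rpz: applied [") > 0 {
            for (i = 1; i <= NF; i++) if ($i == "applied") break
            name = $(i + 2); sub(/\.$/, "", name)   # strip the trailing root dot
            count[name]++
        }
        END { for (n in count) print n, count[n] }
    ' | sort -k2,2nr -k1,1
}

# One "client count" line per GREEN/BLUE client that hit the RPZ.
rpz_blocked_clients() {
    awk '
        index($0, "rpz: applied [") > 0 {
            for (i = 1; i <= NF; i++) if ($i == "applied") break
            split($(i + 4), c, "@")                # "192.168.60.2@40360" -> address
            count[c[1]]++
        }
        END { for (n in count) print n, count[n] }
    ' | sort -k2,2nr -k1,1
}

# Wrappers over the constructed sample so the example runs offline.
sample_domains() { printf '%s\n' "$SAMPLE_LOG" | rpz_blocked_domains; }
sample_clients() { printf '%s\n' "$SAMPLE_LOG" | rpz_blocked_clients; }

# On IPFire, run the same functions over the real log:
#   rpz_blocked_domains < /var/log/messages
#   rpz_blocked_clients < /var/log/messages
sample_domains
sample_clients
```

The per-client list is the one worth watching over time: a client that keeps hitting the RPZ after the NXDOMAIN is an application that retries DoH rather than falling back to the system resolver, which is the case to look at before rolling this out beyond a test box.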

@peppetech and all others,

Can someone give this a try?

If there is interest (and if the IPFire developers approve), I think I can turn this into an add-on.

4 Likes

I had to download manually,

https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOH.rpz

the domain was N/A, ironically,
but now IPFire is able to download using the silent sh script.

Works well now. Will keep reporting back.

FYI - I found two ways to do an “allowlist” for DoH (your favorite DoH server in a list that you cannot live without).

The first is “hacky” and adds a semicolon before the domain name. It changes this:

doh.dns.apple.com CNAME .

to this:

;doh.dns.apple.com CNAME .

and that allows the DoH server to work as usual.

And the second creates an allowlist with a similar format to this:
https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOH.rpz

My test allowlist is only two domains long.

I still need to finish scripting the second one.

Is this (either of the above) helpful to anyone?

1 Like
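An added example (my own, not Jon’s allowlist scripts) of both approaches from the post above. The first function comments out the matching rule lines in a downloaded list, exactly the semicolon trick shown. The second generates a separate allowlist zone; the post only says it has a similar format to DOH.rpz, so the `CNAME rpz-passthru.` rule used here is the standard RPZ passthru action that I am substituting, on the assumption that this zone is listed in doh.conf before the doh zone. The allowlist and zone excerpt are constructed samples, not the real DOH.rpz.

```shell
#!/bin/sh
# Added example, not from the original thread: the two allowlist approaches.
# Names that must keep working, one per line (constructed; ";" lines are comments).
ALLOW='; DoH servers that must keep working on this network
doh.dns.apple.com
mask-api.icloud.com
'
# Constructed excerpt in the "name CNAME ." rule form shown above (not the real list).
ZONE='$TTL 300
@ SOA localhost. root.localhost. 1 300 300 300 300
@ NS localhost.
doh.dns.apple.com CNAME .
mozilla.cloudflare-dns.com CNAME .
mask-api.icloud.com CNAME .
'

# Approach 1 ("hacky"): prefix the matching rule lines with ";" so the name is
# no longer rewritten. Has to be re-applied after every download of the list.
# Assumes the two-field "name CNAME ." rule layout; zone is read on stdin.
comment_out_allowed() {
    awk -v allowfile="$1" '
        BEGIN {
            while ((getline line < allowfile) > 0) {
                sub(/[[:space:]]+$/, "", line)
                if (line !~ /^[[:space:]]*$/ && line !~ /^;/) allow[tolower(line)] = 1
            }
        }
        ($2 == "CNAME") && (tolower($1) in allow) { print ";" $0; next }
        { print }
    '
}

# Approach 2: a separate allowlist zone. "CNAME rpz-passthru." tells Unbound to
# stop policy processing for that name, so when this zone is listed before the
# doh zone the name resolves normally and the downloaded list stays untouched.
# Allowlist is read on stdin; the SOA/NS boilerplate is constructed.
passthru_zone() {
    awk '
        BEGIN {
            print "$TTL 300"
            print "@ SOA localhost. root.localhost. 1 300 300 300 300"
            print "@ NS localhost."
        }
        !/^[[:space:]]*$/ && !/^;/ { print $1 " CNAME rpz-passthru." }
    '
}

# In doh.conf the allowlist zone goes first (assumed layout; no action override
# on it, so the passthru rule keeps its meaning):
#   rpz:
#       name: doh-allow
#       zonefile: /etc/unbound/zonefiles/doh-allow.rpz
#   rpz:
#       name: doh
#       ...

# Offline demonstrations on the constructed data.
demo_comment_out() {
    f="$(mktemp)"
    printf '%s' "$ALLOW" > "$f"
    printf '%s' "$ZONE" | comment_out_allowed "$f"
    rm -f "$f"
}
demo_passthru() { printf '%s' "$ALLOW" | passthru_zone; }

demo_comment_out
demo_passthru
```

Approach 2 is the one I would keep: the allowlist lives in its own file, survives every refresh of DOH.rpz, and each passthru hit still shows up in the rpz log with its own zone name, so you can see when an allowed name is being used.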

The DoHBlocks can also be monitored in the system logs:

This happens automagically with the existing system log code (no changes by me!)

1 Like