A simple question: given the continued use of DNS over HTTPS technology, how can I limit browsing on unwanted sites?
simple answer:
disconnect the internet.
ok, I already knew this, so I can guess that there is no way to limit sites if you use this technology.
indeed quite simple again:
measure
countermeasure
measure
countermeasure
...
repeat
The only way I would know how is the as yet unofficial RPZ add-on.
It uses Unbound's RPZ to block this sort of thing.
Some in the IPFire development team are not fans, for some reason.
Thanks for your reply,
so if I understand correctly, the RPZ add-on and a block list are used to block this technology.
If so, could you also provide me with a link to the list?
It is a long post.
If I remember correctly, the IPS has DoT and DoH blocking rules for some providers in the Emerging Threats Community emerging-info.rules ruleset.
Thanks for the report, for now I’ll apply this rule on the online machine.
At the same time, I found a solution adopted by another firewall, which relies on server lists. I’ll also try that solution on a test machine. I’ll need to make some small changes to the system. If it works, I’ll share it with the community.
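The RPZ approach mentioned earlier and the "server lists" approach above both come down to the same thing: feed Unbound a list of DoH resolver hostnames and have it answer NXDOMAIN for them. The following is an added example (not the IPFire add-on's code and not any project's list) that turns such a list into an RPZ zone file and, as a fallback for an Unbound build without the RPZ module, into plain `local-zone` statements; the resolver hostnames are constructed placeholders, and the Firefox canary name `use-application-dns.net` is included because Firefox keeps using the network resolver when that name returns NXDOMAIN.

```python
"""Turn a DoH resolver hostname list into Unbound blocking config (RPZ or local-zone)."""

# Constructed placeholder names standing in for a curated DoH resolver list;
# replace with a maintained list before use.
DOH_RESOLVERS = [
    "doh.resolver-one.example",
    "dns.resolver-two.example",
    "DOH.Resolver-Three.Example.",  # mixed case + trailing dot: normalised below
]

# Firefox looks this name up before enabling DoH; an NXDOMAIN answer tells it
# to stay on the system/network resolver.
CANARY = "use-application-dns.net"


def normalize(name: str) -> str:
    """Lower-case, strip whitespace and the trailing dot, reject empty labels."""
    n = name.strip().lower().rstrip(".")
    if not n or any(label == "" for label in n.split(".")):
        raise ValueError(f"invalid hostname: {name!r}")
    return n


def _targets(names, canary: bool) -> list[str]:
    """Deduplicated, sorted set of names to block, optionally with the canary."""
    return sorted({normalize(n) for n in names} | ({CANARY} if canary else set()))


def rpz_zone(names, canary: bool = True, serial: int = 1) -> str:
    """Build an RPZ zone file body. In RPZ, 'CNAME .' means answer NXDOMAIN;
    the wildcard record also catches subdomains of each listed resolver.
    Owner names are relative to the zone origin, so no trailing dot."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for t in _targets(names, canary):
        lines.append(f"{t} CNAME .")
        lines.append(f"*.{t} CNAME .")
    return "\n".join(lines) + "\n"


def local_zones(names, canary: bool = True) -> str:
    """Fallback without the RPZ module: always_nxdomain covers the name and
    everything beneath it, so one line per resolver is enough."""
    return "".join(f'local-zone: "{t}." always_nxdomain\n' for t in _targets(names, canary))
```

Load the zone with an `rpz:` block in unbound.conf (name the zone whatever you like and point `zonefile:` at the generated file), or include the `local-zone` output in the `server:` section. Keep in mind this only breaks DoH towards resolvers whose hostnames are on the list; a client that reaches a resolver by IP address is not affected.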
Another option is a paid DNS service. I used to use cleanbrowsing.org when my son was a teen and it worked very well for blocking categories as well as individual sites. You put the DNS addresses they provide you into IPFire, set up a firewall rule to only allow IPFire’s DNS resolvers, and manage the categories and sites through cleanbrowsing.org’s management interface.
You can do the same with Cloudflare Family for free.
DoH uses TCP/443
HTTPS uses TCP/443
catch 22
I don’t believe Cloudflare’s free service allows for any configurability, though. Such as choosing what categories to block or not block, or adding custom blacklisted or whitelisted sites.
Indeed, I don’t believe that CloudFlare’s site lists can be modified individually.
If your children are old enough to try to circumvent your DNS, you're probably wasting your time, and should have a conversation with them instead.
just two funny snippets:
Main goal of DNS over HTTPS (DoH)
- Privacy of DNS queries: prevent on-path observers (ISPs, networks, Wi-Fi hotspots) from seeing which domain names a client resolves by encrypting DNS traffic inside HTTPS.
- Integrity and security: protect DNS responses from tampering (spoofing or injection) by using TLS to authenticate the resolver and encrypt queries/responses.
- Circumvent censorship and interception: make it harder for network middleboxes to block, censor, or manipulate DNS by hiding DNS in normal HTTPS traffic.
- Reliability and performance integration: enable reuse of existing HTTPS infrastructure (CDNs, HTTP/2, HTTP/3, connection pooling) to potentially improve resilience and latency compared with unauthenticated UDP.
- Standardized application-level control: allow applications (browsers) to choose resolvers independently of the OS/network, giving endpoints more control over privacy, policy, and feature rollout.
DoH trades off network visibility and centralized resolver choices (client-selected resolvers) against privacy and integrity gains; it was designed to make DNS resolution private and authenticated using widely deployed HTTPS/TLS.
and
Disruption of content filters
DoH has been used to bypass parental controls which operate at the (unencrypted) standard DNS level; however, there are DNS providers that offer filtering and parental controls along with support for DoH by operating DoH servers.
The Internet Service Providers Association (ISPA), a trade association representing British ISPs, and the also British body Internet Watch Foundation have criticized Mozilla, developer of the Firefox web browser, for supporting DoH, as they believe that it will undermine web blocking programs in the country, including ISP default filtering of adult content, and mandatory court-ordered filtering of copyright violations. The ISPA nominated Mozilla for its "Internet Villain" award for 2019 (alongside the EU Directive on Copyright in the Digital Single Market, and Donald Trump), "for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK." Mozilla responded to the allegations by the ISPA, arguing that it would not prevent filtering, and that they were "surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure". In response to the criticism, the ISPA apologized and withdrew the nomination. Mozilla subsequently stated that DoH will not be used by default in the British market until further discussion with relevant stakeholders, but stated that it "would offer real security benefits to UK citizens".
Censorship by Chinese government
In July 2020, iYouPort, the University of Maryland, and the Great Firewall Report reported that the Great Firewall (GFW) by the Chinese government blocks TLS connections using the encrypted SNI extension in China.
source:
https://en.wikipedia.org/wiki/DNS_over_HTTPS#Disruption_of_content_filters
You are absolutely right, but in my case it is different: the system is installed inside a school, and I think you can understand the problem.
I think the solution to your problem can be found in IPFire using Proxy and URLFilter:
and possibly WPAD:
In my case it is already active, but some guys manage to bypass it by enabling DNS over HTTPS.
hey, for a managed endpoint! that is simple:
- configure all processes [binaries] to use your local IPFire DNS on TCP 53
- prohibit changing the configuration
- enroll an allowlist for local binaries
- other binaries are not allowed to execute
easy
it is quite interesting/surprising how the communication protocol DoH is recognized or ... well ignored ...
that is the main purpose of DoH and lucky you can affirm it is working as expected