
Right now I am redirecting all local network DNS traffic to my Pi-hole install, since some devices do, or may in the future, use hardcoded DNS servers to bypass filtering.

Since DNS-over-HTTPS and DNS-over-TLS are becoming more common, I would like to know if it is possible to intercept that kind of traffic to redirect it to my Pi-hole install for filtering purposes.

If that is not possible (as I would expect), I wonder whether it's possible to at least drop said connections so that said devices will obtain errors and hopefully fall back to the DHCP-advertised (local) DNS server.

FarO
  • Some well-behaved applications may allow you to disable it from the network: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet – multithr3at3d Mar 18 '20 at 21:50

1 Answer


Redirecting the requests to your Pi-hole so that they get answered there is not possible, since your Pi-hole DNS server does not have the expected certificate.

Blocking DNS over TLS can be done by blocking outgoing port 853. How this blocking can be achieved in your specific but unknown network is unknown, but usually a perimeter firewall can do it.

Blocking DNS over HTTPS is much harder, since it uses the same port as normal HTTPS traffic (443). If you know the target IP then you could block this; otherwise you might try to detect such traffic by its specific communication pattern.

... since some devices do, or may in the future, use hardcoded DNS servers to bypass filtering.

If they do this they might also use something other than DNS to get their information, or use DNS tunneled inside other protocols or on non-standard ports. You cannot reliably filter something here which explicitly tries to bypass any filtering.

Steffen Ullrich
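The three measures the answer describes (forcing plain DNS to the Pi-hole, rejecting DNS-over-TLS on 853, and rejecting HTTPS to known DoH resolver addresses) can be expressed as one nftables ruleset on the router. The script below is an added example, not code from the question, the answer or the Pi-hole project. It assumes a Linux router with nftables (kernel 5.2 or newer, so that NAT works in the `inet` family), a LAN interface named `br0`, a Pi-hole at 192.168.1.2 on that LAN, and a constructed list of public resolver IPs that also serve DoH; all of these are placeholder values to adjust. It rejects with a TCP reset rather than silently dropping, so clients get an immediate error instead of a timeout and are more likely to fall back to the DHCP-advertised resolver.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that steers LAN DNS to a Pi-hole and
# rejects DoT/DoH. Usage:  LAN_IF=br0 PIHOLE_IP=192.168.1.2 sh doh-block.sh | nft -f -
# All addresses and interface names below are assumptions for illustration.

LAN_IF="${LAN_IF:-br0}"
PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"
# Constructed sample of resolver IPs known to serve DoH on 443; not a complete list,
# and providers change addresses, so maintain it from the providers' own documentation.
DOH_RESOLVERS="${DOH_RESOLVERS:-1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9 149.112.112.112}"

# build_ruleset LAN_IF PIHOLE_IP "IP IP ..."  -> prints an nft ruleset to stdout
build_ruleset() {
    lan_if="$1"
    pihole="$2"
    resolvers="$3"
    # nft set elements are comma separated
    set_elems=$(printf '%s' "$resolvers" | tr ' ' ',')
    cat <<EOF
table inet dnsfilter {
    set doh_resolvers {
        type ipv4_addr
        elements = { ${set_elems} }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Devices with hardcoded plain-DNS servers: rewrite the destination to the Pi-hole.
        # The Pi-hole's own upstream queries are excluded so they are not looped back to it.
        iifname "${lan_if}" ip saddr != ${pihole} ip daddr != ${pihole} udp dport 53 dnat to ${pihole}
        iifname "${lan_if}" ip saddr != ${pihole} ip daddr != ${pihole} tcp dport 53 dnat to ${pihole}
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin case: client and Pi-hole are on the same segment, so the Pi-hole's reply
        # would otherwise go straight to the client and bypass the router's NAT state.
        oifname "${lan_if}" ip daddr ${pihole} udp dport 53 masquerade
        oifname "${lan_if}" ip daddr ${pihole} tcp dport 53 masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # DNS-over-TLS has its own port; a TCP reset makes the client fail fast.
        iifname "${lan_if}" tcp dport 853 reject with tcp reset
        # DNS-over-HTTPS shares 443 with ordinary HTTPS, so only the destination IP
        # distinguishes it here; traffic to unknown DoH endpoints is not caught.
        iifname "${lan_if}" ip daddr @doh_resolvers tcp dport 443 reject with tcp reset
    }
}
EOF
}

build_ruleset "$LAN_IF" "$PIHOLE_IP" "$DOH_RESOLVERS"
```

Review the generated text before loading it (`nft -c -f -` checks syntax without applying). The IP-based DoH rule is only as good as the resolver list, which matches the answer's point that DoH to an address you do not know about cannot be told apart from normal HTTPS by port alone.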