Blocking… or trying to… DNS over HTTPS (aka DoH)

Posted on by Thiago Crepaldi

Last Updated on December 30, 2024 by Thiago Crepaldi

This post is complementary to a previous POST protecting your network from malicious DNS. Here we are going to leverage a recent addition to pfBlockerNG: a brand new DoH feed!

What is the big deal in allowing DNS over HTTPS (aka DoH) on your network?! Well, users can bypass the DNS over TLS of your pfSense and use a (malicious) one. Some browsers such as Chrome and Firefox implement DoH and there is no way to turn it off in an easy way.

This blocking will use pfBlockerNG to block URLs from a known list of DoH providers. Up until recently, the challenge was that there was no standard and up to date list of DoH providers, so this approach can be flaky. However, we finally have a free and updated feed we can use, besides the static ones I have scavenged online.

To get started, go to Firewall >> pfBlockerNG >> Feeds and scroll down until you find DoH Alias/category. Not DoH_IP nor DoH_IP6, but DoH. Click on the blue + button to add all feeds as a new block list. A page with a new DNSBL group will open and should add rows to “DNSBL Source Definitions” so it looks like this:

After checking all URLs are ON and the Settings are configured as above, click Save DNSBL Settings button at the bottom of the page. Once a day pfSense will update its block list and block the offending DoH servers.

To verify your setting is working, click on Reports within DNSBL page and looks for DNSBL_DoH at the DENY table.

2 thoughts on “Blocking… or trying to… DNS over HTTPS (aka DoH)

Leave a Reply