Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Wed Jun 22, 2022 20:41 Post subject: dns over https not getting redirected
On r49289 I'm testing iCloud Relay to see how it works (it shouldn't) with my DNS filter list. It seems iCloud Relay uses DNS over HTTPS, and the two iCloud Relay domains mask.icloud.com and mask-h2.icloud.com are already blocked to 0.0.0.0 and ::, but my iPhone can still bypass my entire blocklist if I enable iCloud Relay.
I already have Forced DNS Redirection and Forced DNS Redirection (DoT) enabled. How can I force DoH to do the same and be overridden by the local DNS?
_________________
LATEST FIRMWARE(S)
BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Wed Jun 22, 2022 22:11 Post subject:
Cloudflare right now, IPv4/6. The blocklist is handled by Unbound, and Unbound checks local-zone before forwarding... that's why I'm confused.
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Thu Jun 23, 2022 0:57 Post subject: Re: dns over https not getting redirected
tatsuya46 wrote:
I already have Forced DNS Redirection and Forced DNS Redirection (DoT) enabled. How can I force DoH to do the same and be overridden by the local DNS?
It's a million dollar question!!!
I still don't get how Force DoT works... if it captures INBOUND 853 requests, which are encrypted, and forces them, let's say, through the normal forced DNS port 53, then what?
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
This commit only seems to apply to dnsmasq, but conditional compile options are present for SmartDNS and Unbound in the affected file. Shouldn't dnsmasq forward requests to the proxy of choice (SmartDNS / Unbound) or vice versa? Visual lecture aids are welcome to explain the "problem".
https://svn.dd-wrt.com/changeset/49289
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
You cannot redirect DoH; your only option is to block all DoH addresses with IPSET.
The IPSET guide (a sticky in the Advanced Networking forum) has a paragraph about this.
But even then tech-savvy users will use a proxy server they set up in the cloud or even use a VPN (you can use IPSET to block all known VPN servers), but again, if they set up their own in the cloud (which is really easy and free; I am running a free Oracle Cloud server with OpenVPN and WireGuard) you are toast.
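The IPSET approach from the post above, written out as an added example (not from the thread, the IPSET guide or the DD-WRT project): dnsmasq answers the Firefox canary domain with NXDOMAIN and feeds every address it resolves for a DoH hostname into an ipset, which the firewall then rejects on 443. The set name doh_block, the interface br0 and the domain list (the two iCloud Private Relay hosts named in the thread) are assumptions; a client that carries a hard-coded DoH resolver IP never queries dnsmasq, so such addresses still have to be added to the set by hand, which is the limitation the post describes.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumed names: doh_block, br0.
SET_NAME="doh_block"
LAN_IF="br0"
# Constructed list: the two iCloud Private Relay hosts from the thread;
# extend with other DoH provider hostnames as needed.
DOH_DOMAINS="mask.icloud.com mask-h2.icloud.com"

# dnsmasq snippet: an empty address= entry makes the canary domain return
# NXDOMAIN (Firefox then disables its built-in DoH), and ipset=/host/set adds
# every address resolved for a DoH host to the set. Do NOT also pin these
# hosts with address=/host/0.0.0.0, or nothing real ever lands in the set.
# For IPv6 add a second hash:ip family inet6 set as ipset=/host/set4,set6.
gen_dnsmasq_conf() {
  echo "address=/use-application-dns.net/"
  for d in $DOH_DOMAINS; do
    echo "ipset=/$d/$SET_NAME"
  done
}

# Firewall: the set must exist before the match rule is inserted. Reject
# HTTPS (TCP 443) and QUIC/HTTP3 (UDP 443) to any address in the set, and
# keep plain DNS on 53 redirected to the router so the local filter applies.
gen_firewall_rules() {
  echo "ipset create $SET_NAME hash:ip family inet -exist"
  echo "iptables -I FORWARD -i $LAN_IF -p tcp --dport 443 -m set --match-set $SET_NAME dst -j REJECT --reject-with tcp-reset"
  echo "iptables -I FORWARD -i $LAN_IF -p udp --dport 443 -m set --match-set $SET_NAME dst -j DROP"
  echo "iptables -t nat -I PREROUTING -i $LAN_IF -p udp --dport 53 -j REDIRECT --to-ports 53"
  echo "iptables -t nat -I PREROUTING -i $LAN_IF -p tcp --dport 53 -j REDIRECT --to-ports 53"
}

# Run as root on the router (e.g. from the firewall startup script) to apply
# the rules; the dnsmasq lines go into the additional dnsmasq options and
# need a dnsmasq restart.
apply_doh_block() {
  gen_firewall_rules | sh
}
```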
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Thu Jun 23, 2022 11:13 Post subject:
If I'm not wrong, this option persists in dnscrypt-proxy v2:
use-application-dns.net, to force/check the use of Firefox DoH and override it.
If I'm not wrong, there was a thread somewhere around DD-WRT where a chap was looking for this option, where you can add this in dnsmasq exactly like egc's patch, address=/use-application-dns.net, in order to prevent the use of DoH, and then you get the slap in the face with Tor browsers like Opera GX and others.
This reminds me, once I was called to my friend's private school to consult on the Internet filtering options... kids are so crafty and clever these days.
And yep, IPset seems to be the best solution so far... even if it's a bit of an effort to deploy and set up.