DNS over HTTPS/TLS/QUIC Blocking

Burner27 · March 29, 2024, 7:33pm

Hello fellow ITers!!!

Apologies in advance if this topic has been brought up before, but does DNS over HTTPS/TLS/QUIC Blocking on pFsense work? I have several family members that use firefox and although you can turn DNS over HTTPS off in the browser, some members of the family (who know more than they should) have been turning it back on. I know there are ‘feeds’ for this, but is that the best approach?

Found this too https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf

But not sure (I know it’s dated 2024) if this is the way to go

Edit: found this too: https://geekistheway.com/2020/06/23/blocking-or-trying-to-dns-over-https/#:~:text=To%20get%20started%2C%20go%20to%20Firewall%20>>%20pfBlockerNG,“DNSBL%20Source%20Definitions”%20so%20it%20looks%20like%20this%3A

What is the best practice?

Thanks to you all!!

xMAXIMUSx · March 29, 2024, 8:00pm

For QUIC:

It is as simple as this. The Alias WebPort has 80 and 443 in it

For DoH:

This can be accomished by pfblockerng with the DOH list
Note: this wont block all of them, but still block the majority.

For DNS over TLS:

You’ll notice I have a block rule for everything that is NOT the interface address. The Alias is for ports 53 and 853. Then create a allow rule for the interface address.

Most of the time DNS over TLS will be 853 but could be on a different port if configured that way.

Burner27 · March 29, 2024, 8:05pm

xMAXIMUsx–

Thank you for the quick and simple solutions!! Question though - for DoH, do I select all the lists under: Firewall - pfBlockerNG - DNSBL - DNSBL SafeSearch - DNS over HTTPS/TLS/QUIC Blocking?

Thank you,
B27

LTS_Tom · March 30, 2024, 12:37pm

Just so you know, blocking QUIC will make for a slower experience on many sites.

Burner27 · March 30, 2024, 3:48pm

Hey Tom,

Thank you for the advice. Primarily I want to stop FF from doing its own DNS resolution. I want to do what xMAXIMUSx suggested, but wasn’t sure if I should enable all the lists.

Thank you,

B27

LTS_Tom · April 3, 2024, 11:27am

I never block QUIC as it leads to a worse experience.

mikeys · April 6, 2024, 9:00am

By how much, substantially less?

Considering blocking it on a UCG-Utra at a family member.

LTS_Tom · April 6, 2024, 9:48am

I am not sure there is an easy way to quantify it, but generally more latency from sites that use QUIC.