DNS over HTTPS/TLS/QUIC Blocking

Hello fellow ITers!!!

Apologies in advance if this topic has been brought up before, but does DNS over HTTPS/TLS/QUIC blocking on pfSense work? I have several family members that use Firefox, and although you can turn DNS over HTTPS off in the browser, some members of the family (who know more than they should) have been turning it back on. I know there are 'feeds' for this, but is that the best approach?

Found this too https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf

But I'm not sure (I know it's dated 2024) if this is the way to go.

Edit: found this too: https://geekistheway.com/2020/06/23/blocking-or-trying-to-dns-over-https/#:~:text=To%20get%20started%2C%20go%20to%20Firewall%20>>%20pfBlockerNG,“DNSBL%20Source%20Definitions”%20so%20it%20looks%20like%20this%3A

What is the best practice?

Thanks to you all!!

For QUIC:

It is as simple as this. The Alias WebPort has 80 and 443 in it

For DoH:

This can be accomplished by pfBlockerNG with the DoH list.
Note: this won't block all of them, but it still blocks the majority.

For DNS over TLS:

You'll notice I have a block rule for everything that is NOT the interface address. The Alias is for ports 53 and 853. Then create an allow rule for the interface address.

Most of the time DNS over TLS will be 853 but could be on a different port if configured that way.
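As an added illustration (not from this thread and not pfSense's own code), here is a small Python model of the three layers the reply describes, so you can check what each one does and does not catch. It assumes a LAN interface address of 192.168.1.1, a WebPort alias of 80/443, a DNS alias of 53/853, and a constructed two-entry stand-in for the pfBlockerNG DoH feed.

```python
# Added example: a first-match model of the LAN rules described above.
# Assumed values: interface address, alias contents and the DoH list are
# constructed for illustration, not taken from a real pfSense box.
from dataclasses import dataclass
from ipaddress import ip_address

LAN_IF_ADDR = ip_address("192.168.1.1")   # assumed LAN interface (local resolver)
WEB_PORTS = {80, 443}                      # the "WebPort" alias
DNS_PORTS = {53, 853}                      # plain DNS / DNS over TLS alias
# Constructed stand-in for the pfBlockerNG DoH DNSBL feed (not the real list)
DOH_BLOCKLIST = {"mozilla.cloudflare-dns.com", "dns.google"}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dst: str     # destination IP address
    dport: int   # destination port


def lan_rule(pkt: Packet) -> str:
    """Evaluate a LAN-bound packet against the rules in first-match order."""
    dst = ip_address(pkt.dst)
    # 1. QUIC: HTTP/3 runs over UDP 443, so block UDP to the WebPort alias
    if pkt.proto == "udp" and pkt.dport in WEB_PORTS:
        return "block"
    # 2. Plain DNS / DoT: block 53 and 853 to anything NOT the interface address
    if pkt.dport in DNS_PORTS and dst != LAN_IF_ADDR:
        return "block"
    # 3. Allow 53/853 to the interface address (the local resolver)
    if pkt.dport in DNS_PORTS and dst == LAN_IF_ADDR:
        return "pass"
    return "pass"   # default LAN policy: everything else passes


def dnsbl_resolve(name: str) -> str:
    """Model of the DNSBL layer: names on the DoH list are sinkholed."""
    if name.lower().rstrip(".") in DOH_BLOCKLIST:
        return "0.0.0.0"
    return "real-answer"


def can_reach_doh(resolver_name: str, resolver_ip: str) -> bool:
    """A DoH client first resolves its resolver's hostname, then opens TCP 443.
    If the name is sinkholed it never gets an address. If the client already
    holds the IP, only the port rules remain, and TCP 443 looks like any HTTPS,
    which is why the list blocks the majority but not all."""
    if resolver_name and dnsbl_resolve(resolver_name) == "0.0.0.0":
        return False
    return lan_rule(Packet("tcp", resolver_ip, 443)) == "pass"
```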

xMAXIMUsx–

Thank you for the quick and simple solutions!! Question though: for DoH, do I select all the lists under Firewall - pfBlockerNG - DNSBL - DNSBL SafeSearch - DNS over HTTPS/TLS/QUIC Blocking?

Thank you,
B27

Just so you know, blocking QUIC will make for a slower experience on many sites.

Hey Tom,

Thank you for the advice. Primarily I want to stop FF from doing its own DNS resolution. I want to do what xMAXIMUSx suggested, but I wasn't sure if I should enable all the lists.

Thank you,

B27

I never block QUIC as it leads to a worse experience.

By how much, substantially less?

Considering blocking it on a UCG-Ultra at a family member's.

I am not sure there is an easy way to quantify it, but generally more latency from sites that use QUIC.