
How do we block domains once apps incorporate their own DNS over HTTPS? - BLKNSLVR
Original DNS was easy to see and manipulate, and that was a problem once it left the private network - it enabled ISPs and other close-hop providers to catch a glimpse of what is being viewed online.

Inside the private network it was great because it could be detected and manipulated as necessary - redirecting rogue DNS queries to the desired DNS servers if specific software and apps were attempting to use their own hard-coded DNS servers (to bypass ad-blocking etc.), blocking unwanted domains and sites, etc.

Using Pi-Hole my current DNS request block percentage is 45.8%. I specifically redirect DNS requests through it using firewall rules. If I remove or disable the DNS redirection firewall rule this percentage falls to around 25 - 30%, meaning that there are a number of internal devices and software that are using specific, custom DNS servers rather than what my DHCP server hands out. I don't like that, but vanilla DNS lets me close that potential security hole.

What if these devices and software start using internal DNS over HTTPS (or any of the other forms of non-inspectable or non-specific-DNS-port DNS requests) settings that are non-configurable?

How do we even detect that it's occurring, never mind being able to manipulate it to comply with the 'policies' of our private networks?
======
mirimir
If this becomes prevalent, there will be considerable outrage. So people will
be discovering which devices and apps use tunneled DNS. Restricting the
universe to open-source stuff, that shouldn't be that hard, just from the
code.

Also, although blocking domains will be harder, you can always block IP
addresses and ranges. DNS requests may be tunneled, but apps are still just
connecting to IP addresses.

So you can compare IP addresses resolved by trusted DNS servers with those
that an app is requesting. And block whatever you don't want. It could become
tedious, but one could build something like Pi-Hole that was easily
configurable on the fly.
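The check described in this comment (compare what the trusted resolver actually handed out against what hosts then connect to) and the detection question in the original post can be scripted from two logs most home networks already have: the Pi-hole/dnsmasq query log and a connection or flow export from the router. The script below is an added example, not code from the thread or from Pi-hole; the log lines, the 192.168.1.2 resolver address, the CSV column names and the RFC 1918 "local" ranges are constructed assumptions, and the public resolver list is only a starter set you would extend for your own network.

```python
"""Flag outbound connections that bypass the trusted resolver.

Three signals, one reason reported per connection:
  1. port 53 to anything other than the trusted resolver (classic hard-coded DNS),
  2. port 443 to a public resolver known to serve DNS over HTTPS,
  3. a public destination the trusted resolver never answered with
     (the name was resolved somewhere we could not see).
"""
import csv
import io
import ipaddress
import re

# Constructed sample of dnsmasq / Pi-hole style resolver log lines (not real traffic).
RESOLVER_LOG = """\
Jan  1 10:00:01 dnsmasq[123]: query[A] example.com from 192.168.1.20
Jan  1 10:00:01 dnsmasq[123]: reply example.com is 93.184.216.34
Jan  1 10:00:05 dnsmasq[123]: query[A] use-application-dns.net from 192.168.1.20
Jan  1 10:00:05 dnsmasq[123]: config use-application-dns.net is NXDOMAIN
Jan  1 10:01:00 dnsmasq[123]: query[A] cdn.example.net from 192.168.1.30
Jan  1 10:01:00 dnsmasq[123]: cached cdn.example.net is 203.0.113.10
"""

# Constructed sample of outbound connections (e.g. exported from conntrack or a
# router flow log); the column names are an assumption of this example.
CONN_LOG = """\
src,dst,dport,proto
192.168.1.20,192.168.1.2,53,udp
192.168.1.20,93.184.216.34,443,tcp
192.168.1.30,203.0.113.10,443,tcp
192.168.1.40,198.51.100.8,53,udp
192.168.1.40,1.1.1.1,443,tcp
192.168.1.40,198.51.100.7,443,tcp
"""

TRUSTED_RESOLVERS = {"192.168.1.2"}  # the Pi-hole (constructed address)
# Starter list: public resolvers that also answer DoH on 443. Extend for your network.
KNOWN_DOH_ENDPOINTS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}
# Ranges treated as "local, not name-resolved" (assumed RFC 1918 plus loopback/link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# dnsmasq answer lines look like "reply NAME is IP" or "cached NAME is IP".
_ANSWER_RE = re.compile(r"\b(?:reply|cached) (\S+) is (\S+)$")


def parse_resolver_log(text):
    """Map each answered IP to the set of names the trusted resolver returned it for."""
    resolved = {}
    for line in text.splitlines():
        m = _ANSWER_RE.search(line)
        if not m:
            continue  # queries, config/NXDOMAIN answers, etc. carry no IP
        name, value = m.groups()
        try:
            ip = str(ipaddress.ip_address(value))  # skips <CNAME>, NXDOMAIN and the like
        except ValueError:
            continue
        resolved.setdefault(ip, set()).add(name)
    return resolved


def parse_conn_log(text):
    return list(csv.DictReader(io.StringIO(text)))


def classify(conn, resolved):
    """Return a reason string if the connection looks like bypassed DNS, else None."""
    dst = ipaddress.ip_address(conn["dst"])
    dport = int(conn["dport"])
    if dport == 53:
        return None if str(dst) in TRUSTED_RESOLVERS else "plain DNS to untrusted resolver"
    if dport == 443 and str(dst) in KNOWN_DOH_ENDPOINTS:
        return "HTTPS to known public DoH resolver"
    if any(dst in net for net in LOCAL_NETS):
        return None  # local traffic is not reached via a public name lookup
    if str(dst) not in resolved:
        return "destination never returned by trusted resolver"
    return None


def audit(resolver_log=RESOLVER_LOG, conn_log=CONN_LOG):
    """Return (src, dst, dport, reason) for every suspicious connection, in log order."""
    resolved = parse_resolver_log(resolver_log)
    findings = []
    for conn in parse_conn_log(conn_log):
        reason = classify(conn, resolved)
        if reason:
            findings.append((conn["src"], conn["dst"], int(conn["dport"]), reason))
    return findings


if __name__ == "__main__":
    for src, dst, dport, reason in audit():
        print(f"{src} -> {dst}:{dport}  {reason}")
```

On the sample data only host 192.168.1.40 is reported, once for each of the three signals. The third signal is the noisy one in practice: a CDN or anycast address can legitimately be returned for a different name than the one a client is fetching, and resolver cache lifetimes mean a connection can outlive the log line that justified it, so treat "never returned by trusted resolver" as a lead to investigate per device rather than an automatic block.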

------
jlgaddis
Right now, it's quite easy to turn off Firefox's use of DNS-over-HTTPS,
using about:config (or, like me, blocking the "canary domain" via my internal
DNS servers).

On a larger scale, however, this won't work. We can't expect every application
to honor such "workarounds" -- they will, of course, do what's best for them.

That's my biggest problem with this "movement" -- removing the choice from
the end user (at home) or those managing the network (at work).

Yet again, I think it mostly comes down to "we know what's best for you".

------
heavyset_go
Chromecasts already do this with Google's DNS. If you try to reroute DNS
traffic to the servers of your choice, or block Google's DNS servers, the
Chromecast will refuse to function.

------
mirimir
Just don't use those devices or apps.

Or perhaps there's some way to MitM them?

~~~
BLKNSLVR
It won't necessarily be obvious which devices or apps are doing it.

One of the reasons DNS over HTTPS has gained popularity is because it's not
possible to MitM it (easily, at least). That's kinda the point of its
existence.

~~~
mirimir
If devices do it, that will undoubtedly come out.

For particular apps, you can check against wget, w3m, etc. Or just dig. Using
whatever DNS server you specify.

