What's the problem?
Some browsers provide DNS over HTTPS (DoH) or DNS over TLS (DoT) features to encrypt DNS communications. When such a feature is enabled, the browser's DNS queries no longer pass through Firewalla's DNS filtering, so some DNS-based blocking rules in Firewalla may not work as expected:
- family mode
- Adblock
- rules marked as "Domain-only"
Other rules, such as the porn block applied under a device, will react more slowly but will still block. Examples:
- rules marked as "default"
- IP/Port and regional rules
- Porn / Gaming blocks
How to solve it?
- Turn off the DoH/DoT feature on browsers.
- If you cannot do that, for example because the devices are not under your control, a workaround is to create a set of rules in the Firewalla app that block the DoH/DoT servers. This forces the browser to fall back to normal DNS.
The following list of DoH servers used by popular browsers is provided for your reference.
DoH Name | Block DoH domain
---|---
Google (Public DNS) | dns.google
Cloudflare | chrome.cloudflare-dns.com
Cloudflare | mozilla.cloudflare-dns.com
CleanBrowsing (Family Filter) | doh.cleanbrowsing.org
NextDNS | chromium.dns.nextdns.io
NextDNS | firefox.dns.nextdns.io
Quad9 | dns.quad9.net
OpenDNS | doh.opendns.com
The following is a list of popular DoT servers.
DoT Name | Block DoT domain
---|---
Google DNS | dns.google
Cloudflare | cloudflare-dns.com
Quad9 | dns.quad9.net
CleanBrowsing | dot.cleanbrowsing.org
NextDNS | dns.nextdns.io
AdGuard | dns.adguard.com
LibreDNS | dot.libredns.gr
DNSlify | dns.dnslify.com
Quadrant | dns-tls.qis.io
Note:
1. Chrome and Microsoft Edge will NOT be able to access any websites if DoH/DoT is enabled in browsers and DoH/DoT servers are blocked by Firewalla.
2. Firefox will fall back to plain-text DNS if DoH/DoT servers are blocked by Firewalla.
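To confirm that the workaround is taking effect, a defender can look for encrypted-DNS flows from devices on the network: DoT is recognisable by its dedicated port 853, while DoH is ordinary HTTPS and can only be spotted by the TLS server name of a known resolver. The Python below is an added example, not Firewalla's own code; the flow-record format (src, dst, dport, sni keys) is an assumption and the sample flows are constructed.

```python
"""Flag encrypted-DNS (DoH/DoT) flows to find devices bypassing DNS rules."""
from typing import Iterable

# Hostnames taken from the DoH and DoT tables above.
DOH_HOSTS = {
    "dns.google", "chrome.cloudflare-dns.com", "mozilla.cloudflare-dns.com",
    "doh.cleanbrowsing.org", "chromium.dns.nextdns.io",
    "firefox.dns.nextdns.io", "dns.quad9.net", "doh.opendns.com",
}
DOT_HOSTS = {
    "dns.google", "cloudflare-dns.com", "dns.quad9.net",
    "dot.cleanbrowsing.org", "dns.nextdns.io", "dns.adguard.com",
    "dot.libredns.gr", "dns.dnslify.com", "dns-tls.qis.io",
}
DOT_PORT = 853  # DNS over TLS has its own port (RFC 7858); DoH hides in 443

def classify_flow(flow: dict) -> str:
    """Return 'dot', 'doh' or 'plain' for one flow record.
    Record keys (assumed, constructed format): src, dst, dport, sni."""
    sni = (flow.get("sni") or "").lower().rstrip(".")
    if flow.get("dport") == DOT_PORT:
        return "dot"
    # DoH is plain HTTPS, so only the TLS SNI identifies the resolver.
    if flow.get("dport") == 443 and sni in (DOH_HOSTS | DOT_HOSTS):
        return "doh"
    return "plain"

def devices_bypassing_dns(flows: Iterable[dict]) -> dict:
    """Map each source address to the (kind, endpoint) pairs it used."""
    result: dict = {}
    for flow in flows:
        kind = classify_flow(flow)
        if kind == "plain":
            continue
        endpoint = (flow.get("sni") or flow["dst"]).lower().rstrip(".")
        result.setdefault(flow["src"], set()).add((kind, endpoint))
    return result

# Constructed sample flows; addresses and hostnames are illustrative only.
SAMPLE_FLOWS = [
    {"src": "192.168.1.20", "dst": "8.8.8.8", "dport": 443, "sni": "dns.google"},
    {"src": "192.168.1.20", "dst": "1.1.1.1", "dport": 853, "sni": "cloudflare-dns.com"},
    {"src": "192.168.1.31", "dst": "203.0.113.5", "dport": 443, "sni": "example.com"},
    {"src": "192.168.1.31", "dst": "192.168.1.1", "dport": 53, "sni": None},
]

if __name__ == "__main__":
    for device, endpoints in devices_bypassing_dns(SAMPLE_FLOWS).items():
        print(device, sorted(endpoints))
```

A device that still shows up after the blocking rules are in place is one where the DoH/DoT workaround is not yet effective, which is where Note 1 above (Chrome/Edge losing web access entirely) becomes relevant.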