Option to block DNS over TLS/HTTPS does not seem very effective

Hi,

I want to use an ad-blocking DNS server (Control D). I included it as the default DNS server for all WANs and forced redirection to the DNS cache using “service forwarding”. All is working fine.

The only missing link is blocking any possible bypass using DoT or DoH. I enabled the option to block DoT and DoH under Peplink’s application blocking and tried to use the included “secure DNS” servers in Google Chrome.

Expected Result: All common encrypted DNS should be blocked (at least the default ones from Chrome).
Result: Google DNS (8.8.8.8) as well as OpenDNS were blocked. Cloudflare DNS and CleanBrowsing were not blocked.

Is this expected behavior? Is this blocking system based on a host list? How are updates delivered?
Device: 20x running 8.4.1

Thanks!

Ticket #24060639 opened today.
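To check from a client which encrypted-DNS paths a policy like this actually stops, rather than relying on one browser's behaviour, the following script is an added example (not from this thread or from Peplink) that sends a real DoT and a real DoH query to each of the providers named above and reports whether it was answered or failed. The provider IPs and DoH URLs in the table are assumptions taken from the providers' public documentation and should be re-checked before use.

```python
"""Probe DoT (TCP/853) and DoH endpoints to see which ones a DNS-blocking policy stops.
Added example, not from the thread; endpoint IPs/URLs are assumed from provider docs."""
import socket, ssl, struct, urllib.request

PROVIDERS = {  # name: (DoT server IP, DoH URL)  -- assumed values, verify before use
    "Google":        ("8.8.8.8",        "https://dns.google/dns-query"),
    "Cloudflare":    ("1.1.1.1",        "https://cloudflare-dns.com/dns-query"),
    "OpenDNS":       ("208.67.222.222", "https://doh.opendns.com/dns-query"),
    "CleanBrowsing": ("185.228.168.9",  "https://doh.cleanbrowsing.org/doh/family-filter/"),
    "AdGuard":       ("94.140.14.14",   "https://dns.adguard.com/dns-query"),
}

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS wire-format A/IN query with RD set (what DoT and DoH both carry)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def response_rcode(msg: bytes) -> int:
    """RCODE (low 4 bits of the flags word) of a DNS response; rejects non-responses."""
    if len(msg) < 12 or not msg[2] & 0x80:
        raise ValueError("not a DNS response")
    return msg[3] & 0x0F

def probe_dot(ip: str, name: str, timeout: float = 3.0) -> str:
    """DoT: TLS on port 853, each message prefixed with a 2-byte length."""
    q = build_query(name)
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # reachability test only
    try:
        with socket.create_connection((ip, 853), timeout=timeout) as s, ctx.wrap_socket(s) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            f = tls.makefile("rb")
            n = struct.unpack("!H", f.read(2))[0]
            return f"answered, rcode={response_rcode(f.read(n))}"
    except (OSError, ValueError, struct.error) as e:  # ssl.SSLError is an OSError
        return f"blocked/failed ({type(e).__name__})"

def probe_doh(url: str, name: str, timeout: float = 3.0) -> str:
    """DoH: RFC 8484 POST with an application/dns-message body."""
    hdr = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    try:
        with urllib.request.urlopen(urllib.request.Request(url, build_query(name), hdr),
                                    timeout=timeout) as r:
            return f"answered, rcode={response_rcode(r.read())}"
    except (OSError, ValueError) as e:  # URLError/HTTPError are OSError subclasses
        return f"blocked/failed ({type(e).__name__})"

if __name__ == "__main__":
    for prov, (ip, url) in PROVIDERS.items():
        print(f"{prov:14} DoT: {probe_dot(ip, 'example.com'):34} DoH: {probe_doh(url, 'example.com')}")
```

Run it from a LAN client with the blocking option off and then on; any provider that still reports "answered" is a bypass path the policy does not cover.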

I was surprised to see DoH blocking in the UI, as it is designed to be difficult to block effectively and selectively. In my network, instead of trying to use the Peplink to block DoH, I have configured the OS and web browsers on our devices not to make DoH requests.

I was also surprised to see DoT and DoH lumped together in the UI. Even if the feature blocked DoH 100% effectively, I would not use it because I do not also want to block DoT requests from every device on my network.

In conjunction with the above, Peplink might wish to investigate AdGuard services and blocking for the DNSCrypt application. I just tried enabling application blocking for DNSCrypt and saw that it did not block a few AdGuard and CleanBrowsing queries.