Infrastructure Series -- Recursive DNS and Adblocking DNS over TLS w/NGINX

Yeah, it was a difficulty I realized. I wasn't aware of Pi-hole's CNAME blocking that screwed with it.


Working on implementing this


Basically I'm nearly there. I prefer to compile it myself and not pull it from cargo. Often there are dependencies that break. You can do it either way.

[root@bifrost ~]$ doh-proxy --help
doh-proxy 0.9.4
Frank Denis <[email protected]>
A DNS-over-HTTPS (DoH) and ODoH (Oblivious DoH) proxy

USAGE:
    doh-proxy [OPTIONS]

OPTIONS:
    -b, --local-bind-address <local_bind_address>    Address to connect from
    -c, --max-clients <max_clients>                  Maximum number of simultaneous clients [default: 512]
    -C, --max-concurrent <max_concurrent>            Maximum number of concurrent requests per client [default: 16]
    -E, --err-ttl <err_ttl>                          TTL for errors, in seconds [default: 2]
    -g, --public-address <public_address>            External IP address DoH clients will connect to
    -h, --help                                       Print help information
    -H, --hostname <hostname>                        Host name (not IP address) DoH clients will use to connect
    -i, --tls-cert-path <tls_cert_path>              Path to the PEM/PKCS#8-encoded certificates (only required for built-in TLS)
    -I, --tls-cert-key-path <tls_cert_key_path>      Path to the PEM-encoded secret keys (only required for built-in TLS)
    -j, --public-port <public_port>                  External port DoH clients will connect to, if not 443
    -K, --disable-keepalive                          Disable keepalive
    -l, --listen-address <listen_address>            Address to listen to [default: 127.0.0.1:3000]
    -O, --allow-odoh-post                            Allow POST queries over ODoH even if they have been disabed for DoH
    -p, --path <path>                                URI path [default: /dns-query]
    -P, --disable-post                               Disable POST queries
    -t, --timeout <timeout>                          Timeout, in seconds [default: 10]
    -T, --min-ttl <min_ttl>                          Minimum TTL, in seconds [default: 10]
    -u, --server-address <server_address>            Address to connect to [default: 9.9.9.9:53]
    -V, --version                                    Print version information
    -X, --max-ttl <max_ttl>                          Maximum TTL, in seconds [default: 604800]

[root@bifrost ~]$ whereis doh-proxy
doh-proxy: /home/root/.rustc/bin/doh-proxy

What I need to do next is make sure it has a systemd unit that runs in userspace, not as root, and configure it properly.

Quick note for anyone who desires to do the same thing: remember multi-user.target is not a user target. That is a system target.

[root@bifrost ~]$ systemctl --user list-units --type=target
  UNIT           LOAD   ACTIVE SUB    DESCRIPTION     
  basic.target   loaded active active Basic System
  default.target loaded active active Main User Target
  paths.target   loaded active active Paths
  sockets.target loaded active active Sockets
  timers.target  loaded active active Timers

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
5 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[root@bifrost ~]$ 

It's worth noting that you also should NOT just store it in /etc/systemd/user. You should store it in ~/.config/systemd/user/ and `ln -s` it into /etc/systemd/user so you can modify it without root privs.


BOOM BABY

[USERNAME@bifrost nginx]$ curl --doh-url https://<mydnsURL>/dns-query icanhazip.com
192.81.134.12
[USERNAME@bifrost nginx]$ 



I moved to stability. Never again

A question was posited in the lounge by @bedHedd and @SgtAwesomesauce as to how to block certain services from phoning home.

Let's get into it.

Okay, use the no-Google DNS list here. Also, if you need to, and you have your own Pi-hole and don't want any other DNS services used (may cause breakage), here is a list of all the DoH resolvers to block. You can then block DoT port 853 and port 8053 in your firewall to prevent them from being used by the app to bypass your DNS blocking.

# Aaflalo
0.0.0.0 dns.aaflalo.me
0.0.0.0 dns-nyc.aaflalo.me

# AdGuard
0.0.0.0 dns.adguard.com
0.0.0.0 dns-family.adguard.com

# Alekberg
0.0.0.0 dns.alekberg.net
0.0.0.0 dns2.alekberg.net
0.0.0.0 dnsse.alekberg.net

# AliDNS
0.0.0.0 dns.alidns.com

# Andrews & Arnold
0.0.0.0 dns.aa.net.uk

# Association 42l
0.0.0.0 doh.42l.fr

# AT&T
0.0.0.0 dohtrial.att.net

# BlahDNS
0.0.0.0 doh-fi.blahdns.com
0.0.0.0 doh-jp.blahdns.com
0.0.0.0 doh-de.blahdns.com
0.0.0.0 doh-sg.blahdns.com

# Brahma World
0.0.0.0 dns.brahma.world

# Canadian Shield
0.0.0.0 private.canadianshield.cira.ca
0.0.0.0 protected.canadianshield.cira.ca
0.0.0.0 family.canadianshield.cira.ca

# Captnemo
0.0.0.0 doh.captnemo.in

# Cisco
0.0.0.0 doh.opendns.com
0.0.0.0 doh.familyshield.opendns.com

# Clean Browsing
0.0.0.0 family-filter-dns.cleanbrowsing.org
0.0.0.0 adult-filter-dns.cleanbrowsing.org
0.0.0.0 security-filter-dns.cleanbrowsing.org
0.0.0.0 doh.cleanbrowsing.org

# Cloudflare
0.0.0.0 one.one.one.one
0.0.0.0 mozilla.cloudflare-dns.com
0.0.0.0 1dot1dot1dot1.cloudflare-dns.com
0.0.0.0 cloudflare-dns.com
0.0.0.0 dns64.cloudflare-dns.com
0.0.0.0 security.cloudflare-dns.com
0.0.0.0 family.cloudflare-dns.com

# Comcast
0.0.0.0 doh.xfinity.com

# Comodo
0.0.0.0 ns1.recursive.dnsbycomodo.com
0.0.0.0 ns2.recursive.dnsbycomodo.com

# Commons-host
0.0.0.0 commons.host

# ContainerPI
0.0.0.0 dns.containerpi.com

# Cox
0.0.0.0 dohdot.coxlab.net

# Crypto.sx
0.0.0.0 doh.crypto.sx
0.0.0.0 doh-ipv6.crypto.sx

# Digitale Gesellschaft
0.0.0.0 dns.digitale-gesellschaft.ch

# Doh.li
0.0.0.0 doh.li

# DNScrypt (DoH)
0.0.0.0 dns1.dnscrypt.ca
0.0.0.0 dns2.dnscrypt.ca

# DNSforge
0.0.0.0 dnsforge.de

# DNS home
0.0.0.0 dns.dnshome.de

# DNS lify
0.0.0.0 doh.dnslify.com
0.0.0.0 a.ns.dnslify.com
0.0.0.0 b.ns.dnslify.com
0.0.0.0 a.safe.ns.dnslify.com
0.0.0.0 b.safe.ns.dnslify.com
0.0.0.0 a.family.ns.dnslify.com
0.0.0.0 b.family.ns.dnslify.com

# DNS Seby
0.0.0.0 doh.seby.io
0.0.0.0 doh-2.seby.io

# DNS.SB
0.0.0.0 doh.dns.sb

# Dyn
0.0.0.0 resolver1.dyndnsinternetguide.com
0.0.0.0 resolver2.dyndnsinternetguide.com

# FFmuc
0.0.0.0 doh.ffmuc.net

# Foundation for Applied Privacy
0.0.0.0 doh.applied-privacy.net

# GeekDNS
0.0.0.0 dns.233py.com
0.0.0.0 i.233py.com
0.0.0.0 wdns.233py.com
0.0.0.0 ndns.233py.com
0.0.0.0 sdns.233py.com

# Google
0.0.0.0 dns.google
0.0.0.0 google-public-dns-a.google.com
0.0.0.0 google-public-dns-b.google.com
0.0.0.0 dns64.dns.google

# Hostux
0.0.0.0 dns.hostux.net

# Ibuki
0.0.0.0 ibuki.cgnat.net

# Ibksturm
0.0.0.0 ibksturm.synology.me

# Jcdns
0.0.0.0 jcdns.fun

# Lelux
0.0.0.0 resolver-eu.lelux.fi

# LibreDNS
0.0.0.0 doh.libredns.gr

# Mrkaran
0.0.0.0 dns.mrkaran.dev

# NekomimiRouter
0.0.0.0 dns.dns-over-https.com

# NextDNS
0.0.0.0 dns.nextdns.io

# NixNet
0.0.0.0 uncensored.any.dns.nixnet.xyz
0.0.0.0 adblock.any.dns.nixnet.xyz
0.0.0.0 uncensored.lv1.dns.nixnet.xyz
0.0.0.0 adblock.lv1.dns.nixnet.xyz
0.0.0.0 uncensored.ny1.dns.nixnet.xyz
0.0.0.0 adblock.ny1.dns.nixnet.xyz
0.0.0.0 uncensored.lux1.dns.nixnet.xyz
0.0.0.0 adblock.lux1.dns.nixnet.xyz

# OpenDNS
0.0.0.0 resolver1.opendns.com
0.0.0.0 resolver2.opendns.com
0.0.0.0 resolver1-fs.opendns.com
0.0.0.0 resolver2-fs.opendns.com
0.0.0.0 resolver1.ipv6-sandbox.opendns.com
0.0.0.0 resolver2.ipv6-sandbox.opendns.com

# OSZX (PumpleX)
0.0.0.0 dns.oszx.co
0.0.0.0 dns.pumplex.com

# Pi-DNS
0.0.0.0 doh.centraleu.pi-dns.com
0.0.0.0 doh.northeu.pi-dns.com
0.0.0.0 doh.westus.pi-dns.com
0.0.0.0 doh.eastus.pi-dns.com

# PowerDNS
0.0.0.0 doh.powerdns.org

# Quad9
0.0.0.0 dns.quad9.net
0.0.0.0 dns9.quad9.net
0.0.0.0 dns10.quad9.net
0.0.0.0 dns11.quad9.net
0.0.0.0 rpz-public-resolver1.rrdns.pch.net
0.0.0.0 dns-nosec.quad9.net

# Quad101
0.0.0.0 dns.twnic.tw

# Rubyfish
0.0.0.0 v6.rubyfish.cn
0.0.0.0 dns.rubyfish.cn
0.0.0.0 ea-dns.rubyfish.cn
0.0.0.0 uw-dns.rubyfish.cn

# Secure DNS
0.0.0.0 doh.securedns.eu
0.0.0.0 ads-doh.securedns.eu

# Snopyta
0.0.0.0 fi.doh.dns.snopyta.org

# Switch
0.0.0.0 dns.switch.ch

# Tiarap
0.0.0.0 doh.tiar.app
0.0.0.0 doh.tiarap.org
0.0.0.0 jp.tiar.app
0.0.0.0 jp.tiarap.org

# t53
0.0.0.0 dns.t53.de

# Xfinity (Comcast)
0.0.0.0 doh.xfinity.com

# Others
0.0.0.0 dns.dnsoverhttps.net
0.0.0.0 doh.dnswarden.com
0.0.0.0 doh.appliedprivacy.net
0.0.0.0 public.dns.iij.jp
0.0.0.0 jp.gridns.xyz
0.0.0.0 dns.flatuslifir.is
0.0.0.0 odvr.nic.cz
0.0.0.0 rumpelsepp.org
0.0.0.0 ordns.he.net
0.0.0.0 rdns.faelix.net
0.0.0.0 adfree.usableprivacy.net

Here is also a breakdown of a lot of DNS server IPs to block

# Optionally include Cloudflare's main addresses (Google and Quad9 included below)
# 1.1.1.1
# 1.0.0.1
#
# security.cloudflare-dns.com - see IPs further down this list
# 1.1.1.2
# 1.0.0.2
#
# family.cloudflare-dns.com
# 1.1.1.3
# 1.0.0.3

# dns.cloudflare.com
# (optional because cdnjs.cloudflare.com uses the same IPs)
# 104.16.132.229
# 104.16.133.229

# NOTES
# Quad9 is also using Port 5053 for DoH: (last checked 11 Jan 2020)
# https://www.quad9.net/doh-quad9-dns-servers/#UsingDoHwithQuad9DNSServers-AdditionalInformation
#
# dnscrypt.ca is using Port 453 for DoH (instead of 443)

168.235.81.167
176.56.236.175
176.103.130.131
176.103.130.130
176.103.130.132
176.103.130.134
37.252.185.229
206.189.215.75
104.24.120.142
104.24.121.142
108.61.201.119
139.59.48.222
104.16.249.249
104.16.248.249
199.58.81.218
23.92.29.236
104.28.0.106
104.28.1.106
8.8.4.4
8.8.8.8
185.95.218.42
185.95.218.43
185.222.222.222
185.184.222.222
46.101.66.244
172.64.108.27
172.64.109.27
45.77.124.64
45.32.253.116
104.236.178.232
89.234.186.112
45.90.28.0
45.90.30.0
193.17.47.1
185.43.135.1
136.144.215.158
118.126.68.223
118.89.110.78
47.96.179.163
145.100.185.15
145.100.185.16
174.138.29.175
45.77.180.10
185.216.27.142
217.169.20.23
217.169.20.22
172.65.3.223
188.60.252.16

# *.quad9.net
149.112.112.112
9.9.9.9
149.112.112.9
9.9.9.10
149.112.112.10
9.9.9.11
149.112.112.11
9.9.9.12
149.112.112.12
9.9.9.13
149.112.112.13

# *.passcloud.xyz
43.132.150.250
103.254.108.74

# dns.oszx.co
51.38.83.141

# dns.pumplex.com
51.38.82.198

# arvind.io
206.189.142.179

# dns.brahma.world
94.237.80.211

# *.cleanbrowsing.org
185.228.168.9
185.228.169.9
185.228.168.10
185.228.169.11
185.228.168.168
185.228.169.168

# commons.host
139.162.131.245

# dns2.developer.li
51.89.22.36

# dns.developer.li
164.132.45.112

# doh.dns.sb
172.64.105.36
172.64.104.36

# doh.ffmuc.net
195.30.94.28

# geekdns / 233py.com
125.77.154.35
104.27.164.27
104.27.165.27

### 233py's that need to checked
47.101.136.37
114.115.240.175
119.29.107.85
118.24.208.197

# public.dns.iij.jp
103.2.57.5
103.2.57.6

# *.tiar.app
174.138.21.128
172.104.93.80

# doh.libredns.org
146.148.56.78

# doh.netweaver.uk
185.157.233.92

# dns.twnic.tw
210.17.9.228

# doh.xfinity.com / doh.gslb2.xfinity.com (Comcast)
96.113.151.141
96.113.151.142
96.113.151.143
96.113.151.147
96.113.151.148
96.113.151.149
96.113.151.150

# dnscrypt.ca (Port 453!)
167.114.220.125
149.56.228.45

# *.ahadns.com
5.2.75.75
45.79.120.233
45.67.219.208
185.213.26.187
45.132.75.16
45.91.95.12
45.132.74.167
185.175.56.133
193.29.62.196
103.73.64.132

# dns.t53.de (Telekom DE DoH-Testserver)
80.156.145.201

# snopyta.org
95.216.229.153

# alekberg.net
51.15.124.208
104.168.247.138
45.153.187.96

# *.dnslify.com
185.235.81.1
185.235.81.2
185.235.81.3
185.235.81.4
185.235.81.5
185.235.81.6

# opendns.com (Cisco) (Production - Familyshield - Sandbox)
146.112.41.2
146.112.41.3
146.112.41.4
208.67.222.222
208.67.220.220
208.67.222.123
208.67.220.123
208.67.220.2
208.67.222.2

# dnswarden.com
88.198.161.8
116.203.35.255
116.203.70.156

# dohdot.coxlab.net
174.68.248.77

# dns.hostux.net
185.26.126.37

#jcdns.fun
178.62.214.105

# doh.blockerdns.com
35.231.247.227

# doh.libredns.gr
116.203.115.192

# doh.defaultroutes.de
5.45.107.88

# dns.flatuslifir.is
46.239.223.80

# resolver-eu.lelux.fi
51.158.147.50

# *.applied-privacy.net
93.177.65.183
146.255.56.98

# dnsforge.de
176.9.93.198
176.9.1.117

# dohtrial.att.net
13.89.120.251
40.76.112.230

# rumpelsepp.org
116.203.179.248

# dns.nixnet.xyz
198.251.90.114
198.251.90.89
209.141.34.95
199.195.251.84
104.244.78.231

# security.cloudflare-dns.com
104.18.2.55
104.18.3.55

# family.cloudflare-dns.com
104.18.26.128
104.18.27.128

# canadianshield.cira.ca
149.112.121.10
149.112.122.10
149.112.121.20
149.112.122.20
149.112.121.30
149.112.122.30

# ordns.he.net
74.82.42.42

# dns.alidns.com
223.5.5.5
223.6.6.6

# dns.switch.ch
130.59.31.251
130.59.31.248

# *.blahdns.com
45.90.57.121
95.216.212.177
78.46.244.143
139.162.112.47
192.53.175.149

# dnsbycomodo.com
8.26.56.26
8.20.247.20

# dns.mrkaran.dev
139.59.55.13

# dns.dns-over-https.com
104.24.122.53
104.24.123.53

# jarjar.meganerd.nl
209.250.241.25

# adfree.usableprivacy.net
149.154.153.153

# dns.dnshome.de
185.233.106.232
185.233.107.4

# doh.abmb.win / doh2.abmb.win
3.0.59.48
54.169.103.244
172.67.153.154
104.28.13.215
104.28.12.215

# dns.decloudus.com
176.9.199.158

# rdns.faelix.net
46.227.200.54
46.227.200.55
185.134.196.54
185.134.197.54

# pdns.faelix.net
46.227.200.52
46.227.203.52
185.134.196.52

# *.dismail.de
80.241.218.68
159.69.114.157

# *.censurfridns.dk
91.239.100.100
130.225.244.166
130.226.161.34
185.38.24.52
198.180.150.12
89.233.43.71

# *.seby.io
45.76.113.31
139.99.222.72

# nextdns - 28
45.90.28.1
45.90.28.2
45.90.28.3
45.90.28.4
45.90.28.5
45.90.28.6
45.90.28.7
45.90.28.8
45.90.28.9
45.90.28.10
45.90.28.11
45.90.28.12
45.90.28.13
45.90.28.14
45.90.28.15
45.90.28.16
45.90.28.17
45.90.28.18
45.90.28.19
45.90.28.20
45.90.28.21
45.90.28.22
45.90.28.23
45.90.28.24
45.90.28.25
45.90.28.26
45.90.28.27
45.90.28.28
45.90.28.29
45.90.28.30
45.90.28.31
45.90.28.32
45.90.28.33
45.90.28.34
45.90.28.35
45.90.28.36
45.90.28.37
45.90.28.38
45.90.28.39
45.90.28.40
45.90.28.41
45.90.28.42
45.90.28.43
45.90.28.44
45.90.28.45
45.90.28.46
45.90.28.47
45.90.28.48
45.90.28.49
45.90.28.50
45.90.28.51
45.90.28.52
45.90.28.53
45.90.28.54
45.90.28.55
45.90.28.56
45.90.28.57
45.90.28.58
45.90.28.59
45.90.28.60
45.90.28.61
45.90.28.62
45.90.28.63
45.90.28.64
45.90.28.65
45.90.28.66
45.90.28.67
45.90.28.68
45.90.28.69
45.90.28.70
45.90.28.71
45.90.28.72
45.90.28.73
45.90.28.74
45.90.28.75
45.90.28.76
45.90.28.77
45.90.28.78
45.90.28.79
45.90.28.80
45.90.28.81
45.90.28.82
45.90.28.83
45.90.28.84
45.90.28.85
45.90.28.86
45.90.28.87
45.90.28.88
45.90.28.89
45.90.28.90
45.90.28.91
45.90.28.92
45.90.28.93
45.90.28.94
45.90.28.95
45.90.28.96
45.90.28.97
45.90.28.98
45.90.28.99
45.90.28.100
45.90.28.101
45.90.28.102
45.90.28.103
45.90.28.104
45.90.28.105
45.90.28.106
45.90.28.107
45.90.28.108
45.90.28.109
45.90.28.110
45.90.28.111
45.90.28.112
45.90.28.113
45.90.28.114
45.90.28.115
45.90.28.116
45.90.28.117
45.90.28.118
45.90.28.119
45.90.28.120
45.90.28.121
45.90.28.122
45.90.28.123
45.90.28.124
45.90.28.125
45.90.28.126
45.90.28.127
45.90.28.128
45.90.28.129
45.90.28.130
45.90.28.131
45.90.28.132
45.90.28.133
45.90.28.134
45.90.28.135
45.90.28.136
45.90.28.137
45.90.28.138
45.90.28.139
45.90.28.140
45.90.28.141
45.90.28.142
45.90.28.143
45.90.28.144
45.90.28.145
45.90.28.146
45.90.28.147
45.90.28.148
45.90.28.149
45.90.28.150
45.90.28.151
45.90.28.152
45.90.28.153
45.90.28.154
45.90.28.155
45.90.28.156
45.90.28.157
45.90.28.158
45.90.28.159
45.90.28.160
45.90.28.161
45.90.28.162
45.90.28.163
45.90.28.164
45.90.28.165
45.90.28.166
45.90.28.167
45.90.28.168
45.90.28.169
45.90.28.170
45.90.28.171
45.90.28.172
45.90.28.173
45.90.28.174
45.90.28.175
45.90.28.176
45.90.28.177
45.90.28.178
45.90.28.179
45.90.28.180
45.90.28.181
45.90.28.182
45.90.28.183
45.90.28.184
45.90.28.185
45.90.28.186
45.90.28.187
45.90.28.188
45.90.28.189
45.90.28.190
45.90.28.191
45.90.28.192
45.90.28.193
45.90.28.194
45.90.28.195
45.90.28.196
45.90.28.197
45.90.28.198
45.90.28.199
45.90.28.200
45.90.28.201
45.90.28.202
45.90.28.203
45.90.28.204
45.90.28.205
45.90.28.206
45.90.28.207
45.90.28.208
45.90.28.209
45.90.28.210
45.90.28.211
45.90.28.212
45.90.28.213
45.90.28.214
45.90.28.215
45.90.28.216
45.90.28.217
45.90.28.218
45.90.28.219
45.90.28.220
45.90.28.221
45.90.28.222
45.90.28.223
45.90.28.224
45.90.28.225
45.90.28.226
45.90.28.227
45.90.28.228
45.90.28.229
45.90.28.230
45.90.28.231
45.90.28.232
45.90.28.233
45.90.28.234
45.90.28.235
45.90.28.236
45.90.28.237
45.90.28.238
45.90.28.239
45.90.28.240
45.90.28.241
45.90.28.242
45.90.28.243
45.90.28.244
45.90.28.245
45.90.28.246
45.90.28.247
45.90.28.248
45.90.28.249
45.90.28.250
45.90.28.251
45.90.28.252
45.90.28.253
45.90.28.254

# nextdns - 30
45.90.30.1
45.90.30.2
45.90.30.3
45.90.30.4
45.90.30.5
45.90.30.6
45.90.30.7
45.90.30.8
45.90.30.9
45.90.30.10
45.90.30.11
45.90.30.12
45.90.30.13
45.90.30.14
45.90.30.15
45.90.30.16
45.90.30.17
45.90.30.18
45.90.30.19
45.90.30.20
45.90.30.21
45.90.30.22
45.90.30.23
45.90.30.24
45.90.30.25
45.90.30.26
45.90.30.27
45.90.30.28
45.90.30.29
45.90.30.30
45.90.30.31
45.90.30.32
45.90.30.33
45.90.30.34
45.90.30.35
45.90.30.36
45.90.30.37
45.90.30.38
45.90.30.39
45.90.30.40
45.90.30.41
45.90.30.42
45.90.30.43
45.90.30.44
45.90.30.45
45.90.30.46
45.90.30.47
45.90.30.48
45.90.30.49
45.90.30.50
45.90.30.51
45.90.30.52
45.90.30.53
45.90.30.54
45.90.30.55
45.90.30.56
45.90.30.57
45.90.30.58
45.90.30.59
45.90.30.60
45.90.30.61
45.90.30.62
45.90.30.63
45.90.30.64
45.90.30.65
45.90.30.66
45.90.30.67
45.90.30.68
45.90.30.69
45.90.30.70
45.90.30.71
45.90.30.72
45.90.30.73
45.90.30.74
45.90.30.75
45.90.30.76
45.90.30.77
45.90.30.78
45.90.30.79
45.90.30.80
45.90.30.81
45.90.30.82
45.90.30.83
45.90.30.84
45.90.30.85
45.90.30.86
45.90.30.87
45.90.30.88
45.90.30.89
45.90.30.90
45.90.30.91
45.90.30.92
45.90.30.93
45.90.30.94
45.90.30.95
45.90.30.96
45.90.30.97
45.90.30.98
45.90.30.99
45.90.30.100
45.90.30.101
45.90.30.102
45.90.30.103
45.90.30.104
45.90.30.105
45.90.30.106
45.90.30.107
45.90.30.108
45.90.30.109
45.90.30.110
45.90.30.111
45.90.30.112
45.90.30.113
45.90.30.114
45.90.30.115
45.90.30.116
45.90.30.117
45.90.30.118
45.90.30.119
45.90.30.120
45.90.30.121
45.90.30.122
45.90.30.123
45.90.30.124
45.90.30.125
45.90.30.126
45.90.30.127
45.90.30.128
45.90.30.129
45.90.30.130
45.90.30.131
45.90.30.132
45.90.30.133
45.90.30.134
45.90.30.135
45.90.30.136
45.90.30.137
45.90.30.138
45.90.30.139
45.90.30.140
45.90.30.141
45.90.30.142
45.90.30.143
45.90.30.144
45.90.30.145
45.90.30.146
45.90.30.147
45.90.30.148
45.90.30.149
45.90.30.150
45.90.30.151
45.90.30.152
45.90.30.153
45.90.30.154
45.90.30.155
45.90.30.156
45.90.30.157
45.90.30.158
45.90.30.159
45.90.30.160
45.90.30.161
45.90.30.162
45.90.30.163
45.90.30.164
45.90.30.165
45.90.30.166
45.90.30.167
45.90.30.168
45.90.30.169
45.90.30.170
45.90.30.171
45.90.30.172
45.90.30.173
45.90.30.174
45.90.30.175
45.90.30.176
45.90.30.177
45.90.30.178
45.90.30.179
45.90.30.180
45.90.30.181
45.90.30.182
45.90.30.183
45.90.30.184
45.90.30.185
45.90.30.186
45.90.30.187
45.90.30.188
45.90.30.189
45.90.30.190
45.90.30.191
45.90.30.192
45.90.30.193
45.90.30.194
45.90.30.195
45.90.30.196
45.90.30.197
45.90.30.198
45.90.30.199
45.90.30.200
45.90.30.201
45.90.30.202
45.90.30.203
45.90.30.204
45.90.30.205
45.90.30.206
45.90.30.207
45.90.30.208
45.90.30.209
45.90.30.210
45.90.30.211
45.90.30.212
45.90.30.213
45.90.30.214
45.90.30.215
45.90.30.216
45.90.30.217
45.90.30.218
45.90.30.219
45.90.30.220
45.90.30.221
45.90.30.222
45.90.30.223
45.90.30.224
45.90.30.225
45.90.30.226
45.90.30.227
45.90.30.228
45.90.30.229
45.90.30.230
45.90.30.231
45.90.30.232
45.90.30.233
45.90.30.234
45.90.30.235
45.90.30.236
45.90.30.237
45.90.30.238
45.90.30.239
45.90.30.240
45.90.30.241
45.90.30.242
45.90.30.243
45.90.30.244
45.90.30.245
45.90.30.246
45.90.30.247
45.90.30.248
45.90.30.249
45.90.30.250
45.90.30.251
45.90.30.252
45.90.30.253
45.90.30.254

These should basically help you, but DON'T block your own…

With some scripting you can turn the top one into a series of URLs to blacklist in Pi-hole and the bottom one into some firewall rules for your firewall. Good luck. Sorry for my shortness last night; I was drunk.

Also blocking 5053, 8053, 8084, 8088 and 8043 would all be ways to stop DoH resolvers.
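The "some scripting" step above, as an added example that is not part of the original post: it turns the hosts-style list into a flat Pi-hole blacklist and the bare IP list into an nftables fragment. The two *_SAMPLE constants are constructed excerpts of the lists above so it runs offline; OWN_RESOLVERS is a hypothetical exclusion set standing in for "DON'T block your own", and the table name doh_block and the chain hook are choices made here, not anything from the thread.

```python
"""Convert the two lists above into Pi-hole and nftables input.

Added example, not the post's own script. Feed the saved hosts-style list
("0.0.0.0 host") to hosts_to_domains() and the bare IP list to parse_ips();
the *_SAMPLE constants are constructed excerpts so the script runs offline.
"""
from ipaddress import ip_address

# Constructed excerpt of the hosts-style DoH resolver list above.
HOSTS_SAMPLE = """\
# Cloudflare
0.0.0.0 one.one.one.one
0.0.0.0 cloudflare-dns.com
# Google
0.0.0.0 dns.google
0.0.0.0 dns.google
"""

# Constructed excerpt of the IP list above, with comments, junk and a LAN resolver mixed in.
IPS_SAMPLE = """\
# Optionally include Cloudflare's main addresses
# 1.1.1.1
8.8.8.8
8.8.4.4
9.9.9.9
not-an-ip
10.31.85.1
45.90.28.1
45.90.28.2
"""

# Ports named in the thread for DoT and non-standard DoH listeners.
EXTRA_PORTS = (853, 5053, 8053, 8084, 8088, 8043)
# Hypothetical: your own resolver(s); these must never land in the drop set.
OWN_RESOLVERS = frozenset({"10.31.85.1"})


def hosts_to_domains(text):
    """Pull unique hostnames out of '0.0.0.0 host' lines, in first-seen order."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            seen[parts[1].lower().rstrip(".")] = None
    return list(seen)


def parse_ips(text, exclude=OWN_RESOLVERS):
    """Keep only lines that parse as an IP address, de-duplicated, minus `exclude`."""
    excluded = {ip_address(x) for x in exclude}
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addr = ip_address(line)
        except ValueError:
            continue  # hostname, range notation or typo: not usable in an IP set
        if addr not in excluded and addr not in out:
            out.append(addr)
    return out


def nft_ruleset(addrs, chain="forward"):
    """Render an nftables fragment: drop 443 to the known resolvers (their DoH
    port) and drop the DoT/alternate DoH ports to anywhere."""
    v4 = sorted(str(a) for a in addrs if a.version == 4)
    v6 = sorted(str(a) for a in addrs if a.version == 6)
    lines = ["table inet doh_block {"]
    if v4:
        lines.append("  set doh4 { type ipv4_addr; elements = { %s } }" % ", ".join(v4))
    if v6:
        lines.append("  set doh6 { type ipv6_addr; elements = { %s } }" % ", ".join(v6))
    lines += ["  chain %s {" % chain,
              "    type filter hook %s priority 0; policy accept;" % chain]
    if v4:
        lines.append("    ip daddr @doh4 meta l4proto { tcp, udp } th dport 443 counter drop")
    if v6:
        lines.append("    ip6 daddr @doh6 meta l4proto { tcp, udp } th dport 443 counter drop")
    lines.append("    meta l4proto { tcp, udp } th dport { %s } counter drop"
                 % ", ".join(str(p) for p in EXTRA_PORTS))
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("\n".join(hosts_to_domains(HOSTS_SAMPLE)))   # Pi-hole blacklist, one domain per line
    print(nft_ruleset(parse_ips(IPS_SAMPLE)))           # load with: nft -f doh_block.nft
```

Load the fragment on the router (`nft -f`) and the domain list through Pi-hole's blacklist import. Two caveats: dropping 443 to an anycast IP also drops whatever else is hosted there (the list's own note about cdnjs sharing Cloudflare IPs is the example), and an IP list goes stale, so regenerate it rather than editing the ruleset by hand.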

Building on the prior information

You have a phonebook; you just need to know how to use it. I'll expand on this more in a sec.

dig -6 -x +nocmd <URL> any +noall +answer the IPs I gave you (recursively), if you have IPv6, to get all the URLs for each of those potential IPs so you may also block them in Pi-hole.

Pretty sure that's rDNS lookup syntax.

I actually automate dig a bit

$ cat ~/.digrc
@<MY-DNS-DOMAIN> +all +authority +question +qr +recurse +multiline +answer +nocmd +dnssec +adflag +showsearch +nsid

Understanding what you are doing here

@bedHedd @SgtAwesomesauce this is what your reverse lookup should look like post-automation, with your preferred server set in the RC:


$ dig -x 1.0.0.1
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10800
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: c6ef49c3f0d9b308
;; QUESTION SECTION:
;1.0.0.1.in-addr.arpa.	IN PTR

;; QUERY SIZE: 65

;; Truncated, retrying in TCP mode.
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21219
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: c6ef49c3f0d9b308
;; QUESTION SECTION:
;1.0.0.1.in-addr.arpa.	IN PTR

;; QUERY SIZE: 65

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21219
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;1.0.0.1.in-addr.arpa.	IN PTR

;; ANSWER SECTION:
1.0.0.1.in-addr.arpa.	1800 IN	PTR one.one.one.one.

;; Query time: 58 msec
;; SERVER: 2600:3c01::f03c:93ff:feb9:151b#53(2600:3c01::f03c:93ff:feb9:151b)
;; WHEN: Sat Sep 10 12:54:42 MDT 2022
;; MSG SIZE  rcvd: 78


It will give you a PTR record which will reveal any URL they haven't published that they may be using with a DoH resolver :wink: including a potential ODoH record :wink:

If they don't want you to get in, they should build it better, right? :troll:

You'll notice my server forces recursion over TCP. This prevents some of the amplification attacks people like to throw at me. Combined with fail2ban I've pretty much BTFO'd the DNS bots. A thing to note is this does place my server in violation of the DNS RFC:

https://www.rfc-editor.org/rfc/rfc1123#section-6.1.3.2 
https://www.rfc-editor.org/rfc/rfc1123#page-75

Either the page 75 link or the section link will jump you to the spot.

The problem with RFCs is there is always a gap with reality. In a lot of ways this RFC is eating glue in the corner. Something to note when you set up a public resolver.

Let's break down what you're looking at in the answer though:

;; ANSWER SECTION:
1.0.0.1.in-addr.arpa.	1800 IN	PTR one.one.one.one.

You will always see (IP octets in reverse order).in-addr.arpa:

$ dig -x 8.8.4.4
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22402
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: b3f9d7a95cab1d08
;; QUESTION SECTION:
;4.4.8.8.in-addr.arpa.	IN PTR

;; QUERY SIZE: 65

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22402
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;4.4.8.8.in-addr.arpa.	IN PTR

;; ANSWER SECTION:
4.4.8.8.in-addr.arpa.	86400 IN PTR dns.google.

;; Query time: 81 msec
;; SERVER: 2600:3c01::f03c:93ff:feb9:151b#53(2600:3c01::f03c:93ff:feb9:151b)
;; WHEN: Sat Sep 10 13:02:45 MDT 2022
;; MSG SIZE  rcvd: 73

This will happen with v6 as well; let me show you:

$ dig -x 2001:4860:4860::8844

;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51403
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: 540f62e50c56cf51
;; QUESTION SECTION:
;4.4.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. IN PTR

;; QUERY SIZE: 117

;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51403
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: 540f62e50c56cf51
;; QUESTION SECTION:
;4.4.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. IN PTR

;; QUERY SIZE: 117

;; Truncated, retrying in TCP mode.
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43522
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: 540f62e50c56cf51
;; QUESTION SECTION:
;4.4.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. IN PTR

;; QUERY SIZE: 117

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43522
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;4.4.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
4.4.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. 86399	IN PTR dns.google.

;; Query time: 52 msec
;; SERVER: 2600:3c01::f03c:93ff:feb9:151b#53(2600:3c01::f03c:93ff:feb9:151b)
;; WHEN: Sat Sep 10 13:03:24 MDT 2022
;; MSG SIZE  rcvd: 125


Inverse queries take the form of a single resource record (RR) in the answer section of the message, with an empty question section. The owner name of the query RR and its time to live (TTL) are not significant. The response carries questions in the question section which identify all names possessing the query RR which the name server knows. Since no name server knows about all of the domain namespace, the response can never be assumed to be complete. Thus inverse queries are primarily useful for database management and debugging activities. Inverse queries are not an acceptable method of mapping host addresses to host names; use the in-addr.arpa domain instead. So if you see an inverse RR error or a NULL PTR, you know there isn't a proper record for reverse lookup, and you can safely say nobody is going to have a URL pointed to that IP.

Now, with the foundations seen and learnt, you should be able to automate dig in the RC and write a script that checks all of the IPs you want to protect against for URLs and parses them from the ANSWER section into a Pi-hole format blacklist txt file.

Happy hunting

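The reverse-lookup automation the post above leaves as an exercise, written out as an added example that is not the poster's script: build the in-addr.arpa / ip6.arpa owner name for each IP, run `dig +tcp -x` against your resolver, and collect the PTR targets from the ANSWER records into a Pi-hole blacklist. The DIG_* constants are constructed from the dig transcripts above so everything but the live lookup runs offline; the resolver is whatever your ~/.digrc or the `server` argument points at.

```python
"""Automate the reverse lookups described above: IP -> PTR name(s) -> Pi-hole blacklist.

Added example, not the post's own script. reverse_name() builds the
in-addr.arpa / ip6.arpa owner name, dig_reverse() shells out to dig (forced
over TCP, like the server in the post) and parse_ptr_answers() reads the
ANSWER records. The DIG_* constants are constructed from the transcripts
above so the parsing can be exercised without network access.
"""
import ipaddress
import re
import shutil
import subprocess
from typing import Callable, Dict, Iterable, List, Optional

# Constructed from the transcripts above: a v4 answer, a v6 answer, and no answer.
DIG_V4 = """\
;; ANSWER SECTION:
1.0.0.1.in-addr.arpa.\t1800 IN\tPTR one.one.one.one.

;; Query time: 58 msec
"""
DIG_V6 = """\
;; ANSWER SECTION:
4.4.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. 86399\tIN PTR dns.google.
"""
DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.\tIN PTR
"""

# owner TTL IN PTR target. Question lines start with ';' and carry no TTL, so they never match.
PTR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+PTR\s+(\S+)\s*$")


def reverse_name(ip: str) -> str:
    """'1.0.0.1' -> '1.0.0.1.in-addr.arpa'; v6 gets the nibble-reversed ip6.arpa form."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_ptr_answers(dig_output: str) -> List[str]:
    """PTR targets from dig output, lowercased, trailing dot removed.
    Works on full output (section headers and all) and on +noall +answer output."""
    targets = []
    for line in dig_output.splitlines():
        m = PTR_RE.match(line)
        if m:
            targets.append(m.group(3).lower().rstrip("."))
    return targets


def dig_reverse(ip: str, server: Optional[str] = None, timeout: int = 5) -> str:
    """Run `dig +tcp +noall +answer -x IP [@server]`; '' if dig is missing or times out."""
    dig = shutil.which("dig")
    if dig is None:
        return ""
    cmd = [dig, "+tcp", "+noall", "+answer", "-x", ip]
    if server:
        cmd.append("@" + server)
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout, check=False).stdout
    except subprocess.TimeoutExpired:
        return ""


def ptr_map(ips: Iterable[str],
            lookup: Callable[[str], Optional[str]] = dig_reverse) -> Dict[str, List[str]]:
    """Map each IP to the hostnames its PTR reveals. `lookup` is injectable so the
    parsing can run on canned output instead of hitting the network."""
    return {ip: parse_ptr_answers(lookup(ip) or "") for ip in ips}


def pihole_blacklist(mapping: Dict[str, List[str]]) -> List[str]:
    """One unique domain per line, the format Pi-hole's blacklist import takes."""
    return sorted({name for names in mapping.values() for name in names})


if __name__ == "__main__":
    canned = {"1.0.0.1": DIG_V4, "2001:4860:4860::8844": DIG_V6, "127.0.0.1": DIG_NXDOMAIN}
    for ip in canned:
        print(reverse_name(ip))
    # Swap lookup=canned.get for the default to query your resolver for real.
    print("\n".join(pihole_blacklist(ptr_map(canned, lookup=canned.get))))
```

Feed it the IP list from the previous post (minus your own resolver) and append the output to the hosts-derived blacklist. Treat PTR data as a supplement, not the source of truth: an operator can publish no PTR, a generic one, or a single name for an IP that fronts many DoH hostnames, so the published lists still do most of the work.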

Updated Unbound Configuration – Recursive

## Unbound Configuration for Recursive Resolve
# Version: Red Hat 9
# Subversion: 005

# SERVER BLOCK

server:

# Initial Configuration and Ports
        logfile: "/var/log/unbound/unbound.log" # Define log location
        username: "unbound"
        directory: "/etc/unbound"
        log-time-ascii: yes
        pidfile: "/var/run/unbound/unbound.pid"
        #verbosity: 3
        interface: 0.0.0.0
        interface: ::0 # Define if you want to answer IPv6 requests
        # Recursion is for the LAN only. Use the exact RFC 1918 prefixes: a /8 on 172 or
        # 192 also covers public address space and turns a wildcard-bound resolver into
        # an open one. Everything not listed falls to Unbound's default of refuse.
        access-control: 172.16.0.0/12 allow
        access-control: 10.0.0.0/8 allow
        access-control: 192.168.0.0/16 allow
        access-control: 2001:DB8::/64 allow # 2001:db8::/32 is the documentation prefix; put your own IPv6 range here
        port: 19235
        statistics-interval: 0
        statistics-cumulative: no
        extended-statistics: yes
        interface-automatic: no
        outgoing-port-permit: 32768-60999
        outgoing-port-avoid: 0-32767
        outgoing-port-avoid: 61000-65535
        include: /etc/unbound/local.d/*.conf
        tls-ciphers: "PROFILE=SYSTEM"
        ip-transparent: yes
        edns-tcp-keepalive: yes
        chroot: ""

# IP4/6 TCP/UDP Configuration
        do-ip4: yes
        do-udp: yes
        do-tcp: yes
        do-ip6: yes # Enable but do not prefer if v6 is only a capability on the network (i.e. 6in4)
        prefer-ip6: yes # Only enable on a native IPv6 stack
        so-reuseport: yes
        max-udp-size: 3072
        udp-upstream-without-downstream: yes

# Root Hints
        root-hints: "/etc/unbound/root.hints" # Top level root servers file

# Hardened Resolution
        harden-short-bufsize: yes
        harden-large-queries: yes
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        harden-referral-path: yes
        target-fetch-policy: "0 0 0 0 0" # Emulate BIND 9
        harden-algo-downgrade: no
        trusted-keys-file: /etc/unbound/keys.d/*.key
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        use-caps-for-id: no # 0x20 query-name case randomisation against spoofing; optional alongside DNSSEC
        edns-buffer-size: 1232 # DNS Flag Day 2020 value: fits the 1280-byte IPv6 minimum MTU without fragmentation
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        aggressive-nsec: yes
        unwanted-reply-threshold: 10000000
        deny-any: no
        rrset-roundrobin: yes
        minimal-responses: yes
        module-config: "validator iterator"
        root-key-sentinel: yes
        val-clean-additional: yes
        val-permissive-mode: no
        val-log-level: 2
        trust-anchor-signaling: yes
        prefetch-key: yes

# Optimizations
        prefetch: yes
        cache-min-ttl: 0
        serve-expired: yes
        serve-expired-ttl: 14400
        msg-cache-slabs: 8
        rrset-cache-slabs: 8
        infra-cache-slabs: 8
        key-cache-slabs: 8
        outgoing-range: 4096
        msg-cache-size: 256m
        rrset-cache-size: 512m
        num-threads: 4
        so-rcvbuf: 8m
        so-sndbuf: 8m

# Other parameters (answers carrying these addresses are stripped: rebinding protection)
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: 172.16.0.0/12
        private-address: 10.0.0.0/8
        private-address: fd00::/8
        private-address: fe80::/10

# Remote Control
remote-control:
        control-enable: yes
        control-use-cert: "no"
        # unbound server key file.
        server-key-file: "/etc/unbound/unbound_server.key"
        # unbound server certificate file.
        server-cert-file: "/etc/unbound/unbound_server.pem"
        # unbound-control key file.
        control-key-file: "/etc/unbound/unbound_control.key"
        # unbound-control certificate file.
        control-cert-file: "/etc/unbound/unbound_control.pem"
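A pre-flight check for a config like the one above, as an added example that is neither the poster's nor part of Unbound: it reads the flat `key: value` lines of the server: block, flags any access-control allow whose network reaches outside private, loopback or link-local space (the failure mode that makes a wildcard-bound resolver an open one), and verifies a handful of hardening keys. CONF_SAMPLE is a constructed excerpt whose ACL lines mirror the posted /8 entries; include: files are not followed, and unbound-checkconf remains the syntax check.

```python
"""Audit an unbound.conf server block for open-recursion and weak-validation settings.

Added example, not part of the post or of Unbound. Parses the simple
`key: value` lines of the server: block (include: files are not followed)
and reports findings. CONF_SAMPLE is a constructed excerpt.
"""
import ipaddress
import re
from typing import List, Tuple

CONF_SAMPLE = """\
server:
        interface: 0.0.0.0
        interface: ::0 # Define if you want to answer IPv6 requests
        access-control: 172.0.0.0/8 allow
        access-control: 10.0.0.0/8 allow
        access-control: 192.0.0.0/8 allow
        access-control: 2001:DB8::/64 allow
        harden-glue: yes
        harden-dnssec-stripped: yes
        val-permissive-mode: no
        hide-identity: yes
        hide-version: yes
        module-config: "validator iterator"
remote-control:
        control-enable: yes
"""

# Values that should hold on anything reachable from a network.
REQUIRED = {
    "harden-glue": "yes",
    "harden-dnssec-stripped": "yes",
    "val-permissive-mode": "no",
    "hide-identity": "yes",
    "hide-version": "yes",
}
ALLOW_ACTIONS = {"allow", "allow_snoop", "allow_setrd"}
SECTION_RE = re.compile(r"^[a-z-]+:$")
OPTION_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")


def parse_server_block(text: str) -> List[Tuple[str, str]]:
    """(key, value) pairs from the server: block only; comments and quotes stripped."""
    pairs, in_server = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if SECTION_RE.match(line):          # server: / remote-control: / ...
            in_server = line == "server:"
            continue
        m = OPTION_RE.match(line)
        if in_server and m:
            pairs.append((m.group(1), m.group(2).strip().strip('"')))
    return pairs


def audit(pairs: List[Tuple[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    wildcard = any(k == "interface" and v.split("@")[0] in ("0.0.0.0", "::0", "::")
                   for k, v in pairs)
    public_allows = []
    for k, v in pairs:
        if k != "access-control":
            continue
        parts = v.split()
        if len(parts) != 2:
            findings.append("access-control: cannot parse %r" % v)
            continue
        net_s, action = parts
        try:
            net = ipaddress.ip_network(net_s, strict=False)
        except ValueError:
            findings.append("access-control: bad network %r" % net_s)
            continue
        # A /8 on 172 or 192 is not RFC 1918: is_private is false for the whole block.
        if action in ALLOW_ACTIONS and not (net.is_private or net.is_loopback or net.is_link_local):
            public_allows.append(str(net))
    if public_allows:
        findings.append("recursion allowed from non-private ranges: " + ", ".join(public_allows)
                        + (" while listening on all interfaces" if wildcard else "")
                        + " (typo for an RFC1918 prefix?)")
    present = dict(pairs)
    for key, want in REQUIRED.items():
        if present.get(key) != want:
            findings.append("%s: expected %s, got %r" % (key, want, present.get(key)))
    if "validator" not in present.get("module-config", "validator iterator"):
        findings.append("module-config drops the validator: answers are not DNSSEC-validated")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_server_block(CONF_SAMPLE)) or ["no findings"]:
        print(finding)
```

Run it against /etc/unbound/unbound.conf before opening the port on the firewall; on the sample it reports the two /8 allows and nothing else, and goes quiet once they read 172.16.0.0/12 and 192.168.0.0/16.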

Additional Pi-Hole Configurations

SystemD Gravity Updater:

Timer File

$ cat /etc/systemd/system/gravity.timer
# Pihole Gravity Updater
# Timer File

[Unit]
Description=Executes update of pihole gravity database

[Timer]
Unit=gravity.service
OnCalendar=*-*-* 00:30:00
Persistent=true

[Install]
WantedBy=timers.target

Service File

$ cat /etc/systemd/system/gravity.service
# Pihole Gravity Updater
# Service File

[Unit]
Description=Executes update of pihole gravity database
After=docker.service
Requires=docker.service

[Service]
# oneshot: the job runs to completion and the timer starts it again on schedule
Type=oneshot
# Directive names are case-sensitive: User= and Group=, not user=/group=
User=(your username if added to docker group)
Group=docker
# No -it: there is no TTY under systemd and `docker exec -t` fails without one.
# ExecStart needs an absolute path.
ExecStart=/usr/bin/docker exec pihole pihole -g

# No [Install] section here: enable gravity.timer, not this unit.

This forces payload truncation on any large replies that are exploited for amplification attacks

~ cat /etc/dnsmasq.d/99-edns.conf 
edns-packet-max=1232

My pihole FTL configuration

root@pi:/# cat /etc/pihole/pihole-FTL.conf 
REPLY_ADDR4=0.0.0.0
REPLY_ADDR6=::
RATE_LIMIT=1000000/10
BLOCKINGMODE=NULL
CNAME_DEEP_INSPECT=true
BLOCK_ESNI=true
EDNS0_ECS=true
REPLY_WHEN_BUSY=DROP
MOZILLA_CANARY=true
BLOCK_ICLOUD_PR=true
MAXLOGAGE=24.0
PRIVACYLEVEL=0
AAAA_QUERY_ANALYSIS=yes
ANALYZE_ONLY_A_AND_AAAA=false
SHOW_DNSSEC=true
RESOLVE_IPV6=yes
RESOLVE_IPV4=yes
REFRESH_HOSTNAMES=ALL
PARSE_ARP_CACHE=true
MAXDBDAYS=7
DBINTERVAL=1.0
LOCAL_IPV4=0.0.0.0
root@pi:/# 

My setup vars

root@pi:/# cat /etc/pihole/setupVars.conf  
INSTALL_WEB_INTERFACE=true
WEBPASSWORD=LOL NO
PIHOLE_INTERFACE=eth0
QUERY_LOGGING=true
BLOCKING_ENABLED=true
DNSMASQ_LISTENING=all
DNS_FQDN_REQUIRED=false
DNS_BOGUS_PRIV=false
DNSSEC=true
REV_SERVER=false
PIHOLE_DNS_1=10.31.85.1#19235
root@pi:/# 

You can customize this file with its delimiters to give yourself custom DNS servers. I don't, because I only have local.

These get reset on every pihole update. The devs of pihole are assholes about this and refuse to change it. They are pretty stuck in their own echo chamber. So make a service that overwrites this file every time it's changed. You can use a systemD trigger for this. Here is the base configuration.

root@pi:/# cat /etc/pihole/dns-servers.conf 
Google (ECS, DNSSEC);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844
OpenDNS (ECS, DNSSEC);208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53
Level3;4.2.2.1;4.2.2.2;;
Comodo;8.26.56.26;8.20.247.20;;
DNS.WATCH (DNSSEC);84.200.69.80;84.200.70.40;2001:1608:10:25:0:0:1c04:b12f;2001:1608:10:25:0:0:9249:d69b
Quad9 (filtered, DNSSEC);9.9.9.9;149.112.112.112;2620:fe::fe;2620:fe::9
Quad9 (unfiltered, no DNSSEC);9.9.9.10;149.112.112.10;2620:fe::10;2620:fe::fe:10
Quad9 (filtered, ECS, DNSSEC);9.9.9.11;149.112.112.11;2620:fe::11;2620:fe::fe:11
Cloudflare (DNSSEC);1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001
root@pi:/# 

Teleporter file

Please rename the extension back to a gunzip tarball (I couldn't upload it otherwise), then upload it to pihole.

pihole-conf-unix_epoch-1662823550.tar.gz.txt (105.3 KB)

Gravity output dump

pihole -g
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [✓] Preparing new gravity database
  [i] Using libz compression

  [i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 138289 domains
  [i] List stayed unchanged

  [i] Target: https://block.energized.pro/basic/formats/domains.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 378748 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/badmojr/1Hosts/master/Lite/domains.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 101793 domains
  [i] List has been updated

  [i] Target: https://block.energized.pro/ultimate/formats/domains.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 524784 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/BreakingTheNews.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 1 domains
  [i] List stayed unchanged

  [i] Target: https://raw.githubusercontent.com/ligyxy/Blocklist/master/BLOCKLIST
  [✓] Status: Retrieval successful
  [i] Analyzed 70545 domains
  [i] List stayed unchanged

  [i] Target: https://dbl.oisd.nl
  [✓] Status: Retrieval successful
  [i] Analyzed 1008644 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/ookangzheng/dbl-oisd-nl/master/dbl.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 1008644 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/multi.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 845446 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/Fanboy-Annoyances-List.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 74 domains
  [i] List stayed unchanged

  [i] Target: https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/CombinedBlacklists/CombinedBlackLists.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 2077732 domains
  [i] List stayed unchanged

  [i] Target: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
  [✓] Status: No changes detected
  [i] Analyzed 426786 domains

  [i] Target: https://www.github.developerdan.com/hosts/lists/hate-and-junk-extended.txt
  [✓] Status: No changes detected
  [i] Analyzed 1806 domains

  [i] Target: https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 60837 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 57 domains
  [i] List stayed unchanged

  [i] Target: https://v.firebog.net/hosts/static/w3kbl.txt
  [✓] Status: No changes detected
  [i] Analyzed 356 domains

  [i] Target: https://adaway.org/hosts.txt
  [✓] Status: No changes detected
  [i] Analyzed 7189 domains

  [i] Target: https://v.firebog.net/hosts/AdguardDNS.txt
  [✓] Status: No changes detected
  [i] Analyzed 47637 domains

  [i] Target: https://v.firebog.net/hosts/Admiral.txt
  [✓] Status: No changes detected
  [i] Analyzed 637 domains

  [i] Target: https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 42553 domains
  [i] List stayed unchanged

  [i] Target: https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
  [✓] Status: No changes detected
  [i] Analyzed 2701 domains

  [i] Target: https://v.firebog.net/hosts/Easylist.txt
  [✓] Status: No changes detected
  [i] Analyzed 21325 domains

  [i] Target: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext
  [✓] Status: No changes detected
  [i] Analyzed 3673 domains

  [i] Target: https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 9 domains
  [i] List stayed unchanged

  [i] Target: https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 17411 domains
  [i] List stayed unchanged

  [i] Target: https://v.firebog.net/hosts/Easyprivacy.txt
  [✓] Status: No changes detected
  [i] Analyzed 12938 domains

  [i] Target: https://v.firebog.net/hosts/Prigent-Ads.txt
  [✓] Status: No changes detected
  [i] Analyzed 3749 domains

  [i] Target: https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 1286 domains
  [i] List stayed unchanged

  [i] Target: https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 347 domains
  [i] List stayed unchanged

  [i] Target: https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
  [✓] Status: No changes detected
  [i] Analyzed 13992 domains

  [i] Target: https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 8344 domains
  [i] List stayed unchanged

  [i] Target: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
  [✓] Status: No changes detected
  [i] Analyzed 63 domains

  [i] Target: https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
  [✓] Status: No changes detected
  [i] Analyzed 2735 domains

  [i] Target: https://v.firebog.net/hosts/Prigent-Crypto.txt
  [✓] Status: No changes detected
  [i] Analyzed 14339 domains

  [i] Target: https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 2189 domains
  [i] List stayed unchanged

  [i] Target: https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
  [✓] Status: No changes detected
  [i] Analyzed 2046 domains

  [i] Target: https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 8147 domains
  [i] List stayed unchanged

  [i] Target: https://raw.githubusercontent.com/Te-k/stalkerware-indicators/master/generated/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 831 domains
  [i] List stayed unchanged

  [i] Target: https://urlhaus.abuse.ch/downloads/hostfile/
  [✓] Status: Retrieval successful
  [i] Analyzed 710 domains
  [i] List has been updated

  [i] Target: https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser
  [✓] Status: No changes detected
  [i] Analyzed 3496 domains

  [✓] Creating new gravity databases
  [✓] Storing downloaded domains in new gravity database
  [✓] Building tree
  [✓] Swapping databases
  [✓] The old database remains available.
  [i] Number of gravity domains: 6862889 (3698728 unique domains)
  [i] Number of exact blacklisted domains: 0
  [i] Number of regex blacklist filters: 1
  [i] Number of exact whitelisted domains: 5585
  [i] Number of regex whitelist filters: 1922
  [i] FTL is not running
  [✓] Cleaning up stray matter

  [✓] FTL is listening on port 53
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

@here this is going to contain my much more sane pihole configuration stuff. It does not have 6 bajillion URLs. I found that to be problematic. I moved back down to 3.5 mil. My whitelists are fairly liberal. YMMV

UPDATE: The helpful information index is now in post 2.

2 Likes

Yours is a blacklist, not a whitelist. You allow everything and block undesirable stuff.

Whitelist FTW! Block everything and only allow desirable stuff.

2 Likes

This is true, but this is painstaking and annoying. For me, my perspective is (not popular): as you encounter annoyances, use the engineering you've created here with PiHole to make it more sane for you. Blocking everything is very difficult to maintain for more than just yourself, which is the case for most people. It's a difference of use case, if I'm more to my point.

3 Likes

Agreed.

I wouldn’t say that’s unpopular, that’s what most people do, even in big corporations. I think mine’s an unpopular opinion. I mean, it is probably agreed upon, but not followed. So I can’t say either are popular or unpopular.

2 Likes

Well, it's more about pragmatism and less about being to the letter. It's like RFC. If you see my lengthy post above, I'm in violation of it.

2 Likes

Man, I couldn't get DoT working for the life of me a year ago. But now I have it. Took me like an hour of reconfiguring everything and I fixed it. Only thing is Android and iPhone are not working… Desktops and laptops are good to go.

1 Like

@PhaseLockedLoop I'll post here since this is the main thread.

1 Like

Ugh, I'd prefer not to… Lounge is simple for diagnosis LOL, but you can if you wish.

Okay on my end, but it took a couple tries. It looks like their NS2 is not responding.

It would be useful to use a regex to stop ANY queries.

Add the following to the regex blacklist:
.*;querytype=ANY

Also, blacklisting version.bind TXT queries will help reduce the information the DNS server gives out to the internet. I've found those requests disturbingly often come from shodan and censys DOT io. I take it one step further and disallow querying cachesize.bind/insertions.bind/evictions.bind from anywhere other than my internal network.

Now, instead of using the firewall to do it (more intensive), you can just configure pihole to block it, and thus it will block most amplification attacks.
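As an added example (not the poster's code, and not part of Pi-hole or dnsmasq), a Python scan over dnsmasq-style query lines of the kind Pi-hole writes to /var/log/pihole.log, flagging what the post above proposes blocking: ANY queries anywhere, version.bind TXT queries anywhere, and the other *.bind names when they come from outside the private ranges. The sample log lines, the log-line format, the `^version\.bind$;querytype=TXT` formulation of the version.bind rule and the function names are assumptions; the private ranges are the private-address list from the unbound config earlier in the thread.

```python
"""Added example (not Pi-hole, dnsmasq or the poster's code): flag dnsmasq-style
query lines ("<ts> dnsmasq[<pid>]: query[<TYPE>] <name> from <client>", the format
Pi-hole writes to /var/log/pihole.log) matching the post's rules. Samples are constructed."""
import ipaddress
import re

SAMPLE_LOG = """\
Sep 10 00:30:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Sep 10 00:30:02 dnsmasq[812]: query[ANY] example.com from 203.0.113.45
Sep 10 00:30:03 dnsmasq[812]: query[TXT] version.bind from 198.51.100.7
Sep 10 00:30:04 dnsmasq[812]: query[TXT] cachesize.bind from 192.168.1.20
Sep 10 00:30:05 dnsmasq[812]: query[TXT] evictions.bind from 203.0.113.45
Sep 10 00:30:06 dnsmasq[812]: query[AAAA] example.org from fd00::1234
"""
QUERY_RE = re.compile(r"query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)")

# Pi-hole regex-blacklist entries: the post's ANY rule, plus one way (assumed)
# to write its version.bind TXT rule with the same ";querytype=" extension.
BLOCK_EVERYWHERE = [".*;querytype=ANY", r"^version\.bind$;querytype=TXT"]
# CHAOS names the post permits from the internal network only.
INTERNAL_ONLY = {"cachesize.bind", "insertions.bind", "evictions.bind"}
# "Internal" = the private-address ranges from the unbound config in this thread.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "169.254.0.0/16", "fd00::/8", "fe80::/10")]

def pihole_rule_matches(rule, name, qtype):
    """Evaluate a Pi-hole style regex with an optional ';querytype=TYPE' extension."""
    pattern, _, ext = rule.partition(";")
    if ext.startswith("querytype=") and ext.split("=", 1)[1] != qtype:
        return False
    return re.search(pattern, name) is not None

def classify(line):
    """Return a finding string for one log line, or None if nothing in it is flagged."""
    if not (m := QUERY_RE.search(line)):
        return None
    qtype, name, client = m["qtype"], m["name"].lower(), m["client"]
    if any(pihole_rule_matches(r, name, qtype) for r in BLOCK_EVERYWHERE):
        return f"block {qtype} {name} from {client}"
    if name in INTERNAL_ONLY:
        ip = ipaddress.ip_address(client)
        if not any(ip in net for net in INTERNAL_NETS):
            return f"external {name} probe from {client}"
    return None

def scan(log_text):
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_LOG)))
```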

To all those who want a good phishing list