Infrastructure Series -- Recursive DNS and Adblocking DNS over TLS w/NGINX

Just thought I should add the addlist, my firewall and nothing else was to blame for missed calls and stalled text messages… it was strictly poor cell service.
It seems to make a wifi call you still need to ping a verizon satellite signal to be connected for texts and calls.
I had to get into it with verizon so I didnt have to pay 250$ for a device just to use their service. There was a bunch of other shinnanigans with type of service etc… but was kinda crazy.
Its all fixed. So back to including the blocklists etc again to see if anythings effected.
I also got my firewall to pass out a seprate DNS to my wifes machines so she didnt have any issues searching with blocked images or adds. :slight_smile: Ill just keep that part of pihole for me.

1 Like

Updated config:

@here
@HEXiT I know you were interested. remove the extra .txt appendage and this basically can be uploaded. Dont save any of the stuff except the lists when doing so

< URL REDACTED. DM ME >

This is essentially a checkpoint of my latest podman container of it

@FaunCB its got less blocked if it interests you

5 Likes

thanks for all of this :slight_smile:

2 Likes

No problem. It is messy. I do need to fix up the guide. I’m around for questions occasionally

2 Likes

SWEET! So muck work youve done its amazing thank you sir. Ill Nuke my current list and then install this. I think I only had to white list a few things to get certian samsung TVs in the house to work with certian services. I know amazon video needs the time service to even register that it has a internet connection. I will try the list first and try to list what services/devices I had trouble with, what I had to white list and for what model whatever I can add for others to refrence. :slight_smile: I can try and help some :slight_smile:

1 Like

Yeah it was a difficulty I realized. I wasn’t aware of pinholes CNAME blocking that screwed with it.

1 Like

Working on implementing this

1 Like

Basically im nearly there. I prefer to compile it myself and not pull it from cargo. Often there are dependencies that break. You can do it either way

[[email protected] ~]$ doh-proxy --help
doh-proxy 0.9.4
Frank Denis <[email protected]>
A DNS-over-HTTPS (DoH) and ODoH (Oblivious DoH) proxy

USAGE:
    doh-proxy [OPTIONS]

OPTIONS:
    -b, --local-bind-address <local_bind_address>    Address to connect from
    -c, --max-clients <max_clients>                  Maximum number of simultaneous clients [default: 512]
    -C, --max-concurrent <max_concurrent>            Maximum number of concurrent requests per client [default: 16]
    -E, --err-ttl <err_ttl>                          TTL for errors, in seconds [default: 2]
    -g, --public-address <public_address>            External IP address DoH clients will connect to
    -h, --help                                       Print help information
    -H, --hostname <hostname>                        Host name (not IP address) DoH clients will use to connect
    -i, --tls-cert-path <tls_cert_path>              Path to the PEM/PKCS#8-encoded certificates (only required for built-in TLS)
    -I, --tls-cert-key-path <tls_cert_key_path>      Path to the PEM-encoded secret keys (only required for built-in TLS)
    -j, --public-port <public_port>                  External port DoH clients will connect to, if not 443
    -K, --disable-keepalive                          Disable keepalive
    -l, --listen-address <listen_address>            Address to listen to [default: 127.0.0.1:3000]
    -O, --allow-odoh-post                            Allow POST queries over ODoH even if they have been disabed for DoH
    -p, --path <path>                                URI path [default: /dns-query]
    -P, --disable-post                               Disable POST queries
    -t, --timeout <timeout>                          Timeout, in seconds [default: 10]
    -T, --min-ttl <min_ttl>                          Minimum TTL, in seconds [default: 10]
    -u, --server-address <server_address>            Address to connect to [default: 9.9.9.9:53]
    -V, --version                                    Print version information
    -X, --max-ttl <max_ttl>                          Maximum TTL, in seconds [default: 604800]

[[email protected] ~]$ whereis doh-proxy
doh-proxy: /home/root/.rustc/bin/doh-proxy

What I need to do next is make sure it has a systemD process that runs in userspace not root and configure it properly

Quick note for anyone who desires to do the same thing. Remember multi-user.target is not a user target. That is a system target

[email protected] ~]$ systemctl --user list-units --type=target
  UNIT           LOAD   ACTIVE SUB    DESCRIPTION     
  basic.target   loaded active active Basic System
  default.target loaded active active Main User Target
  paths.target   loaded active active Paths
  sockets.target loaded active active Sockets
  timers.target  loaded active active Timers

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
5 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[[email protected] ~]$ 

Its worth noting that you also SHOULD not just store it in /etc/systemd/user. You should store it in ~/.config/systemd/user/ and ln -S it to /etc/systemd/user so you can modify it without root privs

1 Like

BOOM BABY

[[email protected] nginx]$ curl --doh-url https://<mydnsURL>/dns-query icanhazip.com
192.81.134.12
[[email protected] nginx]$ 


1 Like

I moved to stability. Never again

A question was posited in the lounge as to how to block certain service from phoning home by @bedHedd and @SgtAwesomesauce

Lets get into it

Okay use the no google dns list here. Also if you need to and you have your own pihole and dont want any other DNS services use (may cause breakage). Here is a list of all the doh resolvers to block. You can then block DoT port 853 and 8053 in your firewall to prevent it from being used by the app to bypass your dns blockage

# Aaflalo
0.0.0.0 dns.aaflalo.me
0.0.0.0 dns-nyc.aaflalo.me

# AdGuard
0.0.0.0 dns.adguard.com
0.0.0.0 dns-family.adguard.com

# Alekberg
0.0.0.0 dns.alekberg.net
0.0.0.0 dns2.alekberg.net
0.0.0.0 dnsse.alekberg.net

# AliDNS
0.0.0.0 dns.alidns.com

# Andrews & Arnold
0.0.0.0 dns.aa.net.uk

# Association 42l
0.0.0.0 doh.42l.fr

# AT&T
0.0.0.0 dohtrial.att.net

# BlahDNS
0.0.0.0 doh-fi.blahdns.com
0.0.0.0 doh-jp.blahdns.com
0.0.0.0 doh-de.blahdns.com
0.0.0.0 doh-sg.blahdns.com

# Brahma World
0.0.0.0 dns.brahma.world

# Canadian Shield
0.0.0.0 private.canadianshield.cira.ca
0.0.0.0 protected.canadianshield.cira.ca
0.0.0.0 family.canadianshield.cira.ca

# Captnemo
0.0.0.0 doh.captnemo.in

# Cisco
0.0.0.0 doh.opendns.com
0.0.0.0 doh.familyshield.opendns.com

# Clean Browsing
0.0.0.0 family-filter-dns.cleanbrowsing.org
0.0.0.0 adult-filter-dns.cleanbrowsing.org
0.0.0.0 security-filter-dns.cleanbrowsing.org
0.0.0.0 doh.cleanbrowsing.org

# Cloudflare
0.0.0.0 one.one.one.one
0.0.0.0 mozilla.cloudflare-dns.com
0.0.0.0 1dot1dot1dot1.cloudflare-dns.com
0.0.0.0 cloudflare-dns.com
0.0.0.0 dns64.cloudflare-dns.com
0.0.0.0 security.cloudflare-dns.com
0.0.0.0 family.cloudflare-dns.com

# Comcast
0.0.0.0 doh.xfinity.com

# Comodo
0.0.0.0 ns1.recursive.dnsbycomodo.com
0.0.0.0 ns2.recursive.dnsbycomodo.com

# Commons-host
0.0.0.0 commons.host

# ContainerPI
0.0.0.0 dns.containerpi.com

# Cox
0.0.0.0 dohdot.coxlab.net

# Crypto.sx
0.0.0.0 doh.crypto.sx
0.0.0.0 doh-ipv6.crypto.sx

# Digitale Gesellschaft
0.0.0.0 dns.digitale-gesellschaft.ch

# Doh.li
0.0.0.0 doh.li

# DNScrypt (DoH)
0.0.0.0 dns1.dnscrypt.ca
0.0.0.0 dns2.dnscrypt.ca

# DNSforge
0.0.0.0 dnsforge.de

# DNS home
0.0.0.0 dns.dnshome.de

# DNS lify
0.0.0.0 doh.dnslify.com
0.0.0.0 a.ns.dnslify.com
0.0.0.0 b.ns.dnslify.com
0.0.0.0 a.safe.ns.dnslify.com
0.0.0.0 b.safe.ns.dnslify.com
0.0.0.0 a.family.ns.dnslify.com
0.0.0.0 b.family.ns.dnslify.com

# DNS Seby
0.0.0.0 doh.seby.io
0.0.0.0 doh-2.seby.io

# DNS.SB
0.0.0.0 doh.dns.sb

# Dyn
0.0.0.0 resolver1.dyndnsinternetguide.com
0.0.0.0 resolver2.dyndnsinternetguide.com

# FFmuc
0.0.0.0 doh.ffmuc.net

# Foundation for Applied Privacy
0.0.0.0 doh.applied-privacy.net

# GeekDNS
0.0.0.0 dns.233py.com
0.0.0.0 i.233py.com
0.0.0.0 wdns.233py.com
0.0.0.0 ndns.233py.com
0.0.0.0 sdns.233py.com

# Google
0.0.0.0 dns.google
0.0.0.0 google-public-dns-a.google.com
0.0.0.0 google-public-dns-b.google.com
0.0.0.0 dns64.dns.google

# Hostux
0.0.0.0 dns.hostux.net

# Ibuki
0.0.0.0 ibuki.cgnat.net

# Ibksturm
0.0.0.0 ibksturm.synology.me

# Jcdns
0.0.0.0 jcdns.fun

# Lelux
0.0.0.0 resolver-eu.lelux.fi

# LibreDNS
0.0.0.0 doh.libredns.gr

# Mrkaran
0.0.0.0 dns.mrkaran.dev

# NekomimiRouter
0.0.0.0 dns.dns-over-https.com

# NextDNS
0.0.0.0 dns.nextdns.io

# NixNet
0.0.0.0 uncensored.any.dns.nixnet.xyz
0.0.0.0 adblock.any.dns.nixnet.xyz
0.0.0.0 uncensored.lv1.dns.nixnet.xyz
0.0.0.0 adblock.lv1.dns.nixnet.xyz
0.0.0.0 uncensored.ny1.dns.nixnet.xyz
0.0.0.0 adblock.ny1.dns.nixnet.xyz
0.0.0.0 uncensored.lux1.dns.nixnet.xyz
0.0.0.0 adblock.lux1.dns.nixnet.xyz

# OpenDNS
0.0.0.0 resolver1.opendns.com
0.0.0.0 resolver2.opendns.com
0.0.0.0 resolver1-fs.opendns.com
0.0.0.0 resolver2-fs.opendns.com
0.0.0.0 resolver1.ipv6-sandbox.opendns.com
0.0.0.0 resolver2.ipv6-sandbox.opendns.com

# OSZX (PumpleX)
0.0.0.0 dns.oszx.co
0.0.0.0 dns.pumplex.com

# Pi-DNS
0.0.0.0 doh.centraleu.pi-dns.com
0.0.0.0 doh.northeu.pi-dns.com
0.0.0.0 doh.westus.pi-dns.com
0.0.0.0 doh.eastus.pi-dns.com

# PowerDNS
0.0.0.0 doh.powerdns.org

# Qua9
0.0.0.0 dns.quad9.net
0.0.0.0 dns9.quad9.net
0.0.0.0 dns10.quad9.net
0.0.0.0 dns11.quad9.net
0.0.0.0 rpz-public-resolver1.rrdns.pch.net
0.0.0.0 dns-nosec.quad9.net

# Quad101
0.0.0.0 dns.twnic.tw

# Rubyfish
0.0.0.0 v6.rubyfish.cn
0.0.0.0 dns.rubyfish.cn
0.0.0.0 ea-dns.rubyfish.cn
0.0.0.0 uw-dns.rubyfish.cn

# Secure DNS
0.0.0.0 doh.securedns.eu
0.0.0.0 ads-doh.securedns.eu

# Snopyta
0.0.0.0 fi.doh.dns.snopyta.org

# Switch
0.0.0.0 dns.switch.ch

# Tiarap
0.0.0.0 doh.tiar.app
0.0.0.0 doh.tiarap.org
0.0.0.0 jp.tiar.app
0.0.0.0 jp.tiarap.org

# t53
0.0.0.0 dns.t53.de

# Xfinity (Comcast)
0.0.0.0 doh.xfinity.com

# Others
0.0.0.0 dns.dnsoverhttps.net
0.0.0.0 doh.dnswarden.com
0.0.0.0 doh.appliedprivacy.net
0.0.0.0 public.dns.iij.jp
0.0.0.0 jp.gridns.xyz
0.0.0.0 dns.flatuslifir.is
0.0.0.0 odvr.nic.cz
0.0.0.0 rumpelsepp.org
0.0.0.0 ordns.he.net
0.0.0.0 rdns.faelix.net
0.0.0.0 adfree.usableprivacy.net

Here is also a breakdown of a lot of DNS server IPs to block

# Optionally include Cloudflare's main addresses (Google and Quad9 included below)
# 1.1.1.1
# 1.0.0.1
#
# security.cloudflare-dns.com - see IPs further down this list
# 1.1.1.2
# 1.0.0.2
#
# family.cloudflare-dns.com
# 1.1.1.3
# 1.0.0.3

# dns.cloudflare.com
# (optional because cdnjs.cloudflare.com uses the same IPs)
# 104.16.132.229
# 104.16.133.229

# NOTES
# Quad9 is also using Port 5053 for DoH: (last checked 11 Jan 2020)
# https://www.quad9.net/doh-quad9-dns-servers/#UsingDoHwithQuad9DNSServers-AdditionalInformation
#
# dnscrypt.ca is using Port 453 for DoH (instead of 443)

168.235.81.167
176.56.236.175
176.103.130.131
176.103.130.130
176.103.130.132
176.103.130.134
37.252.185.229
206.189.215.75
104.24.120.142
104.24.121.142
108.61.201.119
139.59.48.222
104.16.249.249
104.16.248.249
199.58.81.218
23.92.29.236
104.28.0.106
104.28.1.106
8.8.4.4
8.8.8.8
185.95.218.42
185.95.218.43
185.222.222.222
185.184.222.222
46.101.66.244
172.64.108.27
172.64.109.27
45.77.124.64
45.32.253.116
104.236.178.232
89.234.186.112
45.90.28.0
45.90.30.0
193.17.47.1
185.43.135.1
136.144.215.158
118.126.68.223
118.89.110.78
47.96.179.163
145.100.185.15
145.100.185.16
174.138.29.175
45.77.180.10
185.216.27.142
217.169.20.23
217.169.20.22
172.65.3.223
188.60.252.16

# *.quad9.net
149.112.112.112
9.9.9.9
149.112.112.9
9.9.9.10
149.112.112.10
9.9.9.11
149.112.112.11
9.9.9.12
149.112.112.12
9.9.9.13
149.112.112.13

# *.passcloud.xyz
43.132.150.250
103.254.108.74

# dns.oszx.co
51.38.83.141

# dns.pumplex.com
51.38.82.198

# arvind.io
206.189.142.179

# dns.brahma.world
94.237.80.211

# *.cleanbrowsing.org
185.228.168.9
185.228.169.9
185.228.168.10
185.228.169.11
185.228.168.168
185.228.169.168

# commons.host
139.162.131.245

# dns2.developer.li
51.89.22.36

# dns.developer.li
164.132.45.112

# doh.dns.sb
172.64.105.36
172.64.104.36

# doh.ffmuc.net
195.30.94.28

# geekdns / 233py.com
125.77.154.35
104.27.164.27
104.27.165.27

### 233py's that need to checked
47.101.136.37
114.115.240.175
119.29.107.85
118.24.208.197

# public.dns.iij.jp
103.2.57.5
103.2.57.6

# *.tiar.app
174.138.21.128
172.104.93.80

# doh.libredns.org
146.148.56.78

# doh.netweaver.uk
185.157.233.92

# dns.twnic.tw
210.17.9.228

# doh.xfinity.com / doh.gslb2.xfinity.com (Comcast)
96.113.151.141
96.113.151.142
96.113.151.143
96.113.151.147
96.113.151.148
96.113.151.149
96.113.151.150

# dnscrypt.ca (Port 453!)
167.114.220.125
149.56.228.45

# *.ahadns.com
5.2.75.75
45.79.120.233
45.67.219.208
185.213.26.187
45.132.75.16
45.91.95.12
45.132.74.167
185.175.56.133
193.29.62.196
103.73.64.132

# dns.t53.de (Telekom DE DoH-Testserver)
80.156.145.201

# snopyta.org
95.216.229.153

# alekberg.net
51.15.124.208
104.168.247.138
45.153.187.96

# *.dnslify.com
185.235.81.1
185.235.81.2
185.235.81.3
185.235.81.4
185.235.81.5
185.235.81.6

# opendns.com (Cisco) (Production - Familyshield - Sandbox)
146.112.41.2
146.112.41.3
146.112.41.4
208.67.222.222
208.67.220.220
208.67.222.123
208.67.220.123
208.67.220.2
208.67.222.2

# dnswarden.com
88.198.161.8
116.203.35.255
116.203.70.156

# dohdot.coxlab.net
174.68.248.77

# dns.hostux.net
185.26.126.37

#jcdns.fun
178.62.214.105

# doh.blockerdns.com
35.231.247.227

# doh.libredns.gr
116.203.115.192

# doh.defaultroutes.de
5.45.107.88

# dns.flatuslifir.is
46.239.223.80

# resolver-eu.lelux.fi
51.158.147.50

# *.applied-privacy.net
93.177.65.183
146.255.56.98

# dnsforge.de
176.9.93.198
176.9.1.117

# dohtrial.att.net
13.89.120.251
40.76.112.230

# rumpelsepp.org
116.203.179.248

# dns.nixnet.xyz
198.251.90.114
198.251.90.89
209.141.34.95
199.195.251.84
104.244.78.231

# security.cloudflare-dns.com
104.18.2.55
104.18.3.55

# family.cloudflare-dns.com
104.18.26.128
104.18.27.128

# canadianshield.cira.ca
149.112.121.10
149.112.122.10
149.112.121.20
149.112.122.20
149.112.121.30
149.112.122.30

# ordns.he.net
74.82.42.42

# dns.alidns.com
223.5.5.5
223.6.6.6

# dns.switch.ch
130.59.31.251
130.59.31.248

# *.blahdns.com
45.90.57.121
95.216.212.177
78.46.244.143
139.162.112.47
192.53.175.149

# dnsbycomodo.com
8.26.56.26
8.20.247.20

# dns.mrkaran.dev
139.59.55.13

# dns.dns-over-https.com
104.24.122.53
104.24.123.53

# jarjar.meganerd.nl
209.250.241.25

# adfree.usableprivacy.net
149.154.153.153

# dns.dnshome.de
185.233.106.232
185.233.107.4

# doh.abmb.win / doh2.abmb.win
3.0.59.48
54.169.103.244
172.67.153.154
104.28.13.215
104.28.12.215

# dns.decloudus.com
176.9.199.158

# rdns.faelix.net
46.227.200.54
46.227.200.55
185.134.196.54
185.134.197.54

# pdns.faelix.net
46.227.200.52
46.227.203.52
185.134.196.52

# *.dismail.de
80.241.218.68
159.69.114.157

# *.censurfridns.dk
91.239.100.100
130.225.244.166
130.226.161.34
185.38.24.52
198.180.150.12
89.233.43.71

# *.seby.io
45.76.113.31
139.99.222.72

# nextdns - 28
45.90.28.1
45.90.28.2
45.90.28.3
45.90.28.4
45.90.28.5
45.90.28.6
45.90.28.7
45.90.28.8
45.90.28.9
45.90.28.10
45.90.28.11
45.90.28.12
45.90.28.13
45.90.28.14
45.90.28.15
45.90.28.16
45.90.28.17
45.90.28.18
45.90.28.19
45.90.28.20
45.90.28.21
45.90.28.22
45.90.28.23
45.90.28.24
45.90.28.25
45.90.28.26
45.90.28.27
45.90.28.28
45.90.28.29
45.90.28.30
45.90.28.31
45.90.28.32
45.90.28.33
45.90.28.34
45.90.28.35
45.90.28.36
45.90.28.37
45.90.28.38
45.90.28.39
45.90.28.40
45.90.28.41
45.90.28.42
45.90.28.43
45.90.28.44
45.90.28.45
45.90.28.46
45.90.28.47
45.90.28.48
45.90.28.49
45.90.28.50
45.90.28.51
45.90.28.52
45.90.28.53
45.90.28.54
45.90.28.55
45.90.28.56
45.90.28.57
45.90.28.58
45.90.28.59
45.90.28.60
45.90.28.61
45.90.28.62
45.90.28.63
45.90.28.64
45.90.28.65
45.90.28.66
45.90.28.67
45.90.28.68
45.90.28.69
45.90.28.70
45.90.28.71
45.90.28.72
45.90.28.73
45.90.28.74
45.90.28.75
45.90.28.76
45.90.28.77
45.90.28.78
45.90.28.79
45.90.28.80
45.90.28.81
45.90.28.82
45.90.28.83
45.90.28.84
45.90.28.85
45.90.28.86
45.90.28.87
45.90.28.88
45.90.28.89
45.90.28.90
45.90.28.91
45.90.28.92
45.90.28.93
45.90.28.94
45.90.28.95
45.90.28.96
45.90.28.97
45.90.28.98
45.90.28.99
45.90.28.100
45.90.28.101
45.90.28.102
45.90.28.103
45.90.28.104
45.90.28.105
45.90.28.106
45.90.28.107
45.90.28.108
45.90.28.109
45.90.28.110
45.90.28.111
45.90.28.112
45.90.28.113
45.90.28.114
45.90.28.115
45.90.28.116
45.90.28.117
45.90.28.118
45.90.28.119
45.90.28.120
45.90.28.121
45.90.28.122
45.90.28.123
45.90.28.124
45.90.28.125
45.90.28.126
45.90.28.127
45.90.28.128
45.90.28.129
45.90.28.130
45.90.28.131
45.90.28.132
45.90.28.133
45.90.28.134
45.90.28.135
45.90.28.136
45.90.28.137
45.90.28.138
45.90.28.139
45.90.28.140
45.90.28.141
45.90.28.142
45.90.28.143
45.90.28.144
45.90.28.145
45.90.28.146
45.90.28.147
45.90.28.148
45.90.28.149
45.90.28.150
45.90.28.151
45.90.28.152
45.90.28.153
45.90.28.154
45.90.28.155
45.90.28.156
45.90.28.157
45.90.28.158
45.90.28.159
45.90.28.160
45.90.28.161
45.90.28.162
45.90.28.163
45.90.28.164
45.90.28.165
45.90.28.166
45.90.28.167
45.90.28.168
45.90.28.169
45.90.28.170
45.90.28.171
45.90.28.172
45.90.28.173
45.90.28.174
45.90.28.175
45.90.28.176
45.90.28.177
45.90.28.178
45.90.28.179
45.90.28.180
45.90.28.181
45.90.28.182
45.90.28.183
45.90.28.184
45.90.28.185
45.90.28.186
45.90.28.187
45.90.28.188
45.90.28.189
45.90.28.190
45.90.28.191
45.90.28.192
45.90.28.193
45.90.28.194
45.90.28.195
45.90.28.196
45.90.28.197
45.90.28.198
45.90.28.199
45.90.28.200
45.90.28.201
45.90.28.202
45.90.28.203
45.90.28.204
45.90.28.205
45.90.28.206
45.90.28.207
45.90.28.208
45.90.28.209
45.90.28.210
45.90.28.211
45.90.28.212
45.90.28.213
45.90.28.214
45.90.28.215
45.90.28.216
45.90.28.217
45.90.28.218
45.90.28.219
45.90.28.220
45.90.28.221
45.90.28.222
45.90.28.223
45.90.28.224
45.90.28.225
45.90.28.226
45.90.28.227
45.90.28.228
45.90.28.229
45.90.28.230
45.90.28.231
45.90.28.232
45.90.28.233
45.90.28.234
45.90.28.235
45.90.28.236
45.90.28.237
45.90.28.238
45.90.28.239
45.90.28.240
45.90.28.241
45.90.28.242
45.90.28.243
45.90.28.244
45.90.28.245
45.90.28.246
45.90.28.247
45.90.28.248
45.90.28.249
45.90.28.250
45.90.28.251
45.90.28.252
45.90.28.253
45.90.28.254

# nextdns - 30
45.90.30.1
45.90.30.2
45.90.30.3
45.90.30.4
45.90.30.5
45.90.30.6
45.90.30.7
45.90.30.8
45.90.30.9
45.90.30.10
45.90.30.11
45.90.30.12
45.90.30.13
45.90.30.14
45.90.30.15
45.90.30.16
45.90.30.17
45.90.30.18
45.90.30.19
45.90.30.20
45.90.30.21
45.90.30.22
45.90.30.23
45.90.30.24
45.90.30.25
45.90.30.26
45.90.30.27
45.90.30.28
45.90.30.29
45.90.30.30
45.90.30.31
45.90.30.32
45.90.30.33
45.90.30.34
45.90.30.35
45.90.30.36
45.90.30.37
45.90.30.38
45.90.30.39
45.90.30.40
45.90.30.41
45.90.30.42
45.90.30.43
45.90.30.44
45.90.30.45
45.90.30.46
45.90.30.47
45.90.30.48
45.90.30.49
45.90.30.50
45.90.30.51
45.90.30.52
45.90.30.53
45.90.30.54
45.90.30.55
45.90.30.56
45.90.30.57
45.90.30.58
45.90.30.59
45.90.30.60
45.90.30.61
45.90.30.62
45.90.30.63
45.90.30.64
45.90.30.65
45.90.30.66
45.90.30.67
45.90.30.68
45.90.30.69
45.90.30.70
45.90.30.71
45.90.30.72
45.90.30.73
45.90.30.74
45.90.30.75
45.90.30.76
45.90.30.77
45.90.30.78
45.90.30.79
45.90.30.80
45.90.30.81
45.90.30.82
45.90.30.83
45.90.30.84
45.90.30.85
45.90.30.86
45.90.30.87
45.90.30.88
45.90.30.89
45.90.30.90
45.90.30.91
45.90.30.92
45.90.30.93
45.90.30.94
45.90.30.95
45.90.30.96
45.90.30.97
45.90.30.98
45.90.30.99
45.90.30.100
45.90.30.101
45.90.30.102
45.90.30.103
45.90.30.104
45.90.30.105
45.90.30.106
45.90.30.107
45.90.30.108
45.90.30.109
45.90.30.110
45.90.30.111
45.90.30.112
45.90.30.113
45.90.30.114
45.90.30.115
45.90.30.116
45.90.30.117
45.90.30.118
45.90.30.119
45.90.30.120
45.90.30.121
45.90.30.122
45.90.30.123
45.90.30.124
45.90.30.125
45.90.30.126
45.90.30.127
45.90.30.128
45.90.30.129
45.90.30.130
45.90.30.131
45.90.30.132
45.90.30.133
45.90.30.134
45.90.30.135
45.90.30.136
45.90.30.137
45.90.30.138
45.90.30.139
45.90.30.140
45.90.30.141
45.90.30.142
45.90.30.143
45.90.30.144
45.90.30.145
45.90.30.146
45.90.30.147
45.90.30.148
45.90.30.149
45.90.30.150
45.90.30.151
45.90.30.152
45.90.30.153
45.90.30.154
45.90.30.155
45.90.30.156
45.90.30.157
45.90.30.158
45.90.30.159
45.90.30.160
45.90.30.161
45.90.30.162
45.90.30.163
45.90.30.164
45.90.30.165
45.90.30.166
45.90.30.167
45.90.30.168
45.90.30.169
45.90.30.170
45.90.30.171
45.90.30.172
45.90.30.173
45.90.30.174
45.90.30.175
45.90.30.176
45.90.30.177
45.90.30.178
45.90.30.179
45.90.30.180
45.90.30.181
45.90.30.182
45.90.30.183
45.90.30.184
45.90.30.185
45.90.30.186
45.90.30.187
45.90.30.188
45.90.30.189
45.90.30.190
45.90.30.191
45.90.30.192
45.90.30.193
45.90.30.194
45.90.30.195
45.90.30.196
45.90.30.197
45.90.30.198
45.90.30.199
45.90.30.200
45.90.30.201
45.90.30.202
45.90.30.203
45.90.30.204
45.90.30.205
45.90.30.206
45.90.30.207
45.90.30.208
45.90.30.209
45.90.30.210
45.90.30.211
45.90.30.212
45.90.30.213
45.90.30.214
45.90.30.215
45.90.30.216
45.90.30.217
45.90.30.218
45.90.30.219
45.90.30.220
45.90.30.221
45.90.30.222
45.90.30.223
45.90.30.224
45.90.30.225
45.90.30.226
45.90.30.227
45.90.30.228
45.90.30.229
45.90.30.230
45.90.30.231
45.90.30.232
45.90.30.233
45.90.30.234
45.90.30.235
45.90.30.236
45.90.30.237
45.90.30.238
45.90.30.239
45.90.30.240
45.90.30.241
45.90.30.242
45.90.30.243
45.90.30.244
45.90.30.245
45.90.30.246
45.90.30.247
45.90.30.248
45.90.30.249
45.90.30.250
45.90.30.251
45.90.30.252
45.90.30.253
45.90.30.254

These should basically help you but DONT block your own…

With some scripting you can turn the top one into a series of URLs to blacklist in pihole and the bottom one into some firewall rules for your firewall. Good luck. Sorry for my shortness last night I was drunk

Also blocking 5053 8053 8084 8088 8043 would all be ways to stop DoH resolvers

Building on the prior information

You have a phonebook you just need to know how to use it. Ill expand on this more in a sec

dig -6 -X +nocmd <URL> any +noall +answer the IPs I gave you (recursively) if you have IPv6 to get all the URLs for each of those potential IPs so you may also block them in pihole

Pretty sure thats rDNS lookup syntax

I actually automate dig a bit

 ~  cat ~/.digrc                                                                                                                          INT  at 12:48:24 
@<MY-DNS-DOMAIN> +all +authority +question +qr +recurse +multiline +answer +nocmd +dnssec +adflag +showsearch +nsid
 ~    

Understanding what you are doing here

@bedHedd @SgtAwesomesauce this is what your reverse lookup should look like post automation and setting your preferred server in the RC


 ~  dig -x 1.0.0.1                                                                                                                      1 err  at 12:54:28 
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10800
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: c6ef49c3f0d9b308
;; QUESTION SECTION:
;1.0.0.1.in-addr.arpa.	IN PTR

;; QUERY SIZE: 65

;; Truncated, retrying in TCP mode.
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21219
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: c6ef49c3f0d9b308
;; QUESTION SECTION:
;1.0.0.1.in-addr.arpa.	IN PTR

;; QUERY SIZE: 65

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21219
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;1.0.0.1.in-addr.arpa.	IN PTR

;; ANSWER SECTION:
1.0.0.1.in-addr.arpa.	1800 IN	PTR one.one.one.one.

;; Query time: 58 msec
;; SERVER: 2600:3c01::f03c:93ff:feb9:151b#53(2600:3c01::f03c:93ff:feb9:151b)
;; WHEN: Sat Sep 10 12:54:42 MDT 2022
;; MSG SIZE  rcvd: 78

 ~

It will give you a PTR record which will reveal any URL they havent published that they maybe using with a DoH ressolver :wink: including a potential oDoH record :wink:

If they dont want you to get in. They should build it better right :troll:

Youll notice my server forces recursion over TCP. This prevents some of the amplification attacks people like to throw at me. Combined with fail2ban ive pretty much BTFOd the DNS bots. A thing to note is this does place my server in violation of DNS RFC

https://www.rfc-editor.org/rfc/rfc1123#section-6.1.3.2 
https://www.rfc-editor.org/rfc/rfc1123#page-75

Either page 75 or section will jump you to the spot

Problem with RFC is it always has a gap with reality, In a lot of ways this RFC is eating glue in the corner. Something to note when you setup a public resolver

Lets breakdown what your looking at in the answer though

;; ANSWER SECTION:
1.0.0.1.in-addr.arpa.	1800 IN	PTR one.one.one.one.

you will always see (IP in reverse order).in-addr.arpa

 dig -x 8.8.4.4                                                                                                                         ok  at 12:54:42 
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22402
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: b3f9d7a95cab1d08
;; QUESTION SECTION:
;4.4.8.8.in-addr.arpa.	IN PTR

;; QUERY SIZE: 65

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22402
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;4.4.8.8.in-addr.arpa.	IN PTR

;; ANSWER SECTION:
4.4.8.8.in-addr.arpa.	86400 IN PTR dns.google.

;; Query time: 81 msec
;; SERVER: 2600:3c01::f03c:93ff:feb9:151b#53(2600:3c01::f03c:93ff:feb9:151b)
;; WHEN: Sat Sep 10 13:02:45 MDT 2022
;; MSG SIZE  rcvd: 73

This will happen with 6 as well let me show you

 dig -x 2001:4860:4860::8844                                                                                                           INT  at 13:03:02 

;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51403
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: 540f62e50c56cf51
;; QUESTION SECTION:
;4.4.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. IN PTR

;; QUERY SIZE: 117

;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51403
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: 540f62e50c56cf51
;; QUESTION SECTION:
;4.4.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. IN PTR

;; QUERY SIZE: 117

;; Truncated, retrying in TCP mode.
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43522
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID:
; COOKIE: 540f62e50c56cf51
;; QUESTION SECTION:
;4.4.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. IN PTR

;; QUERY SIZE: 117

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43522
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;4.4.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
4.4.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. 86399	IN PTR dns.google.

;; Query time: 52 msec
;; SERVER: 2600:3c01::f03c:93ff:feb9:151b#53(2600:3c01::f03c:93ff:feb9:151b)
;; WHEN: Sat Sep 10 13:03:24 MDT 2022
;; MSG SIZE  rcvd: 125

 ~         

Inverse queries take the form of a single resource record (RR) in the answer section of the message, with an empty question section. The owner name of the query RR and its time to live (TTL) are not significant. The response carries questions in the question section which identify all names possessing the query RR which the name server knows. Since no name server knows about all of the domain namespace, the response can never be assumed to be complete. Thus inverse queries are primarily useful for database management and debugging activities. Inverse queries are not an acceptable method of mapping host addresses to host names; use the in-addr.arpa domain instead. So if you see inverse RR error or NULL PTR you know there isnt a proper record for reverse lookup and safely say nobody is going to have URL pointed to that IP

Now with the foundations seen and learnt you should be able to automate dig in the RC and write a script that can check all of the IPs you want to protect against for URLs and parse them into a pihole format blacklist txt file from the ANSWER section

Happy hunting

1 Like

Updated Unbound Configuration – Recursive

## Unbound Configuration for Recursive Resolve
# Version: Red Hat 9 
# Subversion: 005

# SERVER BLOCK

server:

# Initial Configuration and Ports
        logfile: "/var/log/unbound/unbound.log" # Define log location
        username: "unbound"
        directory: "/etc/unbound"
        log-time-ascii: yes
        pidfile: "/var/run/unbound/unbound.pid"
        #verbosity: 3
        interface: 0.0.0.0
        interface: ::0 # Define if you want to answer IPv6 requests
        access-control: 172.0.0.0/8 allow
        access-control: 10.0.0.0/8 allow
        access-control: 192.0.0.0/8 allow
        access-control: 2001:DB8::/64 allow
        port: 19235 
        statistics-interval: 0
        statistics-cumulative: no
        extended-statistics: yes
        interface-automatic: no
        outgoing-port-permit: 32768-60999
        outgoing-port-avoid: 0-32767
        outgoing-port-avoid: 61000-65535
        include: /etc/unbound/local.d/*.conf
        tls-ciphers: "PROFILE=SYSTEM"
        ip-transparent: yes
        edns-tcp-keepalive: yes
        chroot: ""

# IP4/6 TCP/UDP Configuration
        do-ip4: yes
        do-udp: yes
        do-tcp: yes
        do-ip6: yes # Enable but not prefer if 6 is a capability on the network (i.e 6in4)
        prefer-ip6: yes # Only enable if on NATIVE IPV6 Stack
        so-reuseport: yes
        max-udp-size: 3072
        udp-upstream-without-downstream: yes

# Root Hints 
        root-hints: "/etc/unbound/root.hints" # Top level root servers file
    
# Hardened Resolution
        harden-short-bufsize: yes
        harden-large-queries: yes
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        harden-referral-path: yes
        target-fetch-policy: "0 0 0 0 0" # Emulate Bind 9
        harden-algo-downgrade: no
        trusted-keys-file: /etc/unbound/keys.d/*.key
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        use-caps-for-id: no # Set no if you plan to use DNSSEC
        edns-buffer-size: 1232 # Set MTU of network
        hide-identity: yes
        hide-version: yes
        qname-minimisation: yes
        aggressive-nsec: yes
        unwanted-reply-threshold: 10000000
        deny-any: no
        rrset-roundrobin: yes
        minimal-responses: yes
        module-config: "validator iterator"
        root-key-sentinel: yes
        val-clean-additional: yes
        val-permissive-mode: no
        val-log-level: 2
        trust-anchor-signaling: yes
        prefetch-key: yes

# Optimizations
        prefetch: yes
        cache-min-ttl: 0
        serve-expired: yes
        serve-expired-ttl: 14400
        so-reuseport: yes
        msg-cache-slabs: 8
        rrset-cache-slabs: 8
        infra-cache-slabs: 8
        key-cache-slabs: 8
        outgoing-range: 4096
        msg-cache-size: 256m
        rrset-cache-size: 512m
        num-threads: 4
        so-rcvbuf: 8m
        so-sndbuf: 8m

# Other parameters
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: 172.16.0.0/12
        private-address: 10.0.0.0/8
        private-address: fd00::/8
        private-address: fe80::/10

# Remote Control
remote-control:
        control-enable: yes
        control-use-cert: "no"
        # unbound server key file.
        server-key-file: "/etc/unbound/unbound_server.key"
        # unbound server certificate file.
        server-cert-file: "/etc/unbound/unbound_server.pem"
        # unbound-control key file.
        control-key-file: "/etc/unbound/unbound_control.key"
        # unbound-control certificate file.
        control-cert-file: "/etc/unbound/unbound_control.pem"
1 Like

Additional Pi-Hole Configurations

SystemD Gravity Updater:

Timer File

$ cat /etc/systemd/system/gravity.timer
# Pihole Gravity Updater
# Timer File

[Unit]
Description=Executes update of pihole gravity database
Requires=gravity.service

[Timer]
Unit=gravity.service
OnCalendar=*-*-* 0:30:00
Persistent=true

[Install]
WantedBy=timers.target

Service File

$ cat /etc/systemd/system/gravity.service
# Pihole Gravity Updater
# Service File

[Unit]
Description=Executes update of pihole gravity database
Wants=gravity.timer

[Service]
Type=simple
user=(your username if added to docker group)
group=docker
ExecStart=docker exec -it pihole pihole -g

[Install]
WantedBy=multi-user.target

This forces payload truncation on any large replies that are exploited for amplification attacks

~ cat /etc/dnsmasq.d/99-edns.conf 
edns-packet-max=1232

My pihole FTL configuration

[email protected]:/# cat /etc/pihole/pihole-FTL.conf 
REPLY_ADDR4=0.0.0.0
REPLY_ADDR6=::/0
RATE_LIMIT=1000000/10
BLOCKINGMODE=NULL
CNAME_DEEP_INSPECT=true
BLOCK_ESNI=true
EDNS0_ECS=true
REPLY_WHEN_BUSY=DROP
MOZILLA_CANARY=true
BLOCK_ICLOUD_PR=true
MAXLOGAGE=24.0
PRIVACYLEVEL=0
AAAA_QUERY_ANALYSIS=yes
ANALYZE_ONLY_A_AND_AAAA=false
SHOW_DNSSEC=true
RESOLVE_IPV6=yes
RESOLVE_IPV4=yes
REFRESH_HOSTNAMES=ALL
PARSE_ARP_CACHE=true
MAXDBDAYS=7
DBINTERVAL=1.0
LOCAL_IPV4=0.0.0.0
[email protected]:/# 

My setup vars

[email protected]:/# cat /etc/pihole/setupVars.conf  
INSTALL_WEB_INTERFACE=true
WEBPASSWORD=LOL NO
PIHOLE_INTERFACE=eth0
QUERY_LOGGING=true
BLOCKING_ENABLED=true
DNSMASQ_LISTENING=all
DNS_FQDN_REQUIRED=false
DNS_BOGUS_PRIV=false
DNSSEC=true
REV_SERVER=false
PIHOLE_DNS_1=10.31.85.1#19235
[email protected]:/# 

You can customize this file with its delimiters to give yourself custom DNS servers. I dont because I only have local

These get reset on every pihole update. The devs of pihole are assholes about this and refuse to change this. They are pretty stuck in their own echo chamber. So make a service that overwrites this file every time its changed. You can use a systemD trigger for this. Here is the base configuration.

[email protected]:/# cat /etc/pihole/dns-servers.conf 
Google (ECS, DNSSEC);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844
OpenDNS (ECS, DNSSEC);208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53
Level3;4.2.2.1;4.2.2.2;;
Comodo;8.26.56.26;8.20.247.20;;
DNS.WATCH (DNSSEC);84.200.69.80;84.200.70.40;2001:1608:10:25:0:0:1c04:b12f;2001:1608:10:25:0:0:9249:d69b
Quad9 (filtered, DNSSEC);9.9.9.9;149.112.112.112;2620:fe::fe;2620:fe::9
Quad9 (unfiltered, no DNSSEC);9.9.9.10;149.112.112.10;2620:fe::10;2620:fe::fe:10
Quad9 (filtered, ECS, DNSSEC);9.9.9.11;149.112.112.11;2620:fe::11;2620:fe::fe:11
Cloudflare (DNSSEC);1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001
[email protected]:/# 

Teleporter file

Please rename the extension back to a gunzip tarball. I couldnt upload it otherwise then upload to pihole

pihole-conf-unix_epoch-1662823550.tar.gz.txt (105.3 KB)

Gravity output dump

pihole -g
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [✓] Preparing new gravity database
  [i] Using libz compression

  [i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 138289 domains
  [i] List stayed unchanged

  [i] Target: https://block.energized.pro/basic/formats/domains.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 378748 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/badmojr/1Hosts/master/Lite/domains.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 101793 domains
  [i] List has been updated

  [i] Target: https://block.energized.pro/ultimate/formats/domains.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 524784 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/BreakingTheNews.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 1 domains
  [i] List stayed unchanged

  [i] Target: https://raw.githubusercontent.com/ligyxy/Blocklist/master/BLOCKLIST
  [✓] Status: Retrieval successful
  [i] Analyzed 70545 domains
  [i] List stayed unchanged

  [i] Target: https://dbl.oisd.nl
  [✓] Status: Retrieval successful
  [i] Analyzed 1008644 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/ookangzheng/dbl-oisd-nl/master/dbl.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 1008644 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/multi.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 845446 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/Fanboy-Annoyances-List.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 74 domains
  [i] List stayed unchanged

  [i] Target: https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/CombinedBlacklists/CombinedBlackLists.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 2077732 domains
  [i] List stayed unchanged

  [i] Target: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
  [✓] Status: No changes detected
  [i] Analyzed 426786 domains

  [i] Target: https://www.github.developerdan.com/hosts/lists/hate-and-junk-extended.txt
  [✓] Status: No changes detected
  [i] Analyzed 1806 domains

  [i] Target: https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 60837 domains
  [i] List has been updated

  [i] Target: https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 57 domains
  [i] List stayed unchanged

  [i] Target: https://v.firebog.net/hosts/static/w3kbl.txt
  [✓] Status: No changes detected
  [i] Analyzed 356 domains

  [i] Target: https://adaway.org/hosts.txt
  [✓] Status: No changes detected
  [i] Analyzed 7189 domains

  [i] Target: https://v.firebog.net/hosts/AdguardDNS.txt
  [✓] Status: No changes detected
  [i] Analyzed 47637 domains

  [i] Target: https://v.firebog.net/hosts/Admiral.txt
  [✓] Status: No changes detected
  [i] Analyzed 637 domains

  [i] Target: https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 42553 domains
  [i] List stayed unchanged

  [i] Target: https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
  [✓] Status: No changes detected
  [i] Analyzed 2701 domains

  [i] Target: https://v.firebog.net/hosts/Easylist.txt
  [✓] Status: No changes detected
  [i] Analyzed 21325 domains

  [i] Target: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&amp;amp;amp;showintro=0&amp;amp;amp;mimetype=plaintext
  [✓] Status: No changes detected
  [i] Analyzed 3673 domains

  [i] Target: https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 9 domains
  [i] List stayed unchanged

  [i] Target: https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 17411 domains
  [i] List stayed unchanged

  [i] Target: https://v.firebog.net/hosts/Easyprivacy.txt
  [✓] Status: No changes detected
  [i] Analyzed 12938 domains

  [i] Target: https://v.firebog.net/hosts/Prigent-Ads.txt
  [✓] Status: No changes detected
  [i] Analyzed 3749 domains

  [i] Target: https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 1286 domains
  [i] List stayed unchanged

  [i] Target: https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 347 domains
  [i] List stayed unchanged

  [i] Target: https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
  [✓] Status: No changes detected
  [i] Analyzed 13992 domains

  [i] Target: https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 8344 domains
  [i] List stayed unchanged

  [i] Target: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
  [✓] Status: No changes detected
  [i] Analyzed 63 domains

  [i] Target: https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
  [✓] Status: No changes detected
  [i] Analyzed 2735 domains

  [i] Target: https://v.firebog.net/hosts/Prigent-Crypto.txt
  [✓] Status: No changes detected
  [i] Analyzed 14339 domains

  [i] Target: https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 2189 domains
  [i] List stayed unchanged

  [i] Target: https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
  [✓] Status: No changes detected
  [i] Analyzed 2046 domains

  [i] Target: https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt
  [✓] Status: Retrieval successful
  [i] Analyzed 8147 domains
  [i] List stayed unchanged

  [i] Target: https://raw.githubusercontent.com/Te-k/stalkerware-indicators/master/generated/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 831 domains
  [i] List stayed unchanged

  [i] Target: https://urlhaus.abuse.ch/downloads/hostfile/
  [✓] Status: Retrieval successful
  [i] Analyzed 710 domains
  [i] List has been updated

  [i] Target: https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser
  [✓] Status: No changes detected
  [i] Analyzed 3496 domains

  [✓] Creating new gravity databases
  [✓] Storing downloaded domains in new gravity database
  [✓] Building tree
  [✓] Swapping databases
  [✓] The old database remains available.
  [i] Number of gravity domains: 6862889 (3698728 unique domains)
  [i] Number of exact blacklisted domains: 0
  [i] Number of regex blacklist filters: 1
  [i] Number of exact whitelisted domains: 5585
  [i] Number of regex whitelist filters: 1922
  [i] FTL is not running
  [✓] Cleaning up stray matter

  [✓] FTL is listening on port 53
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

@here this is going to contain my much more sane pihole configuration stuff. It does not have 6 bajillion URLs. I found that to be problematic. I moved back down to 3.5 mil. My whitelists are fairly liberal. YMMV

UPDATE: Now helpful information index is in post 2

2 Likes

Yours is a blacklist, not a whitelist. You allow everything and block undesirable stuff.

Whitelist FTW! Block everything and only allow desirable stuff.

2 Likes

This is true but this is painstaking and annoying. For me my perspective is: (not popular) As you encounter annoyances use the engineering youve created here with PiHole to make it more sane for you. Blocking everything is very difficult to maintain for more than just yourself which is the case for most people. Its a difference of use case if im more to my point

3 Likes

Agreed.

I wouldn’t say that’s unpopular, that’s what most people do, even in big corporations. I think mine’s an unpopular opinion. I mean, it is probably agreed upon, not not followed. So I can’t say either are popular or unpopular.

2 Likes

Well its more about pragmatism and less about being to the letter. Its like RFC. If you see my length post above. Im in violation of it

2 Likes

Man I couldnt get DoT working for the life of me a year ago. But now I have it. Took me like an hour of re configuring everything and i fixed it. Only thing is android and iphone are not working… Desktops and laptops are good to go.

@PhaseLockedLoop Ill post here since this is the main thread.

ugh id prefer not to… Lounge is simple for diagnosis LOL but you can if you wish