PiHole with upstream dns-over-tls or dns-over-https.
Anybody who wants to can get around DNS blocks. Sure it’ll stop Aunt Sally, but anyone who cares will get around it. It’s a really dumb way of doing things.
It’s trivial for me to detect and block dns over https with modern firewalls.
How? I don’t see what could find dns-over-https in the middle of other https traffic?
There is a lot more to modern firewall app detection than ports. My Palo Alto has a specific category to detect and block dns over https.
Even Palo Alto notes that they can only effectively block DoH if you’re MITMing all https traffic already (e.g. using a root certificate on corporate-managed devices). If not able to MITM the connection, it will still try to block popular DoH providers, though.
https://live.paloaltonetworks.com/t5/blogs/protecting-organizations-in-a-world-of-doh-and-dot/ba-p/313171
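As an added illustration of the distinction raised in the comments above (not code from the thread or from Palo Alto): a two-tier DoH classifier in Python. Without TLS decryption only the ClientHello SNI is visible, so only resolvers on a known list can be flagged; with decryption, the RFC 8484 media type and the /dns-query path identify DoH to any server, including a self-hosted one. The hostnames, flows and the `decrypted` flag are constructed sample data and assumptions for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Illustrative list of public DoH resolver hostnames (constructed for this example;
# a firewall's "dns-over-https" app category is essentially a maintained, larger list).
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# RFC 8484 wire format plus the JSON variant offered by some public resolvers.
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}


@dataclass
class Flow:
    sni: str                             # TLS SNI, visible without decryption
    path: Optional[str] = None           # HTTP request path, visible only if decrypted
    content_type: Optional[str] = None   # HTTP Content-Type, visible only if decrypted


def classify(flow: Flow, decrypted: bool) -> str:
    """Return 'doh-known-provider', 'doh-content' or 'unknown' for one HTTPS flow."""
    host = flow.sni.lower().rstrip(".")
    # Tier 1: SNI/hostname match; works without MITM but only for listed providers.
    if any(host == h or host.endswith("." + h) for h in KNOWN_DOH_HOSTS):
        return "doh-known-provider"
    # Tier 2: content inspection; only possible when the firewall decrypts TLS.
    if decrypted:
        ctype = (flow.content_type or "").split(";")[0].strip().lower()
        if ctype in DOH_CONTENT_TYPES or (flow.path or "").startswith("/dns-query"):
            return "doh-content"
    return "unknown"


# Constructed sample flows: a public resolver, a self-hosted resolver, ordinary web traffic.
SAMPLE_FLOWS: List[Flow] = [
    Flow("dns.google", "/dns-query", "application/dns-message"),
    Flow("doh.example.net", "/dns-query", "application/dns-message"),
    Flow("www.example.org", "/index.html", "text/html; charset=utf-8"),
]


def run(decrypted: bool) -> List[str]:
    """Classify all sample flows under the given visibility assumption."""
    return [classify(f, decrypted) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    print("without MITM:", run(decrypted=False))
    print("with MITM:   ", run(decrypted=True))
```

The self-hosted resolver in the second flow is exactly the case the Palo Alto note describes: invisible to SNI-based blocking, caught only once the firewall can read the HTTP layer.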