On Wed, 5 Jan 2022 19:42:33 +0100
<to...@tuxteam.de> wrote:

> On Wed, Jan 05, 2022 at 12:41:23PM -0500, Celejar wrote:
> 
> [...]
> 
> > The configuration I'm talking about is as follows: the browser makes
> > ordinary, unencrypted DNS requests to the Pi-hole, over a trusted
> > network
> 
> If the browser decides to make the DNS requests over HTTPS (DoH [1],
> that's what we are talking about), the DNS server in your Pi-hole doesn't
> even get to see those requests.

So tell the browser not to use DoH! Am I really being so unclear? My
point is that it's a straightforward matter to get the DNS requests of
your applications - browsers, and all other applications as well -
checked against blocklists, and then sent over DoH if they aren't
blocked by the lists.

> > (your LAN, or a VPN). HTTPS isn't necessary here insofar as you
> > trust your own network to be secure. (And if you're really worried about
> > intruders [...]
> 
> No, no. I'm not worried about those things. I'm worried that the
> browsers do their own thing to do name lookup so they escape my control
> (be it via /etc/hosts, be it via my own DNS server, local or Pi-hole).

I'm not sure why you're worried about browsers doing their own things
despite your telling them not to, or where anyone mentioned such a
concern in this thread, but if you are worried about that sort of
thing, then I agree that it's pretty much game over. Even if you block
known DoH servers at the firewall, I suppose you can always worry about
browsers contacting some unknown DoH server. And why stop there? Maybe
the browser will do some nefarious phoning home, using some homegrown
protocol, encapsulated inside HTTPS so you'll never know about it! The
bottom line is that yes, if you don't trust your browser and you allow it to
contact arbitrary sites over HTTPS, then it's game over.

> > https://www.reddit.com/r/pihole/comments/ku0i8k/configuring_dnsoverhttps_on_pihole/
> 
> Again: I'm not that much concerned about my lookups' privacy. The
> Pi-hole having an option to do DoH lookups is fine. But do I trust my
> browser to not do direct DoH lookups all by itself, bypassing my Pi-hole
> (or whatever I've set up as a controlled DNS)? What about its next
> version?

Celejar
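The filter-then-forward arrangement Celejar describes (check each application's DNS query against blocklists, then send the survivors upstream over DoH) is illustrated below. This is an added example, not code from the thread or from Pi-hole: the hosts-style blocklist is constructed, `https://doh.example/dns-query` is a placeholder resolver, and the wire-format encoding follows RFC 1035 with the GET form from RFC 8484 (whose own example URL for an A query of www.example.com this code reproduces). Nothing is sent on the network; the block only decides and builds the request.

```python
import base64
import struct

# Constructed sample blocklist in the hosts-file style Pi-hole consumes.
BLOCKLIST = """
# constructed example entries, not a real list
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
"""

# Placeholder DoH endpoint (assumption, not a real resolver).
RESOLVER_URL = "https://doh.example/dns-query"


def parse_blocklist(text):
    """Return the set of blocked names from hosts-style or bare-name lines."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        name = parts[1] if len(parts) > 1 else parts[0]  # "<addr> <name>" or "<name>"
        blocked.add(name.lower().rstrip("."))
    return blocked


def is_blocked(name, blocked):
    """A name is blocked if it, or any parent domain of it, is on the list."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def build_dns_query(name, qtype=1, txid=0):
    """Encode a minimal RFC 1035 query: header, one question, no other sections.
    txid 0 is what RFC 8484 recommends for the GET form so the URL is cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(resolver_url, wire):
    """RFC 8484 GET form: base64url-encoded message, padding stripped, in 'dns='."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def resolve_decision(name, blocked, resolver_url=RESOLVER_URL):
    """Return ('blocked', None) for listed names, else ('forward', doh_url)."""
    if is_blocked(name, blocked):
        return ("blocked", None)
    return ("forward", doh_get_url(resolver_url, build_dns_query(name)))


if __name__ == "__main__":
    blocked = parse_blocklist(BLOCKLIST)
    for query in ("www.example.com", "sub.ads.example.net", "example.net"):
        print(query, "->", resolve_decision(query, blocked))
```

The point the example makes is the one argued in the thread: this pipeline only works for queries that actually reach the filtering resolver. A client that talks DoH to its own endpoint never enters `resolve_decision`, which is why the browser has to be told to use the system resolver rather than its own.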
