DNS-over-HTTPS (DoH) offers privacy benefits by encrypting DNS queries, but it can also present challenges for network administrators seeking to enforce security policies, apply content filtering, or monitor network traffic. This guide provides a detailed walkthrough of various methods to block or control DoH traffic within your pfSense firewall.
Unlike traditional DNS queries over UDP or TCP port 53, DoH uses HTTPS (port 443), the standard port for secure web traffic. This makes it significantly more difficult to block effectively using simple port filtering. Attempts to block port 443 will disrupt legitimate HTTPS website access. Therefore, more sophisticated techniques are required.
Several strategies can be employed to mitigate the use of DoH within your network. The effectiveness of each method depends on the sophistication of the clients and the DoH providers used.
The most straightforward method is to configure the pfSense DNS Resolver to refuse DoH and DoT requests. This is done at the DNS resolver level, not in a firewall rule. Clients that use the pfSense box as their DNS server are then limited to the settings configured there. The limitation is that this only works for clients that actually use pfSense as their DNS server; it does not stop a client from reaching an external resolver that supports DoH.
pfSense, with the addition of suitable packages, can perform deep packet inspection (DPI) to identify and block DoH traffic. This involves inspecting the HTTPS traffic to identify the DNS queries carried inside it. This method is more effective than simple port blocking, but it is resource-intensive and requires a pfSense package that offers DPI capabilities, along with rules tailored to DoH.
Deep packet inspection can significantly impact network performance, especially on systems with limited resources. Carefully consider its deployment and optimize your rules to minimize overhead.
Some DNS forwarders (such as Unbound) can be configured to specifically block DoH requests. You can configure pfSense to forward all DNS requests to such an external forwarder and rely on its DoH blocking capabilities. This offloads the processing to a specialized server while keeping DNS management centralized.
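The resolver-side approach above (the pfSense DNS Resolver and a DoH-aware Unbound forwarder) comes down to refusing to resolve the hostnames of DoH endpoints, so that clients pointed at the resolver cannot bootstrap a DoH connection by name. The following is an added example, not code from the page or from pfSense: it renders an Unbound `local-zone` blocklist that is assumed to be pasted into the DNS Resolver custom options box, and it scans Unbound query-log lines to report which clients attempted such lookups. The hostnames in `DOH_HOSTNAMES` and the log lines are illustrative and constructed here.

```python
"""Added example (not from the page): build an Unbound local-zone blocklist for
DoH endpoint hostnames and flag clients that tried to resolve them."""
import re
from collections import defaultdict

# Illustrative list of public DoH endpoint hostnames; maintain your own.
DOH_HOSTNAMES = ["dns.google", "cloudflare-dns.com", "dns.quad9.net"]


def unbound_blocklist(hostnames):
    """Render 'local-zone' lines that answer NXDOMAIN for each DoH hostname
    and every label beneath it. The leading 'server:' is what pfSense's
    custom-options box expects (assumption based on pfSense's Unbound setup)."""
    lines = ["server:"]
    for name in sorted({h.strip().rstrip(".").lower() for h in hostnames}):
        lines.append(f'  local-zone: "{name}." always_nxdomain')
    return "\n".join(lines) + "\n"


# Unbound query-log lines (log-queries: yes) carry: info: <client> <qname> <qtype> <qclass>
QUERY_RE = re.compile(r"info: (\S+) (\S+)\. (\S+) IN$")


def doh_lookups(log_lines, hostnames):
    """Return {client_ip: sorted DoH hostnames queried} for clients whose
    queries name a blocked endpoint or any subdomain of one."""
    blocked = {h.strip().rstrip(".").lower() for h in hostnames}
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line.strip())
        if not m:
            continue
        client, qname = m.group(1), m.group(2).lower()
        for h in blocked:
            if qname == h or qname.endswith("." + h):
                hits[client].add(h)
    return {c: sorted(v) for c, v in hits.items()}


# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    "[1700000000] unbound[1234:0] info: 192.168.1.10 dns.google. A IN",
    "[1700000001] unbound[1234:0] info: 192.168.1.10 example.com. A IN",
    "[1700000002] unbound[1234:0] info: 192.168.1.20 chrome.cloudflare-dns.com. AAAA IN",
    "[1700000003] unbound[1234:0] info: 192.168.1.30 www.example.org. A IN",
]

if __name__ == "__main__":
    print(unbound_blocklist(DOH_HOSTNAMES))
    for client, names in doh_lookups(SAMPLE_LOG, DOH_HOSTNAMES).items():
        print(f"{client} attempted DoH bootstrap lookups: {', '.join(names)}")
```

A client that appears in the report has a DoH-capable application trying to bootstrap by name; the same client can still reach a resolver by hard-coded IP, which is why the page pairs this method with firewall and DPI controls.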
Though less common for DNS, some advanced application-layer gateways (ALGs) might be modifiable to handle DoH traffic. This requires a strong understanding of pfSense's ALG configuration and might involve custom scripting or configuration. This method is not recommended for novice users.
The least effective, but sometimes necessary, approach is to configure the clients themselves to disable or prevent the use of DoH. This involves modifying client-side DNS settings, often through operating system or browser configuration. It becomes time-consuming when many clients must be managed.
The optimal method for blocking DoH depends on your network's size, security requirements, and technical expertise. For smaller networks, disabling DoH on client devices might suffice. For larger or more security-sensitive environments, implementing DPI or using a DoH-blocking DNS forwarder is generally recommended. Remember to always test your chosen method to ensure it effectively blocks DoH traffic without disrupting legitimate HTTPS connections.
Blocking DoH in pfSense requires a multifaceted approach. While complete prevention might be challenging, implementing a combination of the methods described above significantly reduces the risk associated with uncontrolled DoH usage and allows for better monitoring and control of your network's DNS traffic.