How to block DoH DNS servers with iptables?

Hi!

I want to create some rules to block DoH DNS servers with iptables.

Is this right?

iptables -A INPUT -s 1.0.0.1 -j DROP
iptables -A INPUT -s 9.9.9.9 -j DROP
etc.

or?

iptables -A OUTPUT -s 1.0.0.1 -j DROP
iptables -A OUTPUT -s 9.9.9.9 -j DROP

Hello,

Frankly, I'm very puzzled by your question.

Let me explain myself: I am completely unaware whether Ubuntu MATE has any DoH resolver installed (and configured) by default, and whether there are some packages which silently use an embedded DoH resolver under the hood. Hence the reasoning: before you need to block DoH servers, you need to have a DoH client as a prerequisite.

Could you share some detail regarding the DoH client in question, please?

Anyway,


may help.

By the way, Ubuntu MATE has the pre-installed package 'ufw', which greatly simplifies netfilter configuration. See also

I use Pi-hole and dnscrypt with DNSSEC, and without DoH DNS servers.

I want to block these DoH DNS servers with iptables:

adguard.com
104.20.31.130
104.20.30.130

cdn.cloudflare.net
cloudflare-dns.com
dns.cloudflare.com
ian.ns.cloudflare.com
kim.ns.cloudflare.com
ns1.cloudflare-dns.com
ns2.cloudflare-dns.com
ns3.cloudflare-dns.com
todd.ns.cloudflare.com
173.245.59.118
104.16.249.249
104.16.248.249
1.1.1.1
1.0.0.1

ns0.comododns.com
ns1.comododns.com
ns0.comododns.net
ns1.comododns.net
8.26.56.26
8.20.247.20

commons.host
139.162.131.245

dns.aaflalo.me
176.56.236.175

dns.adguard.com
176.103.130.131
176.103.130.130

dns-family.adguard.com
176.103.130.134
176.103.130.132

dns.google
8.8.8.8
8.8.4.4

dns.quad9.net
dns9.quad9.net
dns10.quad9.net
149.112.112.112
149.112.112.11
149.112.112.10
149.112.112.9
9.9.9.11
9.9.9.10
9.9.9.9

dns.dns-over-https.com
45.77.124.64
45.32.253.116

dns.dnsoverhttps.net
104.236.178.232

dns-gcp.aaflalo.me
168.235.81.167

dns.nextdns.io
45.90.30.0
45.90.28.0

dns.rubyfish.cn
118.89.110.78
47.96.179.163

doh.armadillodns.net
206.189.215.75

doh.appliedprivacy.net
37.252.185.229

doh.captnemo.in
139.59.48.222

doh-ch.blahdns.com
104.19.199.29
104.19.198.29

doh.cleanbrowsing.org
185.228.168.168
185.228.168.10

doh.crypto.sx
104.28.1.106
104.28.0.106

doh.dns.sb
172.64.203.17
172.64.202.17

doh.dnswarden.com
116.203.70.156
116.203.35.255

doh-jp.blahdns.com
108.61.201.119

doh.li
46.101.66.244

doh.netweaver.uk
185.157.233.92

doh.powerdns.org
136.144.215.158

doh.securedns.eu
146.185.167.43

doh.tiar.app
174.138.29.175

jp.tiar.app
172.104.93.80

ns1.Level3.net
ns2.Level3.net
4.2.2.2
4.2.2.1

opendns.com
208.67.222.222
208.67.220.220

rdns.faelix.net
185.134.197.54
185.134.196.54
46.227.200.55
46.227.200.54

I don't want to use DoH DNS servers because of bad DNS security.
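Added example (not code from either poster): a small POSIX sh script that renders and, when asked, installs an iptables rule set blocking DNS-over-HTTPS from the host. The point it settles from the first post: packets this host sends to a resolver carry the resolver as destination, so the OUTPUT chain must match with -d; an OUTPUT rule with -s <resolver> never matches, because the source address is the host's own, and an INPUT rule with -s only drops the reply after the query has already left. The address list is a subset copied from the post above, the chain name DOH_BLOCK and the DOH_APPLY variable are this script's own choices, and it assumes IPv4 and an iptables binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders iptables rules that block
# outbound DNS-over-HTTPS from this host. Run as root with DOH_APPLY=1 to
# install them; without it the rules are only printed (dry run).
# Assumes IPv4 and iptables on PATH (legacy or nf_tables backend).

# Resolver addresses copied from the post above. They change over time, so
# re-check them (e.g. with dig +short <name>) before reloading the set.
DOH_SERVERS="1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9 149.112.112.112"

CHAIN=DOH_BLOCK   # dedicated chain so the whole set can be flushed and reloaded

# Render one rule. Outbound packets have the resolver as *destination*, hence -d.
# DoH rides on HTTPS, so match only tcp/443 rather than all traffic to the
# address. REJECT with a TCP reset makes a DoH client fail immediately and fall
# back to the system resolver instead of hanging until a timeout.
doh_rule() {
    printf 'iptables -A %s -d %s -p tcp --dport 443 -j REJECT --reject-with tcp-reset\n' \
        "$CHAIN" "$1"
}

# Render the complete set: create or flush the chain, one rule per resolver,
# then hook the chain into OUTPUT (traffic from this host) and FORWARD (traffic
# from LAN clients routed through this host, e.g. a Pi-hole box acting as gateway).
render_rules() {
    printf 'iptables -N %s 2>/dev/null || true\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    for ip in $DOH_SERVERS; do
        doh_rule "$ip"
    done
    # -C checks whether the jump already exists so repeated runs do not stack it
    printf 'iptables -C OUTPUT -j %s 2>/dev/null || iptables -I OUTPUT -j %s\n' "$CHAIN" "$CHAIN"
    printf 'iptables -C FORWARD -j %s 2>/dev/null || iptables -I FORWARD -j %s\n' "$CHAIN" "$CHAIN"
}

# Number of REJECT rules in the rendered set; a quick sanity check that every
# address in DOH_SERVERS produced a rule.
rule_count() {
    render_rules | grep -c -- '-j REJECT'
}

if [ "${DOH_APPLY:-0}" = "1" ]; then
    render_rules | sh -e    # install (needs root)
else
    render_rules            # dry run: show what would be installed
fi
```

Two caveats a practitioner will hit with this approach. Several of the addresses in the long list above (the 104.x and 172.64.x ones in particular) are shared Cloudflare CDN front ends, so rejecting tcp/443 to them will also break unrelated websites; confine the set to dedicated resolver addresses such as 1.1.1.1, 8.8.8.8 or 9.9.9.9 unless that collateral damage is acceptable. And this only covers DoH: DNS-over-TLS uses tcp/853 and needs its own rule, while plain DNS to the same resolvers (udp/53, tcp/53) is untouched, which is what you want if Pi-hole and dnscrypt are the only intended resolvers.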
