
After seeing every implementation of DoH giving a flying fuck about your actual network settings, I’ve decided it’s a technology I want nothing to do with.

I’ve actually actively blocked DoH for the major providers on my router, by writing some custom iptables rules.

Hopefully there will be a simple-to-use OpenWrt package you can install to do this automatically in the future.



Could you share those iptables rules please?


I'll have to correct myself. It seems I gave up on the iptables approach because it had some correctness errors.

Instead I ended up with these lines in /etc/config/firewall:

    config rule
        option target 'ACCEPT'
        option name 'Allow router to perform DNS'
        option family 'ipv4'
        option src_ip '192.168.1.1'
        option dest_port '53'
        option src '*'
        option dest '*'
    
    config rule
        option src 'lan'
        option name 'Disallow Google DNS from LAN'
        option family 'ipv4'
        option dest_ip '8.8.8.8'
        option target 'REJECT'
        option dest 'wan'
    
    config rule
        option src 'lan'
        option name 'Disallow Google DNS from LAN (2)'
        option dest 'wan'
        option family 'ipv4'
        option dest_ip '8.8.4.4'
        option target 'REJECT'
    
    config rule
        option src 'lan'
        option name 'Disallow Cloudflare DOH from LAN'
        option dest_ip '1.1.1.1'
        option dest_port '443'
        option target 'REJECT'
        option proto 'tcp'
        option family 'ipv4'
        option dest 'wan'
    
    config rule
        option src 'lan'
        option name 'Disallow Cloudflare DOH from LAN (2)'
        option proto 'tcp'
        option dest 'wan'
        option dest_ip '1.0.0.1'
        option dest_port '443'
        option family 'ipv4'
        option target 'REJECT'
    
    config rule
        option src 'lan'
        option name 'Disallow Cloudflare DOH from LAN (3)'
        option dest_ip '104.16.249.249'
        option family 'ipv4'
        option dest 'wan'
        option target 'REJECT'

Pretty much as basic as you'd think.

The router itself acts as a DNS server via dnsmasq, and is allowed to do anything I decide I want.

On my network I have a pi-hole instance which then forwards queries to the router, so it also intercepts/looks up local LAN names correctly.

All clients on the network are provided the pi-hole as the canonical DNS server to use via DHCP options.

Works for me.


The real difficulty as time goes on is to update the list.
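The rule set above is a hand-maintained list of resolver addresses, and the follow-up points out that keeping that list current is the real chore. As an added example (not the commenter's code or an OpenWrt tool), the script below generates the same kind of `config rule` stanzas from a single resolver list, so updating the list means editing one table and regenerating, and it includes a small parser plus a `covers()` check so you can verify which LAN-to-WAN flows the generated rules would reject before loading them. The resolver table is constructed from the addresses that appear in the comment above; the UCI option names it emits (`src`, `dest`, `dest_ip`, `dest_port`, `proto`, `family`, `target`, `name`) are standard OpenWrt firewall options. The router's own ACCEPT rule is deliberately left hand-written.

```python
"""Generate OpenWrt UCI 'config rule' stanzas that reject known public DNS /
DoH resolvers from the LAN, mirroring the hand-written rules in the thread.

Added example, not the commenter's configuration. KNOWN_RESOLVERS is
constructed from the addresses quoted in the thread; anything you add to it
is your own assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Resolver:
    label: str                   # free text used in the rule name
    ip: str                      # destination address to reject
    port: Optional[int] = None   # None -> all ports
    proto: Optional[str] = None  # None -> any protocol


# Constructed from the addresses in the thread above.
KNOWN_RESOLVERS = [
    Resolver("Google DNS", "8.8.8.8"),
    Resolver("Google DNS", "8.8.4.4"),
    Resolver("Cloudflare DOH", "1.1.1.1", 443, "tcp"),
    Resolver("Cloudflare DOH", "1.0.0.1", 443, "tcp"),
    Resolver("Cloudflare DOH", "104.16.249.249"),
]


def family_of(ip: str) -> str:
    """Return the UCI 'family' value ('ipv4' or 'ipv6') for an address."""
    return "ipv4" if ip_address(ip).version == 4 else "ipv6"


def render_rule(r: Resolver, index: int) -> str:
    """Render one REJECT stanza; index > 1 gets the '(n)' suffix used above."""
    name = f"Disallow {r.label} from LAN" + (f" ({index})" if index > 1 else "")
    lines = [
        "config rule",
        "    option src 'lan'",
        f"    option name '{name}'",
        f"    option family '{family_of(r.ip)}'",
        f"    option dest_ip '{r.ip}'",
    ]
    if r.port is not None:
        lines.append(f"    option dest_port '{r.port}'")
    if r.proto is not None:
        lines.append(f"    option proto '{r.proto}'")
    lines += ["    option dest 'wan'", "    option target 'REJECT'"]
    return "\n".join(lines)


def render_config(resolvers) -> str:
    """Render all stanzas, skipping duplicate (ip, port, proto) entries so
    re-running with an updated list stays idempotent."""
    seen, counts, out = set(), {}, []
    for r in resolvers:
        key = (r.ip, r.port, r.proto)
        if key in seen:
            continue
        seen.add(key)
        ip_address(r.ip)  # raises ValueError on a typo in the list
        counts[r.label] = counts.get(r.label, 0) + 1
        out.append(render_rule(r, counts[r.label]))
    return "\n\n".join(out) + "\n"


def parse_rules(text: str) -> list:
    """Parse 'config rule' stanzas back into dicts (covers what this emits)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line == "config rule":
            rules.append({})
        elif line.startswith("option ") and rules:
            _, key, value = line.split(" ", 2)
            rules[-1][key] = value.strip("'")
    return rules


def covers(rules, ip: str, port=None, proto=None) -> bool:
    """True if some REJECT rule matches a LAN->WAN flow to ip:port/proto.
    A rule without dest_port/proto matches any port/protocol."""
    for rule in rules:
        if rule.get("target") != "REJECT" or rule.get("dest_ip") != ip:
            continue
        if "dest_port" in rule and str(port) != rule["dest_port"]:
            continue
        if "proto" in rule and proto != rule["proto"]:
            continue
        return True
    return False


if __name__ == "__main__":
    cfg = render_config(KNOWN_RESOLVERS)
    print(cfg)
    print("1.1.1.1:443/tcp rejected:", covers(parse_rules(cfg), "1.1.1.1", 443, "tcp"))
```

Two caveats the `covers()` check makes visible: a stanza with no `dest_port` (such as the one for 104.16.249.249) rejects every flow to that address, so anything else served from that CDN address is blocked too; and a port-443 stanza cannot tell DoH apart from ordinary HTTPS to the same address, while leaving any other port (for example 853 for DNS over TLS) untouched unless you add a rule for it.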



