[HELP] Redirecting DoH requests to internal DNS

Hello,

I know there are already many threads and posts all over the internet about DoH bypassing local DNS..
Some people, from what I have seen, use a blocking firewall rule that drops a DoH servers list (which breaks the internet for some users..)
(like this list from PiHole: https://github.com/jpgpi250/piholemanual/blob/master/DOHipv4.txt )

I would like some help with half a solution I have in mind (and I am sorry I do not even know if this is possible)

Can we redirect all requests to 443 port from the DoH list to our internal DNS 53 and masquerade(?) a reply back?

What I already have working for simple DNS 53 requests:

/ip firewall nat
add action=redirect chain=dstnat dst-address-type=!local dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat dst-address-type=!local dst-port=53 protocol=tcp to-ports=53
add action=masquerade chain=srcnat out-interface=wan1ether1

/ip dns
set allow-remote-requests=yes cache-max-ttl=2d cache-size=8192KiB max-concurrent-queries=200 max-concurrent-tcp-sessions=40 servers=208.67.222.222,208.67.220.222,208.67.222.220,208.67.220.220 use-doh-server=https://doh.umbrella.com/dns-query
/ip dns static
add address=192.168.20.1 name=Mikrotik_router

Can we add something like:

chain=dstnat action=dst-nat dst-address-list=DoHlist dst-port=443 protocol=udp to-addresses=192.168.20.1 to-ports=53

chain=dstnat action=dst-nat dst-address-list=DoHlist dst-port=443 protocol=tcp to-addresses=192.168.20.1 to-ports=53

So many questions..

  • will this work?
  • do we need to masquerade something back?
  • in what order should I add with my existing rules?
  • do we also need a firewall rule somewhere?

No.

OK :+1:
(thank you?)

I drop whatever I can on DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC, DNSCrypt etc., but blocking does not “break” anything as far as I know.
I’m not aware of any client/endpoint that does not work with traditional DNS.

I also redirect “classic” DNS requests to PiHole for further processing.

I can’t say I have any issues, but most depends on how the Pi-hole is configured etc.
From time to time I need to whitelist certain things or stuff is not working well etc.

DoH is a pest in normal situations. It should only be used in countries where people are oppressed or at war.

The Dutch are oppressed by the EU but we can still work around it without having to use the DoH weapon.

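As an added illustration of the approach described in this thread (drop the encrypted-DNS transports, keep redirecting classic port-53 DNS to the router), here is a RouterOS firewall fragment. It is not from the original posts or from MikroTik documentation; the address-list entries are placeholders that you would populate from a maintained DoH resolver list such as the one linked in the first post, `DoHlist` is the list name the original poster used, and the port-853 rules assume DoT/DoQ clients use the standard port.

```routeros
# Added example, not from the thread. Address-list entries are placeholders
# (TEST-NET-3 range); populate DoHlist from a maintained DoH resolver list.
/ip firewall address-list
add list=DoHlist address=203.0.113.10 comment="placeholder DoH resolver"
add list=DoHlist address=203.0.113.0/24 comment="placeholder DoH resolver range"

/ip firewall filter
# Log before dropping so you can see which clients still try encrypted DNS
# (this is how you find clients like the ad-blocker app mentioned later in
# the thread, whose browsers stop working once their resolver is dropped).
add chain=forward action=log log-prefix="DoH-block" dst-address-list=DoHlist protocol=tcp dst-port=443
# DoH (HTTPS) and DoH over HTTP/3 (QUIC on UDP) towards listed resolver IPs
add chain=forward action=drop dst-address-list=DoHlist protocol=tcp dst-port=443 comment="DoH"
add chain=forward action=drop dst-address-list=DoHlist protocol=udp dst-port=443 comment="DoH over HTTP/3"
# DoT and DoQ use a dedicated port (853) on any destination, so no list is needed
add chain=forward action=drop protocol=tcp dst-port=853 comment="DoT"
add chain=forward action=drop protocol=udp dst-port=853 comment="DoQ"
# These drops match the first packet of a new connection, so they still work
# after an "accept established,related" rule, but they must sit before any
# rule that accepts new forward traffic in general.

/ip firewall nat
# Classic DNS is still redirected to the router's own resolver, as in the
# original poster's rules; the DoH drops above live in the filter table and
# do not interact with the order of these NAT rules.
add chain=dstnat action=redirect dst-address-type=!local protocol=udp dst-port=53 to-ports=53
add chain=dstnat action=redirect dst-address-type=!local protocol=tcp dst-port=53 to-ports=53
```

The log rule is optional but is the cheapest way to measure how many clients a drop policy affects before you enforce it; watch the `DoH-block` prefix in /log for a few days and whitelist by source address where a device genuinely cannot fall back to plain DNS.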

Uuu DoH evil!! beware of DoH!! boo!
Stop spying on your users.
No, you can’t do what you want.

That is why there is DoT. DoH is a weapon and not a tool for normal situations.

Mikrotik should put some effort into supporting DoT and not stare blindly at DoH.


wow.. some people have strong feelings against DoH.. didn’t expect that when I asked..

anyway thank you all for clarifying that what I wished can’t be done.

If anyone has a solution, just post a link if possible.
The problem I have to face is a small budget hotel with limited bandwidth (50Mbps) to share between 40-50 mobile clients.. so one requirement was to cut porn (don’t judge, use a VPN). That was the fuss with DNS.

FYI about the “drop DoH” rules that some use in ROS: I had mobile clients, e.g. on Android with the Blokada app (a local VPN that cuts ads), whose mobile browsers couldn’t connect anywhere..

There is not only:

DoH (DNS over HTTPS)

there is also:

DoT (DNS over TLS)
DoQ (DNS over QUIC)

In summary, trying to redirect any of these is very much like trying to redirect an HTTPS web site or app: there are certificates involved to prevent impersonation, which makes redirection unviable.


Is some good QoS not an option? E.g. give all mobile clients 1Mbps if it gets busy, and if there is bandwidth unused let them use it.
There are some fancy QoS/queuing postings here on the forum.

Of course that would be the better option.

“Spying on [our] users”? Well, I trust my users; I don’t trust browsers, apps using DoH under the hood, companies running DoH services, devices, or any of them using 8.8.8.8 “because it is convenient/fast”. Do I trust my ISP? More than I trust Cloudflare, NextDNS or Google. Do I trust my government? More than I trust other ones.

For these reasons I prefer to provide a local DNS server and use unbound… My users are aware of it, none complains, none thinks that I want to “profile” them… Once it is explained, all consider this a “cool service” and are surprised by the numbers when I show them how many requests (which they were not aware of, originating from a media player, a smartphone, their Windows computer) are blocked.


This topic ain’t about you.

Sure, I should have written “stop being sarcastic” instead. My bad…

Some reading on DoH by jpgpi250:

https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf


From a network/systems admin point of view, DoH is a huge PITA!

I don’t really care what the users themselves do.. I do care what lookups malware is doing though.
