<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=NL link=blue vlink=purple><div class=WordSection1>
<p class=MsoNormal><span lang=EN-GB style='mso-fareast-language:EN-US'>The canary domain has been supported for some time; I do not know exactly when it was introduced.</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span lang=EN-GB style='mso-fareast-language:EN-US'>At DDWRT we use the same setup to block unwanted DNS:</span></p>
<p class=MsoNormal><span lang=FR style='mso-fareast-language:EN-US'>Redirect ports 53, 5353, 9953 (see below)</span></p>
<p class=MsoNormal><span lang=FR style='mso-fareast-language:EN-US'>Block port 853</span></p>
<p class=MsoNormal><span lang=EN-GB style='mso-fareast-language:EN-US'>Use IPSET with a DoH blocklist to block at the firewall.</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span lang=EN-GB style='mso-fareast-language:EN-US'>There are some loopholes you might also want to close: AdGuard listens on port 5353; you can redirect it, but be careful if you use mDNS/Bonjour: in that case do not redirect the multicast address (</span><span class=ipaddr><i><span lang=EN-GB>224.0.0.251</span></i></span><span lang=EN-GB>).</span></p>
<p class=MsoNormal><span lang=EN-GB style='mso-fareast-language:EN-US'>Quad9 also listens on port 9953; you can redirect that to 53 as well.</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span lang=EN-GB style='mso-fareast-language:EN-US'>Erik</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><b>From:</b> Eric Fahlgren &lt;ericfahlgren@gmail.com&gt;<br><b>Sent:</b> Monday 19 December 2022 18:09<br><b>To:</b> egc6774@gmail.com<br><b>CC:</b> Michael Smith &lt;michael@kmaclub.com&gt;; Jonathan Stafford &lt;thecabinet@gmail.com&gt;; dnsmasq-discuss@lists.thekelleys.org.uk<br><b>Subject:</b> Re: [Dnsmasq-discuss] Change upstream server by client?</p>
<p class=MsoNormal>&nbsp;</p>
<div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>Thank you, I had not realized that '<a href="http://use-applications-dns.net">use-applications-dns.net</a>' was specialized like that, very interesting! My adblock lists already contained that host, which I now know triggers Firefox (and hopefully others?) to disable their DoH automatically. I do wonder when Mozilla implemented this though; there's no version or date on that page.</span></p></div>
<div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>&nbsp;</span></p></div>
<div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>In addition to my firewall-rule-based blocking of DoH hosts by IP, I also have all of the same DoH hosts listed by name in the dnsmasq config, so with luck the firewall rules are completely redundant.
If you look at the nightly-updated part of the config you see these three lines (along with about 300k other hosts, see <a href="https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-domains_overall.txt">https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-domains_overall.txt</a> for just the DoH host names).<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>...<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>local=/<a href="http://use-application-dns.net/">use-application-dns.net/</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>...<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>local=/<a href="http://doh.dns.apple.com/">doh.dns.apple.com/</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>local=/<a href="http://doh.opendns.com/">doh.opendns.com/</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>...<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>I'm running bog standard dnsmasq 2.86, and the speed is blazing, no measurable degradation in performance with as many as a half million entries in the block lists. The "production" router is a PCengines APU2 (x86), system has 4GB RAM and less than 200MB is used - by everything, not just dnsmasq - when these lists are loaded. 
In fact, I'd venture to say that my current setup has better performance than passing, say, 1.1.1.1 around, since dnsmasq is caching results locally for all machines, rather than hitting the internet for every device.</span></p></div>
<div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>&nbsp;</span></p></div></div>
<p class=MsoNormal>&nbsp;</p>
<div><div><p class=MsoNormal>On Mon, Dec 19, 2022 at 5:13 AM &lt;<a href="mailto:egc6774@gmail.com">egc6774@gmail.com</a>&gt; wrote:</p></div>
<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>For Firefox you can also set a canary domain: <a href="https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet" target="_blank">https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet</a></span></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>That is what we also do to redirect DNS requests to the router (I am a DDWRT developer).</span></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>&nbsp;</span></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>Erik</span></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>&nbsp;</span></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Eric Fahlgren &lt;<a href="mailto:ericfahlgren@gmail.com" target="_blank">ericfahlgren@gmail.com</a>&gt;<br><b>Sent:</b> Sunday 18 December 2022 19:44<br><b>To:</b> Michael Smith &lt;<a href="mailto:michael@kmaclub.com" target="_blank">michael@kmaclub.com</a>&gt;<br><b>CC:</b> Jonathan Stafford &lt;<a href="mailto:thecabinet@gmail.com" target="_blank">thecabinet@gmail.com</a>&gt;; <a href="mailto:dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">dnsmasq-discuss@lists.thekelleys.org.uk</a><br><b>Subject:</b> Re: [Dnsmasq-discuss] Change upstream server by client?</p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;</p>
<div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>Well, the real issue is DNS "leakage", because some (most?) browsers and lots of phone apps use their own resolvers, thus bypassing your advertised DNS resolver. My solution is on the router: I set up dnsmasq as my local resolver (with adblock and DNSSEC; stubby is my backend for DoT), don't even bother advertising it, and then have three sets of firewall rules to make sure all hosts adhere to the One True DNS:</span></p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>&nbsp;</span></p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>1) DNS redirect: All LAN device requests to WAN (or LAN) at port 53 are redirected to the router:53.</span></p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>2) DoT block: All LAN devices attempting to access port 853 anywhere are blocked.</span></p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>3) DoH block: All LAN devices that attempt to access port 443 on WAN are checked against a couple of sets of host IP addresses (one each for IPv4 and v6), and if the external host is a known DoH resolver, the request is blocked. (I update nightly from <a href="https://github.com/dibdot/DoH-IP-blocklists" target="_blank">https://github.com/dibdot/DoH-IP-blocklists</a>.)</span></p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>&nbsp;</span></p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>When setting this up, I would watch tcpdump for various requests and convinced myself that I was catching 99% of everything, but I have not even tried to figure out DNS-over-QUIC and how it might be getting past my rules.</span></p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>&nbsp;</span></p></div>
<div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>#1 means that if I go to any machine in the house and say 'nslookup blarg.com 8.8.8.8' or 'dig @8.8.8.8 blarg.com', then I see my router as the DNS resolver in the response, even though I explicitly asked for 8.8.8.8 to resolve it. Which in turn means that DNS configuration on a per-machine basis is not required, and anyone connecting to my network is subject to my rules.</span></p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>&nbsp;</span></p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>#3 causes some browsers to hang because they really, really want to use DoH. Usually there is a browser setting to disable DoH, so it resorts to plain DNS (at least there is in Firefox, which is what I make everyone here use; yeah, I'm a dictator :) ).</span></p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>&nbsp;</span></p></div></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif;color:black'>&nbsp;</span></p></div></div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;</p>
<div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Sun, Dec 18, 2022 at 9:57 AM Michael Smith &lt;<a href="mailto:michael@kmaclub.com" target="_blank">michael@kmaclub.com</a>&gt; wrote:</p></div>
<blockquote style='border:none;border-left:solid windowtext 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I am not aware of a way, but hopefully someone else has ideas.</p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;</p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I run two instances of pihole. One, for the grown-ups, points upstream to 1.1.1.1 and the other points to 1.1.1.3.</p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;</p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Then I use similar stanzas below to point the clients to the right pihole.</p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;</p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Michael</p></div>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>&nbsp;</p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>On Dec 18, 2022, at 9:10 AM, Jonathan Stafford &lt;<a href="mailto:thecabinet@gmail.com" target="_blank">thecabinet@gmail.com</a>&gt; wrote:</p></blockquote></div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks, Michael. That will work to get them using that server, but it's totally bypassing dnsmasq, which means my local entries from /etc/hosts don't resolve.
I'd like both things to work to be difficult :)<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Sun, Dec 18, 2022 at 10:36 AM Michael Smith <<a href="mailto:michael@kmaclub.com" target="_blank">michael@kmaclub.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid windowtext 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 12/18/22 06:59, Jonathan Stafford wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>--server provides a way to change upstream resolvers based on the domain being queried. Is there a way to make the same sort of change based on the client doing the querying? For example, I'd like the IP address range I use for my kids' devices to use 1.1.1.3. 
</p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;</p></div></div></blockquote>
<p>&nbsp;</p>
<p>You can achieve this using tags:</p>
<p>&nbsp;</p>
<p><span style='font-family:"Courier New";color:black;background:white'># Define DNS servers</span><span style='font-family:"Courier New"'><br>dhcp-option=option:dns-server,1.1.1.1<br><span style='color:black;background:white'>dhcp-option=tag:kidsdevices,option:dns-server,1.1.1.3</span></span></p>
<p>&nbsp;</p>
<p><span style='font-family:"Courier New";color:black;background:white'>dhcp-host=0c:51:01:95:d3:36,set:kidsdevices # iPad</span><span style='font-family:"Courier New"'><br>dhcp-host=58:41:4E:CD:D2:0A,set:kidsdevices # iPhone</span></p>
<p>&nbsp;</p>
<p><span style='font-family:"Courier New"'>Michael</span></p>
<p>&nbsp;</p></div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>_______________________________________________<br>Dnsmasq-discuss mailing list<br><a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br><a href="https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss" target="_blank">https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss</a></p></blockquote></div></div></blockquote></div></blockquote></div></div></div></div></blockquote></div></div></body></html>
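Added example, not taken from any message in this thread nor from dnsmasq or DD-WRT: a small Python helper that turns a DoH hostname/address feed in the one-entry-per-line style of the dibdot lists into the two artefacts Eric describes, dnsmasq `local=/name/` lines (with the `use-application-dns.net` canary added) and nftables sets for the port-443 block, while refusing entries that would firewall LAN, loopback or multicast ranges. The sample feed, the set names doh4/doh6 and the nft rule quoted in a comment are assumptions; the set syntax is plain nftables, not something the thread shows.

```python
import ipaddress
import re
CANARY_DOMAIN = "use-application-dns.net"   # Firefox disables DoH when this fails to resolve
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")   # RFC 1123 label: rejects URLs, wildcards
# Never firewall LAN, loopback, link-local or multicast (incl. mDNS 224.0.0.251),
# even if the downloaded feed is poisoned with such entries.
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

def is_hostname(name: str) -> bool:
    labels = name.split(".")
    return len(name) <= 253 and len(labels) > 1 and all(_LABEL.match(lab) for lab in labels)

def parse_blocklist(text: str):
    """Split a one-entry-per-line feed into (hostnames, ipv4, ipv6, rejected). Comments and
    blanks are skipped; bad or local-range entries are rejected rather than widening the rules."""
    hosts, v4, v6, rejected = set(), set(), set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:              # not an address, so it has to be a hostname
            net = None
        if net is None and is_hostname(entry):
            hosts.add(entry)
        elif net is None or any(net.overlaps(n) for n in _NEVER_BLOCK):
            rejected.append(raw)
        else:                           # single addresses are listed without /32 or /128
            single = net.prefixlen == net.max_prefixlen
            (v4 if net.version == 4 else v6).add(str(net.network_address) if single else str(net))
    return sorted(hosts), sorted(v4), sorted(v6), rejected
def dnsmasq_conf(hosts) -> str:
    """local=/name/ with no address: dnsmasq answers from local data only and never
    forwards the name upstream, so the DoH hosts and the canary do not resolve."""
    return "".join(f"local=/{h}/\n" for h in sorted(set(hosts) | {CANARY_DOMAIN}))
def nft_set(name: str, family: str, elems) -> str:
    """nftables set for a rule such as: ip daddr @doh4 tcp dport 443 drop"""
    body = f"    elements = {{ {', '.join(elems)} }}\n" if elems else ""
    return f"set {name} {{\n    type {family}\n    flags interval\n{body}}}\n"

# Constructed sample feed (not the real dibdot list); 203.0.113.53 and 2001:db8::53
# are documentation addresses standing in for real DoH resolver IPs.
SAMPLE_FEED = """\
doh.opendns.com
DOH.DNS.APPLE.COM.
203.0.113.53
2001:db8::53
192.168.1.1                      # poisoned entry: would cut the LAN off from its gateway
https://doh.example/dns-query    # a URL, not a hostname
"""
```

Feed the output of `dnsmasq_conf` to a file under dnsmasq's conf-dir and the `nft_set` output into the table that holds the LAN forward rule; anything in `rejected` deserves a log line rather than silent acceptance.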