Hello SMB admins,
Inspired by this thread
https://community.checkpoint.com/t5/Access-Control-Products/How-to-deal-with-DNS-over-HTTPS-DNS-over...
I decided to play a bit and came up with a simple command to block DoH providers on SMB using 'sim dropcfg':
#!/bin/sh
DB_FILE=/tmp/public-resolvers-doh.db
# Fetch the dnscrypt resolver feed, keep only the entries whose proto is "DoH",
# pull the IPv4 addresses out of their addrs lists and turn each one into a
# SecureXL drop template line (TCP/443 to that address).
# Note: -k skips certificate verification of the download, so the feed is taken on trust.
curl_cli -sk https://download.dnscrypt.info/dnscrypt-resolvers/json/public-resolvers.json | jq -r '.[] | select(.proto == "DoH") | .addrs[]' | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -n | uniq | awk '{print "dst " $0 " dport 443 proto 6"}' > "$DB_FILE"
# Abort if the download or the parsing produced nothing, rather than loading an empty list
# ([ -s ] is POSIX; the bash-only "==" test does not work under /bin/sh)
if [ ! -s "$DB_FILE" ]; then
    echo "error: failed to download DoH providers list"
    rm -f "$DB_FILE"
    exit 1
fi
# Well-known resolvers added by hand
echo "dst 1.1.1.1 dport 443 proto 6" >> "$DB_FILE"
echo "dst 104.16.248.249 dport 443 proto 6" >> "$DB_FILE"
echo "dst 8.8.4.4 dport 443 proto 6" >> "$DB_FILE"
# Load the list as SecureXL drop templates (-e enable, -y no prompt, -f rule file)
sim dropcfg -e -y -f "$DB_FILE"
This will only block DoH providers as DNSCrypt ones have application recognition already. But if you need them too, it is easy to adapt...
Use 'sim dropcfg -l' to check current stats.
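For anyone who wants to see what the curl/jq/grep pipeline above actually does to the feed before loading it into the gateway, here is an added example (my own illustration, not code from the original post or from Check Point) that builds the same "dst <ip> dport 443 proto 6" lines in Python. It goes a little beyond the one-liner: it selects DoH entries by their proto field, strips ":port" suffixes from addrs, reports IPv6 and malformed entries that the IPv4 regex would otherwise drop silently, de-duplicates, and refuses to emit an empty list. The JSON is a constructed sample in the shape of public-resolvers.json (name, proto, addrs), not the live feed; the 203.0.113.x / 198.51.100.x / 2001:db8:: addresses are documentation ranges.

```python
"""Build SecureXL drop template lines from a dnscrypt public-resolvers style feed.

Added example, not part of the original post. Field names (name, proto, addrs)
follow public-resolvers.json; SAMPLE_FEED below is constructed test data.
"""
import ipaddress
import json

# Constructed sample in the shape of public-resolvers.json (not the real feed).
SAMPLE_FEED = json.dumps([
    {"name": "example-doh",      "proto": "DoH",      "addrs": ["203.0.113.10", "203.0.113.10:443"]},
    {"name": "example-doh-v6",   "proto": "DoH",      "addrs": ["[2001:db8::53]:443"]},
    {"name": "example-dnscrypt", "proto": "DNSCrypt", "addrs": ["198.51.100.7:8443"]},
    {"name": "example-doh-2",    "proto": "DoH",      "addrs": ["203.0.113.2", "not-an-ip"]},
])


def _host_of(addr):
    """Strip a trailing ':port' from 'a.b.c.d:443' or '[v6]:443'; return the host part."""
    if addr.startswith("[") and "]" in addr:   # bracketed IPv6, possibly with port
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:                    # IPv4 with port
        return addr.split(":", 1)[0]
    return addr                                 # bare IPv4 or bare IPv6


def doh_ipv4_targets(feed_json):
    """Return (sorted unique IPv4 addresses of DoH entries, list of skipped addr strings).

    DNSCrypt entries are left alone, as the post says they are already covered by
    application recognition. IPv6 and unparsable strings are returned as skipped
    so the operator can see what the IPv4-only drop list does not cover.
    """
    wanted, skipped = set(), []
    for entry in json.loads(feed_json):
        if entry.get("proto") != "DoH":
            continue
        for addr in entry.get("addrs", []):
            try:
                ip = ipaddress.ip_address(_host_of(addr))
            except ValueError:
                skipped.append(addr)
                continue
            if ip.version == 4:
                wanted.add(ip)
            else:
                skipped.append(addr)
    return [str(ip) for ip in sorted(wanted)], skipped


def drop_rules(feed_json, extra_ipv4=()):
    """Render 'dst <ip> dport 443 proto 6' lines, as consumed by 'sim dropcfg -f'.

    extra_ipv4 mirrors the hand-added resolvers in the post; each is validated.
    Raises RuntimeError instead of producing an empty list, matching the script's
    "failed to download" check.
    """
    ips, _skipped = doh_ipv4_targets(feed_json)
    for ip in extra_ipv4:
        ipaddress.IPv4Address(ip)           # raises ValueError on a bad address
        if ip not in ips:
            ips.append(ip)
    if not ips:
        raise RuntimeError("no DoH IPv4 addresses found; refusing to load an empty drop list")
    return ["dst %s dport 443 proto 6" % ip for ip in ips]


if __name__ == "__main__":
    # Write the list to the same path the post uses, then review it before loading.
    rules = drop_rules(SAMPLE_FEED, extra_ipv4=("1.1.1.1", "8.8.4.4"))
    with open("/tmp/public-resolvers-doh.db", "w") as fh:
        fh.write("\n".join(rules) + "\n")
    _ips, skipped = doh_ipv4_targets(SAMPLE_FEED)
    print("%d rules written; skipped (not IPv4): %s" % (len(rules), skipped))
```

Running it with the sample data yields two DoH IPv4 rules plus the two hand-added resolvers and reports the IPv6 and malformed entries as skipped; point it at the real feed with curl_cli and hand the resulting file to sim dropcfg exactly as in the script above.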