Block DoH providers on SMB

Hello SMB admins,

Inspired by this thread

I decided to play a bit and came up with a simple command to block DoH providers on SMB using 'sim dropcfg':

# Path of the drop template file is not shown in the original post; assumed here.
DB_FILE=/tmp/doh_providers.txt

# The download URL of the provider list was stripped from the post; fill it in.
DOH_LIST_URL="<URL of the DoH provider list, JSON entries with 'addrs' and 'proto'>"

# Fetch the list, pick out every IPv4 address in the output and turn each one into a
# "drop TCP/443 to this destination" template line.
# Note: '{addrs,proto:"DoH"}' only relabels each entry, it does not filter by protocol,
# so the addresses of every entry end up in the file (see the first reply for the
# filtering form).
curl_cli -sk "$DOH_LIST_URL" | jq '.[] | {addrs,proto:"DoH"}' | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -n | uniq | awk '{print "dst " $0 " dport 443 proto 6"}' > "$DB_FILE"

# An empty file means the download or the parsing failed; do not load it.
if [ "$(stat -c %s "$DB_FILE")" -eq 0 ]; then
  echo "error: failed to download DoH providers list"
  rm -f "$DB_FILE"
  exit 1
fi

# Resolver addresses added by hand (the IPs were stripped from the post; replace the placeholders).
echo "dst <resolver-ip-1> dport 443 proto 6" >> "$DB_FILE"
echo "dst <resolver-ip-2> dport 443 proto 6" >> "$DB_FILE"
echo "dst <resolver-ip-3> dport 443 proto 6" >> "$DB_FILE"

# Load the drop template file into SecureXL and enable it.
sim dropcfg -e -y -f "$DB_FILE"


This will only block DoH providers as DNScrypt ones have application recognition already. But if you need them too it is easy to adapt...

Use 'sim dropcfg -l' to check current stats.
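As an added example, not part of the original post or of Check Point's tooling: the same list-to-rules step done in Python, with the protocol filter the first reply suggests, a validity check on each dotted quad (the grep pattern in the script also accepts strings like 999.1.1.1), numeric sorting, and a refusal to produce an empty rule file. The JSON shape (an array of entries with addrs and proto fields) and every address in it are constructed; the extra_addresses argument stands in for the resolver IPs appended by hand in the script, which were stripped from the post.

```python
import ipaddress
import json
import re

# Constructed sample in the shape the thread's jq filter implies: a JSON array
# of entries carrying a "proto" and an "addrs" list. Names and addresses are
# made up (documentation ranges), not a real provider list.
SAMPLE_PROVIDERS_JSON = """
[
  {"name": "doh-a",   "proto": "DoH",      "addrs": ["203.0.113.10", "203.0.113.11"]},
  {"name": "doh-b",   "proto": "DoH",      "addrs": ["198.51.100.5:8443", "2001:db8::5"]},
  {"name": "crypt-a", "proto": "DNSCrypt", "addrs": ["192.0.2.77"]},
  {"name": "doh-dup", "proto": "DoH",      "addrs": ["203.0.113.10"]},
  {"name": "doh-bad", "proto": "DoH",      "addrs": ["999.1.1.1", "doh.example"]}
]
"""

# Same dotted-quad pattern the shell pipeline greps for.
IPV4_RE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")


def doh_ipv4_addresses(providers_json, proto="DoH"):
    """Sorted, de-duplicated IPv4 addresses of the entries whose proto matches.

    This is the select(.proto == "DoH") | .addrs step from the reply; without
    it the DNSCrypt entries would be blocked as well. Candidates that look
    like dotted quads but are not valid IPv4 (999.1.1.1) are dropped, and
    IPv6 literals or hostnames are ignored since the template lines are IPv4.
    """
    found = set()
    for entry in json.loads(providers_json):
        if entry.get("proto") != proto:
            continue
        for addr in entry.get("addrs", []):
            for candidate in IPV4_RE.findall(addr):
                try:
                    found.add(ipaddress.IPv4Address(candidate))
                except ipaddress.AddressValueError:
                    pass  # octet out of range: not a usable address
    # IPv4Address sorts numerically, unlike 'sort -n' on the dotted strings.
    return [str(ip) for ip in sorted(found)]


def drop_rules(addresses):
    """One 'sim dropcfg' template line per address: TCP (proto 6) to port 443."""
    return [f"dst {ip} dport 443 proto 6" for ip in addresses]


def build_drop_file(providers_json, extra_addresses=()):
    """Text of the template file: parsed DoH addresses, then the hand-added ones.

    Raises instead of returning an empty file, mirroring the size-zero check
    in the script: loading an empty template would silently block nothing.
    """
    addrs = doh_ipv4_addresses(providers_json)
    if not addrs:
        raise RuntimeError("no DoH provider addresses parsed; refusing to write an empty rule file")
    # Extras are validated the same way; a typo here would otherwise become a bogus rule.
    extras = [str(ipaddress.IPv4Address(ip)) for ip in extra_addresses]
    return "\n".join(drop_rules(addrs + extras)) + "\n"


if __name__ == "__main__":
    # Placeholder address standing in for the resolver IPs appended by hand in the script.
    print(build_drop_file(SAMPLE_PROVIDERS_JSON, extra_addresses=["192.0.2.1"]), end="")
```

Writing the returned text to the template file and loading it with sim dropcfg -f is the only step left; the point of validating each candidate is that a malformed line in the file is the kind of thing that makes the load fail or, worse, block nothing while -l reports the rules as active.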

4 Replies

Great idea! I'll keep this in my toolbox. I think you meant to use this jq though: jq '.[] | select(.proto == "DoH") | .addrs'

0 Kudos

Thanx! I am not exactly jq-master so I guess there is a better way to do it. This one seems to work fine as well.

0 Kudos

Cool stuff, wondering why it is missing Cloudflare DNS (, which responds on HTTPS too..

0 Kudos

Thanx for reminding me. I forgot to add them. Modified the script a little...

0 Kudos
