- blacklists entire domains using wildcards (using an "unbound" DNS resolver and forcing all traffic to my DNS resolver, preventing my browser to use DoH -- I can still then use DoH if I want, from unbound)
- reject or drop a huge number of known bad actors, regularly updated: they go into gigantic "ip sets" firewall rules
- (I came up with this one): use a little firewall rule that prevents any IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.
I do not care about what this breaks. The Web still works totally fine for me, including Google's G Suite (yeah, I know).
EDIT: just to be clear, seeing the comments I realize I wasn't very precise... I'm not saying all IDN domains are bad! What I'm saying is that in my day to day Web surfing, 99.99% of the websites I'm using do not use IDN and so, in my case, blocking IDN, up until today, is totally fine as it not only doesn't prevent me from surfing the Web (I haven't seen a single site I need breaking) but it also protects me from IDN homograph attacks. Your mileage may vary, and if you live in a country where it's normal to go to websites with internationalized domain names, then obviously you cannot simply drop all UDP packets attempting to resolve IDNs.
You can force traditional port 53 DNS protocol traffic to your own resolver with firewall rules; the same doesn't work for DoH. A DoH request to a domain your firewall blacklist doesn't have looks just like ordinary https/443 traffic and will pass unhindered.
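As an added example (not the commenter's firewall rule), here is a label-aware version of the same idea in Python: it parses a port-53 DNS query, flags every label carrying the IDNA "xn--" prefix and decodes it so a defender can see the Unicode name behind it. The query bytes are constructed inline; nothing is captured from a real network.

```python
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: minimal DNS A query; Unicode labels are punycoded as a stub resolver would send them."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label for label in name.encode("idna").split(b"."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_qname(packet: bytes) -> list:
    """Walk the QNAME labels of the first question (starts at offset 12, right after the header)."""
    labels, offset = [], 12
    while True:
        length = packet[offset]
        if length == 0:
            return labels
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length

def idn_labels(packet: bytes) -> list:
    """Return (punycode, unicode) pairs for every label using the IDNA 'xn--' ACE prefix."""
    found = []
    for label in parse_qname(packet):
        if label.lower().startswith("xn--"):
            found.append((label, label.encode("ascii").decode("idna")))
    return found

if __name__ == "__main__":
    # The last name uses a Cyrillic 'a' (U+0430): a homograph of an ASCII name.
    for name in ("www.example.com", "www.m\u00fcnchen.example", "\u0430pple.com"):
        print(name, "->", idn_labels(build_query(name)))
```

Checking per label on the wire rather than grepping the whole packet for "xn--" avoids matching the string when it merely appears inside a longer label; like the original rule, it only sees queries that actually reach port 53, not DoH.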
Little pro-tip for anyone who tries to run their own private DoH infrastructure too, Firefox doesn't like RFC1918 addresses for the DoH resolver. Set `network.trr.allow-rfc1918=true` if you run DoH on a private IP.
That’s the design intent. Because not all network administration is benign.
DoH is a tool like any other. Good or bad entirely on why and how it’s used. And your own perspective on that use case.
DoH opens me up to security problems that I wouldn't otherwise have, and the extent I have to go to in order to stop it is crazy.
> DoH is a tool like any other. Good or bad entirely on why and how it’s used.
Except that it's a tool I have little control over, and no control over how and why it's used. That's the problem.
DoH is a plague.
That's not true when just the network itself is yours. It's only true when all of the computers on it are too.
> DoH opens me up to security problems that I wouldn't otherwise have, and the extent I have to go to in order to stop it is crazy.
What? No it doesn't.
> Except that it's a tool I have little control over, and no control over how and why it's used. That's the problem.
You're not supposed to be able to have control over what tools other people use on their own computers.
I was unclear. This is exactly the case I'm talking about. The network, and all of the devices on the network, are mine.
> What? No it doesn't.
It does. It makes it easier for bad actors -- mostly advertising networks -- to bypass my DNS filtering. They can do it all with their own code, encrypted through HTTPS to hide it, and never touch my DNS systems, nor be affected by browser settings.
> You're not supposed to be able to have control over what tools other people use on their own computers.
Again, I'm talking about having control over my own machines, not anyone else's.
If that makes DoH bad, then privacy is bad too since it makes it easier for terrorists and pedophiles to evade the law.
The only privacy they are affording is specifically to entities that I don't want operating on my machines to begin with, who are mostly interested in violating my privacy.
So this privacy mechanism, in this use case, really is bad because it reduces my privacy.