
DoT isn't a big problem for a Pi-hole, but it doesn't look like things are going that way. DoH can only be blocked by a MITM proxy. You would have to take a pretty serious security hit to do something like that with a Pi-hole.



Wouldn't pi-hole be the 'resolver' the other end of the request, the party it's encrypted for?

Sure, Apple (or whoever) could just bypass it and use something specific, but they can already just use an IP with no DNS anyway?


My understanding is the concern would be that closed source applications would use a hardcoded DoH resolver and pinned certs to bypass any unwanted blocks of ads/telemetry, which could only be resolved with decompilation and patching with varying degrees of difficulty.


> My understanding is the concern would be that closed source applications would use a hardcoded DoH resolver and pinned certs to bypass any unwanted blocks of ads/telemetry, which could only be resolved with decompilation and patching with varying degrees of difficulty.

IIRC, the vision with DoH is that eventually even browsers would do DNS as part of a bunch of pipelined HTTP requests. So you call up https://www.example.com/page.html and www.example.com resolves img.example.com for you since it's used on the page. The downside is www.example.com could also resolve tracker.adnetwork.com for you, too.

IIRC, DoH is there to defeat MITM attacks, but stuff like Pi-Hole is basically a MITM attack, so it's kinda collateral damage.

I bet network-level ad-blocking will eventually have to evolve into literal firewall rules on the gateway.


Sure, but if you're worried about them using a specific DNS, aren't you already worried about them not using DNS; resolving `phonehome.evil.co` once per release and shipping the baked-in IP? Stops working if it can't reach that IP, 'xx needs to update', gets new IP?


Is this much more of a concern than closed source applications that use open DNS but use pinned certs to connect to the resolved host?


Whitelisting would make it much more difficult for wildcat DoH. On the gripping hand, whitelisting is extremely annoying and tends to block more work-related-and-useful software than software that is actually malicious.
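The "firewall rules on the gateway" and "whitelisting" ideas from the comments above, as an added example (not code from any commenter): a small Python correlator that pairs the Pi-hole answer log with the gateway's outbound flow log and flags flows the local resolver never handed out (DoH on 443 to an unresolved IP, or a baked-in IP) plus any port 853 DoT flow. Both logs, the IPs and the 10-minute cache window are constructed assumptions.

```python
"""Spot resolver bypass by correlating Pi-hole answers with gateway flows.

Added example, not from any commenter. Both logs below are constructed.
"""
from datetime import datetime, timedelta

# Constructed Pi-hole style answers: (timestamp, queried name, answered IP)
PIHOLE_ANSWERS = [
    ("2024-01-01 10:00:00", "www.example.com", "93.184.216.34"),
    ("2024-01-01 10:00:01", "img.example.com", "93.184.216.35"),
]

# Constructed outbound flows from the LAN: (timestamp, src, dst, dport)
FLOWS = [
    ("2024-01-01 10:00:02", "192.168.1.20", "93.184.216.34", 443),  # resolved locally: fine
    ("2024-01-01 10:00:03", "192.168.1.20", "1.1.1.1", 853),        # DoT to a public resolver
    ("2024-01-01 10:00:04", "192.168.1.21", "203.0.113.7", 443),    # never resolved locally
]

TTL_WINDOW = timedelta(minutes=10)  # assumption: answers stay cached about this long


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def classify_flows(answers, flows, window=TTL_WINDOW):
    """Return (dst, dport, verdict) per flow.

    'ok'         the destination was answered by the local resolver within the window
    'dot'        port 853, DNS-over-TLS going around the resolver
    'unresolved' no local answer explains the destination: DoH over 443 or a baked-in IP
    """
    seen = [(_ts(t), ip) for t, _name, ip in answers]
    verdicts = []
    for t, _src, dst, dport in flows:
        ft = _ts(t)
        if dport == 853:
            verdicts.append((dst, dport, "dot"))
            continue
        explained = any(ip == dst and ft - window <= at <= ft for at, ip in seen)
        verdicts.append((dst, dport, "ok" if explained else "unresolved"))
    return verdicts


def suspicious(answers, flows):
    """Destinations a gateway rule could block or alert on."""
    return [v for v in classify_flows(answers, flows) if v[2] != "ok"]


if __name__ == "__main__":
    for dst, port, verdict in suspicious(PIHOLE_ANSWERS, FLOWS):
        print(f"{verdict:10s} {dst}:{port}")
```

The correlation catches hardcoded IPs and unresolved DoH endpoints; a DoH resolver whose name was looked up through the Pi-hole itself is still classified 'ok', which is exactly where a whitelist or blocklist of resolver names has to take over.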



