So you've set up DNS filtering to protect your family — CleanBrowsing, Pi-hole, or OpenDNS — and now you've discovered that browsers can bypass it entirely using "Secure DNS" (DNS-over-HTTPS). This guide shows you how to block those bypass methods at the network level.
This article is for people comfortable logging into their router and creating firewall rules. If that sounds intimidating, you might want to get in touch — this is exactly the kind of thing I help with.
Understanding what we’re blocking
There are two main encrypted DNS protocols:
| Protocol | Port | Difficulty to Block |
|---|---|---|
| DNS-over-TLS (DoT) | 853 | Easy — just block port 853 |
| DNS-over-HTTPS (DoH) | 443 | Harder — same port as all HTTPS traffic |
DoT is straightforward to block because it uses a dedicated port. DoH is trickier because it uses port 443 — the same port as every secure website. You can’t block port 443 without breaking the internet.
Instead, we block specific IP addresses of known DoH providers.
Step 1: Block DNS-over-TLS (Port 853)
This is the easy win. Create a firewall rule to block all outbound traffic on port 853. DoT runs over TCP; if your router can also block UDP 853, do that too, because DNS-over-QUIC (DoQ) uses the same port number over UDP. One exception to plan for: if your Pi-hole or router forwards its own upstream queries over DoT, add an allow rule for that one device above the block, or your filter loses its upstream.
Generic Router Instructions
- Log into your router’s admin interface
- Find Firewall or Access Control or Traffic Rules
- Create a new outbound rule:
- Protocol: TCP
- Destination Port: 853
- Action: Block/Deny
- Save and apply
UniFi (Dream Machine / Dream Router)
- Go to Settings → Traffic & Security → Traffic Rules
- Click Create New Rule
- Configure:
  - Name: Block DNS-over-TLS
  - Action: Block
  - Category: Port/IP Group
  - Port: 853
  - Protocol: TCP
  - Apply to: All Devices (or specific groups)
- Save
On UniFi, you can also create a Port Group containing port 853 and reference that in your rule. This makes it easier to manage multiple port blocks.
TP-Link / ASUS / Netgear
Most consumer routers have this under:
- Advanced Settings → Firewall → Outbound Rules
- Or Access Control → Rule-Based
Create a rule blocking TCP port 853 to any destination.
Step 2: Block Known DoH Provider IPs
This is where it gets more involved. We need to block connections to the IP addresses of major DoH providers.
Major DoH Providers to Block
Cloudflare (Most Common)
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
Google
8.8.8.8
8.8.4.4
2001:4860:4860::8888
2001:4860:4860::8844
Quad9
9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9
OpenDNS
208.67.222.222
208.67.220.220
2620:119:35::35
2620:119:53::53
NextDNS
45.90.28.0
45.90.30.0
2a07:a8c0::
2a07:a8c1::
Creating the Firewall Rules
You’ll need to block connections to these IPs on port 443 (HTTPS). This prevents browsers from establishing DoH connections while still allowing normal HTTPS traffic to other sites.
UniFi Implementation
- Go to Settings → Profiles → IP Groups
- Create a new group called DoH-Providers
- Add all the IP addresses above
- Go to Traffic & Security → Traffic Rules
- Create a new rule:
  - Name: Block DNS-over-HTTPS
  - Action: Block
  - Category: IP Group
  - IP Group: DoH-Providers
  - Port: 443
  - Protocol: TCP
- Save
Don't forget the IPv6 addresses! Modern devices often prefer IPv6, and if you only block IPv4, DoH will still work over IPv6.
pfSense / OPNsense Implementation
Create an Alias containing all DoH provider IPs:
- Go to Firewall → Aliases
- Create new alias: DoH_Providers
- Type: Host(s)
- Add all IP addresses
Create firewall rule:
- Go to Firewall → Rules → LAN
- Add rule at TOP of list (order matters: the default pass rule below it would otherwise match first):
  - Action: Block
  - Address Family (pfSense) / TCP/IP Version (OPNsense): IPv4+IPv6, so the IPv6 entries in the alias are enforced as well
  - Protocol: TCP
  - Destination: DoH_Providers alias
  - Destination Port: 443
Consumer Router Limitations
Most consumer routers (Netgear, TP-Link, ASUS) don’t support IP-based firewall rules on specific ports. Your options:
- Block the IPs entirely: this breaks those DNS services completely, which might cause issues if any device relies on them for non-DoH purposes
- Use Pi-hole’s blocklist: add DoH hostnames to Pi-hole (covered below)
- Upgrade your router: UniFi, pfSense, or OPNsense give you proper firewall control
Step 3: Block DoH Domains via DNS
Even if you can’t block IPs at the firewall, you can block DoH domains in your DNS filter. This works if devices still query your DNS for initial lookups.
Pi-hole Blocklist
Add these domains to your Pi-hole blocklist:
dns.google
dns.google.com
cloudflare-dns.com
one.one.one.one
dns.quad9.net
doh.opendns.com
dns.nextdns.io
doh.cleanbrowsing.org
mozilla.cloudflare-dns.com
In Pi-hole:
- Go to Domains → Add a domain
- Enter each domain
- Select Add to Blocklist
- Tick the wildcard option if you want subdomains blocked too; Pi-hole turns a wildcard entry into a regex of the form (\.|^)cloudflare-dns\.com$
This only works if the device asks your DNS for the provider’s hostname first. A browser (or the person using it) can be pointed at a DoH endpoint by IP literal instead, for example https://1.1.1.1/dns-query, and that connection never touches your DNS at all. That’s why the firewall rules in Step 2 are the more reliable layer.
Step 4: Block Firefox’s DoH Canary Domain
Firefox has a clever feature: it checks a special “canary” domain to see if the network wants to disable DoH. If this domain returns NXDOMAIN (not found), Firefox respects the network’s wishes and disables DoH.
The Canary Domain
use-application-dns.net
Add this domain to your Pi-hole blocklist so the query returns NXDOMAIN. When Firefox sees that answer, it disables its default-on DoH automatically. Check what you are actually sending back rather than assuming: Pi-hole’s default blocking mode answers blocked domains with 0.0.0.0, not NXDOMAIN (recent Pi-hole versions special-case the canary domain for exactly this reason), so confirm with dig use-application-dns.net @your-pi-hole-ip that the status line says NXDOMAIN.
This is the most elegant solution for Firefox users. Instead of blocking DoH traffic, you’re telling Firefox "this network manages its own DNS" and Firefox cooperates. The limit is that the canary only governs DoH that Firefox turned on by default; if a user has explicitly enabled DoH in Firefox’s settings, the canary is ignored, which is why the firewall rules still matter.
Note: Chrome and Edge have no equivalent canary mechanism. Their Automatic secure DNS mode does, however, only upgrade to DoH when the operating system’s configured resolver is a provider on the browser’s built-in list, so devices that receive your Pi-hole or router address from DHCP won’t auto-upgrade. The remaining risk is someone picking a provider manually, which is what Step 2 catches.
Step 5: Force All DNS Through Your Filter
As a belt-and-suspenders approach, you can redirect ALL DNS queries (port 53) to your filtered DNS server, regardless of what devices are configured to use.
UniFi DNS Redirect
On UniFi Dream Machine / Dream Router:
- Go to Settings → Traffic & Security → Traffic Rules
- Create a rule:
  - Name: Force DNS to Pi-hole
  - Action: Allow (with NAT)
  - Destination Port: 53
  - Translation: Your Pi-hole IP (e.g., 10.0.0.30)
This intercepts any plain DNS query (UDP and TCP port 53) heading elsewhere and hands it to your filtered DNS. Two details matter: exclude the Pi-hole’s own address from the rule, otherwise its upstream queries are looped straight back to itself and resolution stops; and make the rule match both UDP and TCP, since clients retry over TCP when an answer is truncated.
DNS redirect only catches traditional DNS on port 53. It does NOT catch DoH (port 443) or DoT (port 853). You still need the other rules.
Testing Your Blocks
After implementing these rules, test that they’re working:
Test DoT Block
From a device on your network, try:
dig @1.1.1.1 -p 853 +tls google.com
This should hang until it times out (if the rule drops packets) or fail immediately with a connection refused or reset (if the rule rejects them). If it returns an answer, port 853 is still open. dig understands +tls from BIND 9.18 onwards; on older systems use kdig from knot-dnsutils instead: kdig @1.1.1.1 +tls google.com
Test DoH Block
Open Chrome and:
- Go to Settings → Privacy and security → Security → Use secure DNS
- Turn it on and select Cloudflare
- Try browsing to a site that should be blocked by your filter
- Either your filter’s block page appears (Chrome fell back to your DNS) or the page fails with a DNS error (Chrome’s chosen provider is unreachable and it didn’t fall back). Both mean the DoH path is blocked. If the site loads normally, DoH is still getting through.
Browser DoH Test Pages
- Cloudflare: https://1.1.1.1/help should show "Using DNS over HTTPS: No". Bear in mind that this page is served from the very IP you blocked in Step 2, so on a network where that rule is active it won’t load at all; that is the rule working, not a fault.
- Chrome: visit chrome://net-internals/#dns and check the "Secure DNS" status.
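Rather than relying on a browser’s own settings page, a small script can test both paths directly and from any device on the LAN. The following is an added example, not code from this article: it builds a real DNS query in wire format, POSTs it to a DoH endpoint the way a browser does (RFC 8484, Content-Type application/dns-message), and separately attempts a bare TCP connection to port 853. The DoH URLs and DoT addresses are the public Cloudflare, Google and Quad9 ones already listed above; SAMPLE_RESPONSE is a constructed packet using a TEST-NET address, included only so the parser can be exercised offline. On a network where Steps 1 and 2 are applied, every probe should report BLOCKED.

```python
"""Probe whether encrypted-DNS paths are blocked from this network.

Added example, not from the original article. The endpoints are the public
Cloudflare/Google DoH URLs and Cloudflare/Quad9 DoT ports; SAMPLE_RESPONSE is
a constructed packet (TEST-NET address 192.0.2.1) used only to exercise the
parser offline.
"""
import socket
import struct
import urllib.error
import urllib.request

DOH_ENDPOINTS = {
    "cloudflare": "https://1.1.1.1/dns-query",
    "google": "https://8.8.8.8/dns-query",
}
DOT_SERVERS = [("1.1.1.1", 853), ("9.9.9.9", 853)]


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a minimal DNS query (RFC 1035 wire format, RD=1, one question).
    DoH (RFC 8484) carries exactly this packet as the HTTP request body."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg: bytes) -> list[str]:
    """Return the A/AAAA addresses found in a DNS response message."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                      # qtype + qclass
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:    # AAAA
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return addrs


def doh_lookup(name: str, endpoint: str, timeout: float = 5.0) -> tuple[str, list[str]]:
    """POST a wire-format query to a DoH endpoint. BLOCKED means the HTTPS
    connection to the provider's IP never completed, which is what Step 2
    should cause; an HTTP error still counts as OPEN (the connection worked)."""
    req = urllib.request.Request(
        endpoint, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "OPEN", parse_answers(resp.read())
    except urllib.error.HTTPError as exc:
        return "OPEN", [f"HTTP {exc.code}"]
    except OSError as exc:               # timeout, refused, reset, TLS failure
        return "BLOCKED", [str(exc)]


def dot_probe(host: str, port: int = 853, timeout: float = 5.0) -> str:
    """A plain TCP connect is enough to tell whether Step 1 drops port 853."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "OPEN"
    except OSError:
        return "BLOCKED"


# Constructed response (not captured from a real server): example.com -> 192.0.2.1,
# with the answer name given as a compression pointer (0xC00C) to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    for host, port in DOT_SERVERS:
        print(f"DoT  {host}:{port:<5} {dot_probe(host, port)}")
    for provider, url in DOH_ENDPOINTS.items():
        status, detail = doh_lookup("example.com", url)
        print(f"DoH  {provider:<11} {status}  {detail}")
```

Run it with python3 from a laptop on the filtered network. The probe deliberately uses IP-literal URLs: that is the path a DNS-level blocklist (Step 3) cannot see, so a BLOCKED result proves the Step 2 firewall rule is doing the work, not Pi-hole. It does not exercise the port 53 redirect from Step 5; for that, point dig at an outside resolver on port 53 and check that the answer still carries your filter’s block address.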
Maintenance Considerations
New DoH providers appear regularly, and existing providers may add new IP addresses. Your blocklist will need periodic updates. Consider subscribing to blocklists that are maintained by the community.
Blocklist Sources
- OISD DoH blocklist: Community-maintained list of DoH providers
- NextDNS: Has built-in DoH blocking options
- GitHub: Search for “doh-blocklist” for regularly updated lists
When This Isn’t Enough
Even with all these measures, determined users can still bypass filtering:
- VPNs route all traffic (including DNS) through an external server
- Mobile data bypasses your home network entirely
- Tor Browser uses its own encrypted network
- SSH tunnels can carry DNS traffic
Content filtering is a speed bump, not a wall. It catches casual access and accidental exposure. For determined teenagers, it buys you time and creates friction — but conversations about online safety are still essential.
Need Help Implementing This?
If this guide feels overwhelming, or you want someone to configure this properly on your network, I can help. I’ll assess your current setup, implement the appropriate blocks for your router, and verify everything is working.
Professional Network Security Setup
- Audit your current DNS filtering setup
- Implement DoT and DoH blocks appropriate for your router
- Configure DNS redirect rules
- Test and verify blocks are working
- Document the configuration for future reference
or call 0489 998 445
Related reading
- Is Your Child Bypassing Your Internet Filter Right Now? — Understanding the bypass problem
- What Parents Need to Know About Secure DNS — Non-technical explainer
- Block Adult Content on Home WiFi (Free, 5 Minutes) — Setting up DNS filtering in the first place
Serving Geelong, Surf Coast, and Bellarine Peninsula.
Why Oh WiFi · 0489 998 445 · hello@whyohwifi.com.au