DNS-over-HTTPS Block List

doh-blocklist.txt

# Here are some domains I block to interfere with DNS-over-HTTPS, so that my own DNS-based security schemes work.
# If you're going to be doing this, you should probably block all outbound 53, 853, and 5353 on your network,
# except from your own internal DNS resolver (eg. pihole)
#
# Data from https://github.com/curl/curl/wiki/DNS-over-HTTPS  (and other places)

1a.ns.ozer.im
8888.google
aattwwss.duckdns.org
abel.waringer-atg.de
a-bld.sys-adm.in
ad1.heronet.nl
adblock.doh.mullvad.net
adblock.mydns.network
addns.jpr.space
adgaurd.lingmont.net
adg.geili.me
adg.jnorton.us
adguard1.jsanagustin.net
adguard1.leadmon.net
adguard.ambiya.net
adguard.avdkishore.dev
adguard.beliefanx.cn
adguard.bitteeinbyte.de
adguard.dekonix.ru
adguard.depieri.net
adguard.dessoi.cloud
adguard-dns.rouga.ch
adguard.dtness.com
adguard.ef67daisuki.club
adguard.ender.fr
adguard.firestrike-services.de
adguard.frece.de
adguard.gbrossi.com.br
adguard.haneulo.com
adguardh.ga
adguard.ihatemy.live
adguard.jfchenier.ca
adguard.josephyap.me
adguard.jpjb.net
adguard.korks.tk
adguard.laurenlaufman.com
adguard.lege.despagne.net
adguard.lspcr.space
adguard.meddy94.de
adguard.mokocup.cf
adguard.piekacz.pl
adguard.rabmoor.cz
adguard.randomaizer.lentel.ru
adguard.richardapplegate.io
adguard.shuting.idv.tw
adl.adfilter.net
ag.ff0x.ca
ag.ssrahul96.xyz
aihe.app
airmaxcloud.ml
ant.dns.qwer.pw
apne1.dns.terumi.club
applied-privacy.net
area51.mywire.org
armorrush.eu.org
au01.dns4me.net
au02.dns4me.net
awan.ftp.sh
axaxa.fun
basic.rethinkdns.com
bcandrade.ml
blackhole.gugainfo.com.br
blackhole.myon.lu
bld.sys-adm.in
blitz.ahadns.com
block.abstergo.it
blockerads.multimediaconcept.fr
bluemood.me
ca01.dns4me.net
ca02.dns4me.net
canadianshield.cira.ca
captnemo.in
c.cicitt.ch
cdzopi.duckdns.org
chewbacca.meganerd.nl
cintra.ml
clientdns3.softcom.net
cloudflare-dns.com
cloudns.bosco.ovh
cloud.tezoi.com
cluster-0.gac.edu
cluster-1.gac.edu
commons.host
cossxiu.ga
cvt-ic-us-adns-001.clearviewtechnology.net
d.apemlegit.my.id
darkness.is.my.waifu.cz
dart.kpsn.org
de.teradns.org
dgca.myds.me
digitale-gesellschaft.ch
dns01.flm9.net
dns0.eu
dns.0ooo.icu
dns0.tardishost.ru
dns10.quad9.net
dns11.quad9.net
dns1.adrianion.eu
dns1.dnscrypt.ca
dns1.in-berlin.de
dns1.irumatech.com
dns1.tardishost.ru
dns2.afastserver.com
dns2.cbio.top
dns.52306.org
dns.5ososea.com
dns64.cloudflare-dns.com
dns64.dns.google
dns.7vpn.com
dns.886886886.xyz
dns8.org
dns9999.duckdns.org
dns9.quad9.net
dns.aaflalo.me
dns.aa.net.uk
dns.aaytorr.com
dns.adguard.com
dns.adrianlam.com
dns.alidns.com
dns.alloxr.info
dns.almir1904.eu
dns.amigo-mgn.ru
dns.andrewnw.xyz
dns.apigw.online
dns.artikel10.org
dns.b33.space
dns.b612.me
dns.bebasid.com
dns.belnet.be
dns.benpro.fr
dns.bitdefender.net
dns.blokada.org
dns.bobstrecansky.com
dns.brahma.world
dns.brian-hong.tech
dns.bw.i81.ru
dns.carson-family.com
dns.chenu.ch
dns.chromeina.top
dns.circl.lu
dns.clanless.ovh
dns.comeonjames.club
dns.comss.one
dns.connect.fail
dns.containerpi.com
dns.cwlys.com
dns.d365.in
dns.d94.xyz
dns.d96.info
dns.daw.dev
dns.decloudus.com
dns.deekshith.in
dns.dgea.fr
dns.digitale-gesellschaft.ch
dns.digitalsize.net
dns.dnshome.de
dns.dns-over-https.com
dns.dnsoverhttps.net
dns.dnswarden.com
dns-doh.dnsforfamily.com
dns.dutchwhite.nl
dns-east.tylerwahl.com
dns.edison42.dev
dns.elemental.software
dns.ellichua.com
dns.emiliyan.com
dnsenc.com
dns.esegece.com
dns.extrawdw.net
dns.familiamichels.com.br
dns-family.adguard.com
dns-family.esegece.com
dns.fancyorg.at
dns.faze.dev
dns.filipccz.eu
dns.flatuslifir.is
dns.flymc.cc
dnsforge.de
dns.froth.zone
dns.gnb09.id
dns.google
dns.google.com
dns.ha-dvin.pp.ua
dns.hafidzradhival.my.id
dns.hahnjo.de
dns.hanmey.de
dns.haoxuan.xyz
dns.hee.ink
dns.herkhof.nl
dns.hinet.net
dns.hostux.net
dns.iamninja.ru
dns.ikataruto.com
dns.imaicool.com
dns.indust.me
dns.invisv.com
dns.ipv6dns.com
dns.itdept.pro
dns.joaofidelix.com.br
dns.jucker.engineering
dns.kamilszczepanski.com
dns.karl.one
dns.kawa.tf
dns.kernel-error.de
dns.kescher.at
dns.keweon.center
dns.lars-lehmann.net
dns.linkr.ninja
dnslow.me
dns.lsho.top
dns.maolaohei.xyz
dns.meeo.win
dns.mgiptvpro.ml
dns.mikeliu.org
dns.mipauns.com
dns.molinero.dev
dns.moog.sh
dns.moonssif.com
dns.msxnet.ru
dns.murgi.de
dns.muxinghe.cn
dns.mzrme.cn
dns.nas-server.ru
dns.neubsi.at
dns.nextdns.io
dns.nhtsky.com
dns.njal.la
dnsnl.alekberg.net
dnsnl-noads.alekberg.net
dns.norvig.dk
dns.novali.date
dns.novg.net
dns.nullgate.net
dns.nullrecon.com
dns-nyc.aaflalo.me
dns.ofdoom.net
dns.opendns.com
dns.opnsource.com.au
dns.paesa.es
dns.panszelescik.pl
dns.porteii.com
dns.privilab.net
dns.pub
dns.quad9.net
dns.rafn.is
dns.reckoningslug.name
dns.rin.sh
dns.ronc.ru
dns.rotunneling.net
dns.rubyfish.cn
dnsse.alekberg.net
dns-secondary.cloudnx.cloud
dns.sellan.fr
dnsse-noads.alekberg.net
dnsserver.mailchan.eu
dns.shecan.ir
dns.shimul.me
dns.silen.org
dns.silentlybren.com
dns.siry.de
dns.skrep.eu
dns.slinkyman.net
dns.spil.co.id
dns.startupstack.tech
dns.stvsk.ml
dns.surfshark.com
dns.switch.ch
dns.syaifullah.com
dns.t53.de
dns.techcpu.net
dns.telekom.de
dns.therifleman.name
dns.tls-data.de
dnstls.mobik.com
dns.truong.fi
dns.twnic.tw
dns.umbrella.com
dns.unerror.network
dns.vinnyp.xyz
dns.vmath.my.id
dnsvps.familiamv.ml
dns.wakgood.net
dns.youni.win
dns.zfsystem.tech
dog.dns.qwer.pw
doh003.280blocker.net
doh-01.spectrum.com
doh-02.spectrum.com
doh1.b-cdn.net
doh2.gslb2.xfinity.com
doh-2.seby.io
doh.360.cn
doh.42l.fr
doh.applied-privacy.net
doh.armadillodns.net
doh.beauty
doh.boje8.me
doh.bortzmeyer.fr
doh.bt.com
doh.buzz
doh.captnemo.in
doh.ccb-net.it
doh.centraleu.pi-dns.com
doh-ch.blahdns.com
doh.cleanbrowsing.org
doh.cloud-sekeng.com
doh.crypto.sx
doh.datacore.ch
doh.datahata.by
doh-de.blahdns.com
doh.disconnect.app
doh.dns4all.eu
doh.dns.apple.com
doh.dnslify.com
doh.dns.sb
dohdot.coxlab.net
doh.dscloud.me
doh.eastus.pi-dns.com
doh.familyshield.opendns.com
doh.ffmuc.net
doh-fi.blahdns.com
doh.futa.gg
doh.gcp.pathofgrace.com
doh.ibr.cs.tu-bs.de
doh.iucc.ac.il
doh.jeroenhd.nl
doh-jp.blahdns.com
doh.killtw.im
doh.lacontrevoie.fr
doh-lb-atl.dnsflex.com
doh-lb-br.dnsflex.com
doh-lb-ca-tor.dnsflex.com
doh-lb-de.dnsflex.com
doh-lb-gb.dnsflex.com
doh-lb-in.dnsflex.com
doh-lb-sg.dnsflex.com
doh-lb-tr.dnsflex.com
doh.li
doh.libredns.gr
doh.luigi.nexific.it
doh.lujiacai.top
doh.lv
doh.mullvad.net
doh.nic.lv
doh.niyawe.de
doh.nl.ahadns.net
doh.northeu.pi-dns.com
doh.onedns.net
doh.opendns.com
doh.powerdns.org
doh-primary-pool.detoxifypornblocker.com
doh.pyry.me
doh.rezhajul.io
doh.safesurfer.io
doh.sb
doh.seby.io
doh-sg.blahdns.com
doh.syshero.org
doh.tiarap.org
doh.tiar.app
doh.totoro.pub
dohtrial.att.net
doh.westus.pi-dns.com
doh.xcom.pro
doh.xfinity.com
do.shimul.me
dotdns.cryptroute.com
doth.huque.com
d.toairs.com
dukun.de
easyhandshake.com
echoe1yidzu4ioo5.myfritz.net
edgy-dns.com
esel.stusta.mhn.de
eu1.dns.lavate.ch
eweyo.duckdns.org
example.doh.blockerdns.com
externalmobiel.lekdijk.online
family.5ososea.com
family.canadianshield.cira.ca
family.cloudflare-dns.com
felipefalcao.me
fi.doh.dns.snopyta.org
findmethedns.info
fra1.eyecay.xyz
fr-dns1.bancuh.com
freedns.controld.com
freedom.mydns.network
free.shecan.ir
frog.dns.qwer.pw
fuchur.pentament.de
galileo.math.unipd.it
gateway.fomichev.cloud
gclouddns.com
groupy.ga
guard.sntrk.ru
gustamadh.dynv6.net
gztech.me
hitian.me
hk2.ooroot.com
hole.elbschloss.xyz
home27.duckdns.org
home.dlinkddns.com
home.marcrnt.de
ibksturm.synology.me
ibuki.cgnat.net
ihctw.synology.me
ines.zfn.uni-bremen.de
intertop.link
iris.woozeno.eu
irre.li
jackyes.ovh
jcdns.fun
jp2.ooroot.com
jp.68360612.xyz
jp-dns1.bancuh.com
jpdns.cola16.app
jp.dns.ikataruto.com
jp.kano.sh
jp.tiarap.org
jp.tiar.app
jurre-home.duckdns.org
kaitain.restena.lu
karimdns.com
keithchung.hopto.org
kennethhuang.com
kids.5ososea.com
kids.dns0.eu
korzhov.dev
kr1.ooroot.com
kr2.ooroot.com
kr.pigs.eu.org
krtekvpn.duckdns.org
kswro.web.id
lastentarvike.fi
leecurrylawfirm.com
lindung.pp.ua
lion.dns.qwer.pw
lion.yazilimatolye.com
mail.data.haus
mailer.amlegion.org
mainframe.dewed.de
masters-of-cloud.de
mozilla.cloudflare-dns.com
msr177.com
muc-ns01.ibytex.systems
muli.stusta.mhn.de
n0.eu
n.3363.net
n5.lsasss.com
nas1403.duckdns.org
ninny.duckdns.org
ns.00dani.me
ns1.1899.com.mx
ns1.dotls.org
ns1.flodns.net
ns1.qquack.org
ns2.1899.com.mx
ns2.flodns.net
ns3.bit-trail.nl
ns3.com
ns3.cx
ns3.link
n-wan.dynv6.net
ny.teradns.org
nz01.dns4me.net
o1.lt
odvr.nic.cz
odvr.nic.cz 
one.one.one.one
open.dns0.eu
opennic1.eth-services.de
opennic.i2pd.xyz
oraclejp2.chungyu.com
orau.lz0724.com
ordns.he.net
o.rsaikat.com
osefcorp.duckdns.org
pdns.faelix.net
per.adfilter.net
pi1.node15.com
pihole1.hoerli.net
pihole2.hoerli.net
pihole3.hoerli.net
pihole4.hoerli.net
pihole.aws.ketan.dev
pihole.datamatter.co.za
pope.cnblw.me
premiumtier-network.instadart.net
private.canadianshield.cira.ca
project-evoex.de
pro.shecan.ir
protected.canadianshield.cira.ca
ps1.modr.club
public.dns.iij.jp
punono.duckdns.org
puredns.org
qlf-doh.inria.fr
r1bnc.com
rayneau.fr
rdjdns.ajraspi.xyz
rdns.faelix.net
res-acst1.absolight.net
res-acst2.absolight.net
res-acst3.absolight.net
resolver1.absolight.net
resolver2.absolight.net
resolver3.absolight.net
resolver-eu.lelux.fi
resolver.noaddns.com
resolver.r0cket.net
resolver.rferee.dev
resolver.unstoppable.io
rjmva.com
sa01.dns4me.net
safe.kswro.web.id
safeservedns.com
sagutxustech.com
sbdns.co.in
sby-doh.limotelu.org
secure.avastdns.com
securedns.vendorvista.xyz
securenet.mhsystems.net
secure.onedns.cc
security.cloudflare-dns.com
sg01.dns4me.net
sg2.ooroot.com
sg-dns1.bancuh.com
sgpcloud.duckdns.org
sg.teradns.org
shalenkov.dev
shield.afixer.app
sink.nolo.ltd
sitdns.com
sky.rethinkdns.com
surt.ml
syd.adfilter.net
t2c.240130034.xyz
testaghome.meshkov.info
thanos.pleumkungz.com
tiger.dns.qwer.pw
timmes.nl
tj.jamesxue.xyz
tk31z.com
tlz.asia
toaster.lol
tor.vasi.li
ttag.dns.nomu.pw
tuandns.duckdns.org
tungdnsne.duckdns.org
tw2.ooroot.com
tx.teradns.org
typaza.com
ueni.dyndns.org
uk01.dns4me.net
unfiltered.adguard-dns.com
unixfox.duckdns.org
us01.dns4me.net
us02.dns4me.net
us1.blissdns.net
us-ny-alula.heliumcloud.cc
virga.pp.ua
vm.mytm.cc
vvmm.me
wantaquddin.com
www.c-dns.com
www.dnsadguard.co.uk
www.elshad-adgh-dns.ru
www.ggrbb.xyz
www.morbitzer.de
www.muxyuji.ru
xenergy.cc
xray.krnl.eu
yarp.lefolgoc.net
ychen.cf
ychen.ga
yovbak.com
zero.dns0.eu
zrh1-ns01.monzoon.net
zxcvb.pp.ua

Not sure if you are still keeping this list updated, but if so, here are some that need to be removed.

The DNS query name does not exist: fi.doh.dns.snopyta.org. [for Block_DOH]
The DNS query name does not exist: adblock.mydns.network. [for Block_DOH]
The DNS query name does not exist: dns.containerpi.com. [for Block_DOH]
The DNS query name does not exist: dns.flatuslifir.is. [for Block_DOH]
The DNS query name does not exist: doh.armadillodns.net. [for Block_DOH]

Thanks. I'll probably review the list of DOH servers soon; for my purposes it doesn't hurt to have these names in my block list, whether or not they're in use.

Nice! Thank you!

Could you please move this to a Git repository so updates can be pulled from a static address.

https://gist.githubusercontent.com/ckuethe/f71185f604be9cde370e702aa179fc2e/raw/ always points to the most current version - just delete the stuff after /raw/ . That trick works best for any gist with a single file

This was really helpful. Thank you.

https://github.com/curl/curl/wiki/DNS-over-HTTPS

List of over 500 DoH domain you can block. A script to scrape all the domains on that list is at the bottom.

Thank you @serendrewpity

How would you use this scrape tool to generate the text file? Can you put this on GIT to make it accessible for us n00bs?

HI

Do we have any list like this for website categories?

Thank you

Hello 2024, I am attempting to make this more streamlined. Please help me make this the best DoH pihole blocklist: https://github.com/Bryantdl7/pihole-blocklists/blob/main/dns-https-block.txt

Hello 2024, I am attempting to make this more streamlined. Please help me make this the best DoH pihole blocklist: https://github.com/Bryantdl7/pihole-blocklists/blob/main/dns-https-block.txt

If you're going to do a wildcard on apple-dns, you might want to do a wildcard on doh.*, dns* and any other obvious patterns.

You'll still need to block communications to any resolver from anything other than your intended internal DNS. Chromecasts, for example, are hard-wired to google dns. A few other things will also try to fall back to public resolvers if they get NXDOMAIN or whatever from DHCP DNS.