Recently I observed that many of my IoT devices and mobile applications try to use third-party DNS and bypass my local DNS server. I counteracted this with a NAT rule that redirects all outbound port 53 traffic to my local DNS server.
But that only catches plaintext DNS. What about DNS over HTTPS (DoH), which hides inside ordinary port 443 traffic? Using an IP blocklist is not ideal since the underlying IPs may change. A list of fully qualified domain names (FQDNs) would be much more flexible.
While it is not officially stated, it is in fact possible to use FQDN lists such as this one with OPNsense by simply choosing the
URL Table (IPs) type for the alias in OPNsense.
We can verify that it works under Firewall -> Diagnostics -> Aliases, where the FQDNs from the list show up resolved into IPs.
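The check I would want on top of the GUI view is whether the alias is still current: the firewall resolves the list only when the alias is refreshed, so a resolver whose addresses have since changed slips through. The script below is an added example, not code from the original post or from OPNsense. It parses a blocklist in the plain-text format the alias type accepts (one FQDN, IP or CIDR per line, `#` comments), resolves the FQDNs, and compares the result against what the alias's pf table currently contains (on OPNsense the table carries the alias name, so `pfctl -t <alias> -T show` prints it). The list contents, the resolver answers and the `pfctl` output are all constructed samples so the script runs offline; on the firewall you would pass `dns_resolver` and the real `pfctl` output instead.

```python
"""Check whether an OPNsense URL Table (IPs) alias still covers the
addresses an FQDN blocklist resolves to (added example, not OPNsense code)."""
import ipaddress
import socket

# Constructed sample blocklist in the plain-text format the alias type accepts:
# one entry per line, '#' starts a comment, blank lines are ignored.
SAMPLE_LIST = """\
# DoH resolvers (constructed sample, not a real list)
dns.example-doh.test
doh.example-resolver.test   # inline comments are fine too

198.51.100.5        # bare IPs may be mixed in with FQDNs
203.0.113.0/24
"""

# Constructed output of `pfctl -t <alias> -T show` taken "some time after"
# the alias was last refreshed (hypothetical alias contents).
SAMPLE_PFCTL = """\
   198.51.100.5
   203.0.113.0/24
   192.0.2.10
"""

# Constructed resolver answers standing in for live DNS; note that
# doh.example-resolver.test now points somewhere the table does not contain.
FAKE_DNS = {
    "dns.example-doh.test": ["192.0.2.10", "2001:db8::10"],
    "doh.example-resolver.test": ["192.0.2.20"],
}


def parse_entries(text):
    """Strip comments and blank lines; return the raw entries in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def as_network(entry):
    """Return an ip_network for an IP/CIDR literal, or None if it is an FQDN."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def dns_resolver(fqdn):
    """Live resolver for use on the firewall: all A/AAAA answers as strings."""
    infos = socket.getaddrinfo(fqdn, None)
    return sorted({ai[4][0] for ai in infos})


def expand(entries, resolver):
    """Literal IPs/CIDRs pass through; FQDNs are resolved with `resolver`."""
    networks = set()
    for entry in entries:
        net = as_network(entry)
        if net is not None:
            networks.add(net)
            continue
        for addr in resolver(entry):
            networks.add(ipaddress.ip_network(addr))
    return networks


def parse_pfctl_table(text):
    """Parse `pfctl -t <alias> -T show` output: one address or CIDR per line."""
    return {ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()}


def stale_entries(list_text, pfctl_text, resolver):
    """Networks the list currently resolves to that no table entry contains."""
    wanted = expand(parse_entries(list_text), resolver)
    table = parse_pfctl_table(pfctl_text)
    missing = [n for n in wanted
               if not any(n.version == t.version and n.subnet_of(t) for t in table)]
    return sorted(str(n) for n in missing)


if __name__ == "__main__":
    # Offline demo with the constructed data; swap in dns_resolver and the
    # real pfctl output to check a live alias.
    for net in stale_entries(SAMPLE_LIST, SAMPLE_PFCTL, lambda h: FAKE_DNS[h]):
        print("not covered by alias table:", net)
```

If the script reports anything, either shorten the alias's refresh interval or accept that this approach, like any address-based blocking of a hostname, lags behind DNS changes. A non-empty IPv6 result is also a reminder that the alias has to be applied to IPv6 rules as well, or clients simply switch address family.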
What a nice undocumented feature which can of course be used for many other use cases. 😎
While it's less bulletproof than Suricata or other L7 inspection, it doesn't come with the performance penalties of such tools and is more reliable than pure DNS-based blocking. Keep in mind that the FQDNs are resolved by the firewall when the alias is refreshed, so a resolver that changes addresses (or hands out different ones per client, as CDNs do) can temporarily slip through until the next refresh.