This repository has been archived by the owner on Aug 2, 2021. It is now read-only.

Adblocking does not work with doh and dot #50

Open
maltechx opened this issue May 24, 2021 · 2 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@maltechx

With the following config, adblocking only works on normal DNS, not DoH and DoT.

.:53 https://.:443 tls://.:853 {
    tls fullchain.pem privkey.pem
    ads
    forward . 1.1.1.1
    errors
    reload
}

Basic DNS:

kdig @127.0.0.1 -p 1053 aoredi.com +short
127.0.0.1

DNS over TLS:

kdig @127.0.0.1 +tls-host=localhost  aoredi.com +short
109.206.162.83

Am I doing something wrong or is this intended?

@c-mueller
Owner

c-mueller commented May 25, 2021

Hey there,
first of all, thanks for submitting this issue. This is in fact not intended. Finding the cause for this is probably a nightmare, because I thought CoreDNS itself would handle the HTTP/TLS termination and every call to the plugin would be identical no matter where it originated from. I would presume this assumption was wrong, otherwise this would not occur.

However, there is a workaround to this which has worked for me in the past, at least for DoT. I will look up the config file later and post it here. The main idea is to open a regular DNS endpoint and have DoH / DoT forward to this DNS endpoint. Of course this has some drawbacks, but it worked for me some time ago.

The main reason why I am referring to the workaround is a lack of time from my side to fix this issue in the near future. There are just many things that are more important at the moment.

@c-mueller c-mueller added help wanted Extra attention is needed bug Something isn't working labels May 25, 2021
@c-mueller
Owner

Here's the sample Corefile for the workaround. The last time I used this was with CoreDNS version 1.6.x.

tls://.:853 {
        forward . 127.0.0.1:4053
        tls cert.crt prvkey.key
}

.:4053 {
        ads
        forward . 1.1.1.1
        cache 600
        errors
}
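
A check for the mismatch reported in this thread, added here as an example (not code from the repository or from either commenter): it asks the resolver for a name that should be blocked over plain DNS and over DoT, using the same kdig invocations as the report, and fails if any transport returns something other than the sinkhole address. The function names and the SERVER, PLAIN_PORT, TLS_HOST and SINKHOLE variables are assumptions; their defaults are taken from the commands and output in the report.

```shell
#!/bin/sh
# Added example: compare a blocked name's answer over plain DNS and DoT.
# Defaults mirror the kdig commands in the report; adjust for your setup.
SERVER="${SERVER:-127.0.0.1}"        # resolver under test
PLAIN_PORT="${PLAIN_PORT:-1053}"     # plain-DNS port used in the report
TLS_HOST="${TLS_HOST:-localhost}"    # name expected in the DoT certificate
SINKHOLE="${SINKHOLE:-127.0.0.1}"    # address returned for blocked names

# query <transport> <name>: print the short answer, one record per line.
query() {
    case "$1" in
        plain) kdig "@$SERVER" -p "$PLAIN_PORT" "$2" +short ;;
        dot)   kdig "@$SERVER" "+tls-host=$TLS_HOST" "$2" +short ;;
        *)     echo "unknown transport: $1" >&2; return 2 ;;
    esac
}

# verdict <answers>: BLOCKED if every record is the sinkhole, LEAKED if any
# record is something else, NOANSWER if the query returned nothing.
verdict() {
    [ -n "$1" ] || { echo NOANSWER; return; }
    if printf '%s\n' "$1" | grep -qvxF "$SINKHOLE"; then
        echo LEAKED
    else
        echo BLOCKED
    fi
}

# audit_blocking <name>: print one line per transport; return 1 unless the
# name is blocked on every transport.
audit_blocking() {
    rc=0
    for t in plain dot; do
        ans=$(query "$t" "$1" 2>/dev/null) || ans=""
        v=$(verdict "$ans")
        echo "$t $1 $v"
        [ "$v" = BLOCKED ] || rc=1
    done
    return "$rc"
}

# Run only when a name is given, e.g.:  sh audit.sh aoredi.com
if [ "$#" -gt 0 ]; then audit_blocking "$@"; fi
```

The non-zero exit status makes it usable as a post-deploy or monitoring check after changing the Corefile.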
