DNS-over-HTTPS (DoH) providers not classified as "Proxy & VPN" or similar

Thank you for getting these in there.

That being said, I noticed a couple of issues with the changes that were made:

The following was not correctly categorized as a “Proxy & VPN”. I suspect that the custom port number is causing some difficulty with the import.

• https://doh.seby.io:8443/dns-query

You can still use the following settings in Mozilla Firefox’s about:config page to bypass the CleanBrowsing Family Filter

• “Setting”, “Value”
• “network.trr.mode”, 2
• “network.trr.uri”, “https://doh.cleanbrowsing.org/doh/security-filter/”
• “network.trr.custom_uri”, “https://doh.cleanbrowsing.org/doh/security-filter/”
• “browser.startup.homepage”, “http://www.exampleadultsite.com/|https://www.dnsleaktest.com/|https://www.google.com/”
• “browser.startup.page”, 1

You may have to refresh the page after starting up the browser, but the example adult site loads even when the host operating system has been configured to use CleanBrowsing’s Family Filter.

If CleanBrowsing were to move the DoH service for Security Filtering to a different domain, you should be able to correctly classify it as a “Proxy & VPN” without affecting the other DoH services that enforce adult-content filtering.
For Example:

• From:
  https://doh.cleanbrowsing.org/doh/security-filter/
• To:
  https://security-filter-doh.cleanbrowsing.org/doh/security-filter/
  OR
  https://security-filter-doh.cleanbrowsing.org/

While you are at it, “security-filter-dns.cleanbrowsing.org” should be classified as a “Proxy & VPN” as well.

The other DNS over TLS services are also lacking categorization, but at least they are on separate domains and block adult-content:
https://cleanbrowsing.org/guides/dnsovertls

I expect that such a drastic change in service offerings is a tough move to make for CleanBrowsing. If I were them, I’d probably create custom block page to ensure users of the old DoH service (doh.cleanbrowsing.org) are informed of the pending service change. By monitoring the traffic flowing in, you can better decide whether to block/redirect more content categories (increasing the number of people who will get the message). By starting with the more technical categories, you can target the techies first. Quite frankly, all of the service offerings should be on different domains similar to what they did for the DNS over TLS service. Speaking of which…

I have since found several other sites that offer DNSCrypt, DNS over TLS, and DoH services. They should all be classified as “Proxy & VPN”

The following was sourced from: https://blog.cloudflare.com/welcome-hidden-resolver/

• tor.cloudflare-dns.com

The following were sourced from: https://download.dnscrypt.info/dnscrypt-resolvers/json/public-resolvers.json

• ads-doh.securedns.eu
• dns.twnic.tw
• dns2.developer.li
• doh-ipv6.crypto.sx
• ea-dns.rubyfish.cn
• edns.233py.com
• jp.gridns.xyz
• ndns.233py.com
• public.dns.iij.jp
• sdns.233py.com
• sg.gridns.xyz
• uw-dns.rubyfish.cn
• wdns.233py.com

The following was sourced directly from: https://blahdns.com/

• dot-ch.blahdns.com

The following was sourced from: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

• 2.dnscrypt-cert.oszx.co
• dns-tls.bitwiseshift.net
• dns.bitgeek.in
• dns.larsdebruin.net
• dns.neutopia.org
• dnsotls.lab.nic.cl
• dnsovertls.sinodun.com
• dnsovertls1.sinodun.com
• dnsovertls2.sinodun.com
• dnsovertls3.sinodun.com
• dot-de.blahdns.com
• dot-jp.blahdns.com
• dot.securedns.eu
• dot1.appliedprivacy.net
• dot1.dnswarden.com
• dot2.dnswarden.com
• getdnsapi.net
• iana.tenta.io
• kaitain.restena.lu
• ns1.dnsprivacy.at
• ns2.dnsprivacy.at
• opennic.tenta.io
• privacydns.go6lab.si
• tls-dns-u.odvr.dns-oarc.net
• unicast.censurfridns.dk

The following was sourced from: https://blog.uncensoreddns.org/dns-servers/

• bornfiber.anycast.censurfridns.dk
• deic-lgb.anycast.censurfridns.dk
• deic-ore.anycast.censurfridns.dk
• kracon.anycast.censurfridns.dk
• rgnet-iad.anycast.censurfridns.dk
• solido.anycast.censurfridns.dk

The following was sourced from: https://servers.opennic.org/

• 2.dnscrypt-cert.ns3.ca.luggs.co
• 2.dnscrypt-cert.ns4.ca.luggs.co
• 2.dnscrypt.cert.jolteon.boothlabs.me
• jolteon.boothlabs.me
• 2.dnscrypt-cert.ns2.developer.li
• 2.dnscrypt-cert.opennic.i2pd.xyz
• 2.dnscrypt-cert.ns1.developer.li
• 2.dnscrypt-cert.ns3.ca.luggs.co
• opennic.peer3.famicoman.phillymesh.net
• 2.dnscrypt-cert.opennic.peer3.famicoman.phillymesh.net
• nl.public-dns.lchimp.com
• dnscrypt.nl.public-dns.lchimp.com

The following are general web proxies sourced from: https://wiki.opennic.org/

• proxy.opennic.org
• proxy.dnslibre.com.mx

Most of the DNS over TLS domains I submitted earlier do not appear to have been re-classified yet.
I suspect this is because the protocol runs over a different port. By default, the port is 853. (https://tools.ietf.org/html/rfc7858#section-3.1)

There are a few new DoH providers that should be re-classified as proxy/VPNs:

• https://doh.xfinity.com/dns-query
• https://dohdot.coxlab.net/dns-query
• https://doh-fi.blahdns.com
• https://doh.applied-privacy.net/query
• https://dns.twnic.tw/dns-query
• https://example.doh.blockerdns.com/dns-query

I recommend monitoring the Curl project’s WIKI (https://github.com/curl/curl/wiki/DNS-over-HTTPS/) for changes using GitHub’s revision comparison feature:

• Example:
  https://github.com/curl/curl/wiki/DNS-over-HTTPS/_compare/45717f9ac28d390f41d5d94df648884de832dc92…ded07255b2d8f8e5dec36f4aef09cc924a4b35a6?short_path=5b6d16d#diff-5b6d16d50a79837331d97fff4d83ef1f

Sadly, no. The following DoH and DoT providers are still not blocked:

• 2.dnscrypt-cert.ns1.developer.li
• 2.dnscrypt-cert.ns2.developer.li
• 2.dnscrypt-cert.ns3.ca.luggs.co
• 2.dnscrypt-cert.ns4.ca.luggs.co
• 2.dnscrypt-cert.opennic.i2pd.xyz
• 2.dnscrypt-cert.opennic.peer3.famicoman.phillymesh.net
• 2.dnscrypt-cert.oszx.co
• 2.dnscrypt.cert.jolteon.boothlabs.me
• ads-doh.securedns.eu
• bornfiber.anycast.censurfridns.dk
• deic-lgb.anycast.censurfridns.dk
• deic-ore.anycast.censurfridns.dk
• dns-tls.bitwiseshift.net
• dns.bitgeek.in
• dns.flatuslifir.is
• dns.larsdebruin.net
• dns.neutopia.org
• dns.twnic.tw
• dns2.developer.li
• dnscrypt.nl.public-dns.lchimp.com
• dnsotls.lab.nic.cl
• dnsovertls.sinodun.com
• dnsovertls1.sinodun.com
• dnsovertls2.sinodun.com
• dnsovertls3.sinodun.com
• doh-fi.blahdns.com
• doh-ipv6.crypto.sx
• doh.applied-privacy.net
• doh.blockerdns.com
• doh.dnslify.com
• doh.xfinity.com
• dohdot.coxlab.net
• dot-ch.blahdns.com
• dot-de.blahdns.com
• dot-jp.blahdns.com
• dot.securedns.eu
• dot1.appliedprivacy.net
• dot1.dnswarden.com
• dot2.dnswarden.com
• ea-dns.rubyfish.cn
• edns.233py.com
• getdnsapi.net
• iana.tenta.io
• jolteon.boothlabs.me
• jp.gridns.xyz
• kaitain.restena.lu
• kracon.anycast.censurfridns.dk
• mozilla.cloudflare-dns.com
• ndns.233py.com
• nl.public-dns.lchimp.com
• ns1.dnsprivacy.at
• ns2.dnsprivacy.at
• odvr.nic.cz
• opennic.peer3.famicoman.phillymesh.net
• opennic.tenta.io
• privacydns.go6lab.si
• private.canadianshield.cira.ca
• protected.canadianshield.cira.ca
• public.dns.iij.jp
• rgnet-iad.anycast.censurfridns.dk
• sdns.233py.com
• security.cloudflare-dns.com
• sg.gridns.xyz
• solido.anycast.censurfridns.dk
• tls-dns-u.odvr.dns-oarc.net
• unicast.censurfridns.dk
• uw-dns.rubyfish.cn
• wdns.233py.com
• <i>security-filter-dns.cleanbrowsing.org</i>

Additionally, the previously mentioned Firefox settings illustrate the fact that the DoH services offered by CleanBrowsing for basic security filtering can be used to circumvent the Family Filter DNS service offered by CleanBrowsing over the regular DNS protocol. Solving this issue would require adjustments to the domain names used to offer the DoH service and classifying them accordingly. While separate domains were correctly used for DNS over TLS, the Security Filter is not yet classified as a VPN or Proxy.