Gotcha :)
On Wed, Oct 2, 2019 at 10:41 PM Vadim Pavlov wrote:
> You didn’t get the sarcasm in the previous email :)
> The issue is that you can not 100% block DoH w/o blocking HTTPS. You may
> block well-known domains and IPs but there are many unknown and for
> targeted attacks new servers can
You didn’t get the sarcasm in the previous email :)
The issue is that you can not 100% block DoH w/o blocking HTTPS. You may block
well-known domains and IPs but there are many unknown and for targeted attacks
new servers can be created even behind legit (but compromised) websites.
Vadim
> On O
On Wed, 2 Oct 2019 at 18:04, Blason R wrote:
>
> Block 443? Not even possible since most of the portals/web servers nowadays
> work on TCP/443
>
Pretty sure that's what he meant when he said: "This method of controlling
DoH may have side-effects."
___
Block 443? Not even possible since most of the portals/web servers nowadays
work on TCP/443
On Wed, Oct 2, 2019 at 6:57 PM Alan Clegg wrote:
> On 10/2/19 8:00 AM, Blason R wrote:
> > Hmm that is a good idea to block the DoH queries but what I understood
> > is blocking on perimeter level woul
On 10/2/19 8:00 AM, Blason R wrote:
> Hmm that is a good idea to block the DoH queries but what I understood
> is blocking on perimeter level would be more appropriate.
To nullify the abilities of DoH, you can block port TCP/443.
That is pretty much guaranteed to keep DoH from working, but you ma
Hmm that is a good idea to block the DoH queries but what I understood is
blocking on perimeter level would be more appropriate.
On Wed, Oct 2, 2019 at 4:58 PM Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:
> You cannot block DoH with RPZ but you can block bootstrapping DoH if the
> web
Hi Blason,
Depends on what you mean by “DoH”.
You can disable the Mozilla automatic bootstrap with RPZ:
https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default
That’s the most lightweight option.
The most heavyweight would be a transparent MITM HTTPS proxy/firewal
You cannot block DoH with RPZ but you can block bootstrapping DoH if the
web browser is configured to use "normal" DNS to look up the DoH
endpoint. See also:
https://github.com/bambenek/block-doh
Daniel
On 02.10.19 13:23, Blason R wrote:
> Hi Folks,
>
> Wondering if anyone has any clue or defini
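As an added illustration of the bootstrap-blocking approach Daniel describes (this is not code from the thread or from the linked ISC article), the RPZ zone below returns NXDOMAIN for the Mozilla DoH canary name and for a few well-known DoH endpoint hostnames, so a client that resolves its DoH endpoint over ordinary DNS never completes the bootstrap; the zone name `rpz.local`, the file name and the serial are assumptions, and the endpoint list is illustrative, not exhaustive.

```zone
; Constructed example RPZ zone "rpz.local" (zone name is an assumption).
; Reference it from named.conf with:   response-policy { zone "rpz.local"; };
; and declare it as an ordinary zone, e.g.
;   zone "rpz.local" { type master; file "rpz.local.db"; };
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 2019100201 3600 900 604800 300 )
    IN NS   localhost.

; Firefox canary: an NXDOMAIN answer for this name tells Firefox not to
; enable DoH by default (the "lightweight" option from the thread).
use-application-dns.net       CNAME .
*.use-application-dns.net     CNAME .

; Well-known DoH endpoint hostnames (illustrative; keep the list current,
; e.g. from the bambenek/block-doh list linked above).
; This only stops clients that resolve the endpoint over ordinary DNS; a client
; with a hard-coded resolver IP or an unlisted server is unaffected, as the
; thread points out, and CNAME "." in RPZ means "answer NXDOMAIN".
mozilla.cloudflare-dns.com    CNAME .
cloudflare-dns.com            CNAME .
dns.google                    CNAME .
```

After loading the zone, a query for `use-application-dns.net` against this resolver should return NXDOMAIN, which is the check that the canary is in effect.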
Hi Folks,
Wondering if anyone has any clue or defining policies for blocking DoH [DNS
Over HTTPS] traffic using bind RPZ feature?
Does anyone have any use case about it?
Thanks and Regards,
Blason R