DNS RPZ Protection From DoH
Vadim Pavlov
pvm_job at mail.ru
Wed Oct 2 17:11:06 UTC 2019
You didn’t get the sarcasm in the previous email :)
The issue is that you can not 100% block DoH w/o blocking HTTPs. You may block well-known domains and IPs but there are many unknown and for targeted attacks new servers can be created even behind legit (but compromised) websites.
Vadim
> On Oct 2, 2019, at 10:04, Blason R <blason16 at gmail.com> wrote:
>
> Block 443? Not even possible since most of the portals/web servers now a days works on TCP/443
>
> On Wed, Oct 2, 2019 at 6:57 PM Alan Clegg <alan at clegg.com <mailto:alan at clegg.com>> wrote:
> On 10/2/19 8:00 AM, Blason R wrote:
> > Hmm that is a good idea to block the DOH queries but what I understood
> > is blocking on perimeter level would be more appropriate.
>
> To nullify the abilities of DoH, you can block port TCP/443.
>
> That is pretty much guaranteed to keep DoH from working, but you may
> want to test this solution in the lab before you deploy widely.
>
> This method of controlling DoH may have side-effects.
>
> AlanC
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users <https://lists.isc.org/mailman/listinfo/bind-users> to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
> https://lists.isc.org/mailman/listinfo/bind-users <https://lists.isc.org/mailman/listinfo/bind-users>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20191002/df397724/attachment-0001.html>
More information about the bind-users
mailing list