| ▲ | throw7 3 days ago | |
Does anyone know how to force disable DoH on a network? In https://support.mozilla.org/en-US/kb/canary-domain-use-appli... it says that the canary domain does not apply for users who have made the choice to turn on DoH by themselves. I want to avoid running an sslproxy, and it seems an application level proxy on the firewalls is necessary. | ||
| ▲ | xvdAZh 3 days ago | parent | next [-] | |
Outside of IP-blocking known popular DoH hosts (e.g. https://github.com/jameshas/Public-DoH-Lists, and even then it's not the best since there's overlap with popular DNS hosts like Cloudflare), there's no good way to do it without break-and-inspect. That's because DoH is TLS traffic over 443, just with DNS inside instead of HTTP. | ||
| ▲ | ndriscoll 2 days ago | parent | prev [-] | |
It should be possible to have a firewall rule to default deny outgoing connections and a DNS resolver that tells the firewall to allow a connection only after it has resolved it, but I don't know that there's anything off-the-shelf to do this yet. I imagine DoH providers are also either using known SNIs or ESNI, so you could block both of those. The former approach is where we need to go with security IMO. If you don't have some auditability for why a computer on your network is making an outgoing connection (and ability to inspect/refuse it before it happens), then it should just be blocked. There's no reason for computers you own to reach out to random IPs you don't understand and can't inspect at your gateway. Most computing devices are preloaded with malware these days and need to be treated as untrustworthy by default. | ||