DNS RPZ Protection From DoH

Blason R blason16 at gmail.com
Wed Oct 2 17:39:16 UTC 2019


Gotcha :)

On Wed, Oct 2, 2019 at 10:41 PM Vadim Pavlov <pvm_job at mail.ru> wrote:

> You didn’t get the sarcasm in the previous email :)
> The issue is that you cannot 100% block DoH w/o blocking HTTPS. You may
> block well-known domains and IPs, but there are many unknown ones, and for
> targeted attacks new servers can be created even behind legit (but
> compromised) websites.
>
> Vadim
>
> On Oct 2, 2019, at 10:04, Blason R <blason16 at gmail.com> wrote:
>
> Block 443? Not even possible, since most portals/web servers nowadays
> work on TCP/443
>
> On Wed, Oct 2, 2019 at 6:57 PM Alan Clegg <alan at clegg.com> wrote:
>
>> On 10/2/19 8:00 AM, Blason R wrote:
>> > Hmm, that is a good idea to block the DoH queries, but what I understood
>> > is that blocking at the perimeter level would be more appropriate.
>>
>> To nullify the abilities of DoH, you can block port TCP/443.
>>
>> That is pretty much guaranteed to keep DoH from working, but you may
>> want to test this solution in the lab before you deploy widely.
>>
>> This method of controlling DoH may have side-effects.
>>
>> AlanC
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>