top | item 25314747

(no title)

Dahoon | 5 years ago

>I'm lucky enough to be able to direct ALL DNS through my router first

Even DNS over HTTPS? Do you do packet inspection? Just blocking ports doesn't do much any more. I run an IDS/IPS and it blocks lots of DoH to Google. Apple devices are even worse.

discuss

sbarre|5 years ago

Would you mind sharing a bit more detail on your setup?

low_key|5 years ago

I'm not sure what the commenter's setup is, but I have one that (at least mostly) achieves the same thing. It is a combination of a few things:

1. Redirect all outbound DNS traffic to your own local DNS server (as described in the link in this post) 2. Return NXDOMAIN for well-known DoH domains [1] (as well as "use-application-dns.net" for well-behaving software like Firefox [2]) 3. Block traffic to well-known DoH providers by destination IP address [1]

[1] https://github.com/bambenek/block-doh [2] https://support.mozilla.org/en-US/kb/configuring-networks-di...

ianai|5 years ago

I’m interested too.

bitlevel|5 years ago

Not DNS over HTTPS currently, although investigating a way to MitM the connections with a proxy.