@johnpoz said in Could interface-automatic block pfSense Unbound Resolver from running proper DoH server?:
@ddoh94 said in Could interface-automatic block pfSense Unbound Resolver from running proper DoH server?:
version of Unbound to accept DoH (DNS over HTTPS)
Pretty sure unbound requires nghttp2 to do DoH; is that available in pfSense? I have never looked into it very deeply because, well, I'm not really a fan of either DoT or DoH. Other than blocking my clients from using it ;) I have zero use for either of them...
Sorry, I'm a little bit shocked about you: with so much knowledge, ignoring the fact that DoH/DoT have become standard (because of the incredibly rapidly growing number of DNS-related attacks at both the private business/industrial and the government level) - that looks like not having a "bird's-eye view" of what is happening in the communication world. Am I wrong?
Please accept my apologies again; I appreciate you in general.
While they might have some use in some scenarios, the way browsers are forcing the use of DoH on users who have no clue is not good. And the way it can be leveraged to circumvent local DNS controls is again not good.
But in EVERYDAY REALITY most browsers (Safari, Chrome, Firefox) extensively use DoT/DoH.
So this is the reality (much like the TTL of DNS records decreasing year by year) in which we live.
Other than as a learning exercise, I really can't see a scenario where I would want to use DoH locally. Who would be sniffing DNS traffic on my local secure network? Other than me?
For example: any black-hat hacker who compromises one node and obtains access to one of pfSense's internal LANs. And this is not only about CARP.
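The open question in the exchange above is whether the Unbound shipped with pfSense is built with nghttp2, which Unbound (1.12 or newer) needs to serve DNS over HTTPS. The script below is an added example written for this page, not code posted by either participant or shipped by the pfSense or Unbound projects. It checks the output of `unbound -V` for the nghttp2 marker (the build flag is `--with-libnghttp2`) and, if present, prints the `server:` fragment that enables a DoH listener on 443 and a DoT listener on 853. The certificate/key paths, the LAN address and the sample `unbound -V` text in the test are placeholders and constructed input; on pfSense the binary lives at /usr/local/sbin/unbound, and port 443 collides with the webConfigurator unless the GUI is moved to another port first.

```shell
#!/bin/sh
# Added example for this thread, not pfSense or Unbound project code.
# Assumes: `unbound` is on PATH (pfSense: /usr/local/sbin/unbound); the
# cert/key paths and LAN address passed in are placeholders to replace.

# Read `unbound -V` output on stdin; return 0 when the build lists nghttp2
# (either the --with-libnghttp2 configure flag or nghttp2 among linked libs).
unbound_has_doh() {
    grep -iq 'nghttp2'
}

# Emit a server: fragment that adds a DoH (443) and DoT (853) listener on one
# LAN address next to the usual port 53. Values are illustrative.
doh_server_conf() {
    cert="$1"; key="$2"; lan="$3"
    cat <<EOF
server:
    # extra listeners on the LAN address; port 53 interfaces stay as configured
    interface: ${lan}@443
    interface: ${lan}@853
    https-port: 443
    tls-port: 853
    # one PEM cert/key pair serves both DoH and DoT; must be a real pair
    tls-service-pem: "${cert}"
    tls-service-key: "${key}"
    # path browsers and DoH clients are pointed at: https://<host>/dns-query
    http-endpoint: "/dns-query"
    http-nodelay: yes
EOF
}

# Stand-alone run: probe the installed binary if there is one, otherwise do nothing.
if command -v unbound >/dev/null 2>&1; then
    if unbound -V 2>/dev/null | unbound_has_doh; then
        echo "unbound built with nghttp2: DoH server is possible"
        doh_server_conf /path/to/doh-cert.pem /path/to/doh-key.pem 192.168.1.1
    else
        echo "unbound built without nghttp2: no DoH server (DoT only needs OpenSSL)"
    fi
fi
```

Drop the emitted fragment into the Unbound custom options on pfSense only after the webConfigurator has been moved off 443 and a firewall rule allows LAN clients to reach the listener; a client can then be tested with `curl -H 'accept: application/dns-message'` against `https://<lan-address>/dns-query?dns=<base64url query>` using a certificate the client trusts.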