Going down the DoH wormhole....
-
It screams DPI
-
@deanfourie At one point a couple years ago I did try the pfBlocker method and had issues but I don't recall what they were, now. There is a pretty good writeup on https://github.com/jpgpi250/piholemanual...there is a long PDF for setting up pfSense to use the lists provided.
I have one system, the Dish satellite DVR, where the DVR seemingly uses DNS but its"video on demand" app uses only DoH so I had to allow that. :-/
-
@steveits said in Going down the DoH wormhole....:
app uses only DoH so I had to allow that
that is such BS!!
-
@johnpoz You don't want to know how long it took me to figure out that was the problem. :)
-
@deanfourie said in Going down the DoH wormhole....:
when I add devices?
That is the (only) solution.
Chose what you add to your networks.
After the classic questions as "is it useful" and "do I need it", just add "does it DoH". -
So, just back on this topic.
I'm looking into nDPI. As I use ntopng and really like its capabilities, this library actually looks rather promising and pretty solid!
https://github.com/ntop/nDPI
Whats your thought on installing this alongside pfSense, or even on a separate container?
-
@deanfourie said in Going down the DoH wormhole....:
https://github.com/ntop/nDPI
question for you - while doing dpi on ssl traffic might be viable for say a browser, where you can get the machine to trust your mitm being done. How is that suppose to work for say an iot device using doh?
-
@johnpoz well my guess is, and it is a guess at this stage.
But I would imagine it would then strip the packet down and inspect the header for a DNS request, because as I understand it still has a DNS request hidden inside the HTTPS packet.
Strip it down, and look for any HTTPS traffic with DNS matches and block it.
-
@deanfourie said in Going down the DoH wormhole....:
Strip it down
And again how is that going to be done - you can not do that without the encryption keys for the https session.. This one way to do that is known as man in the middle attack, etc. What can be done is trick the that you are who they are talking to via https, and they send you the stuff encrypted to you.. And then it gets sent on to where your really going via your guy in the middle.
Without that you would have to just plain out break the https encryption to view "inside", ie strip it down.. So how is that going to be done.. mitm is viable with a browser.. But not with iot stuff where you can not tell it to trust your mitm cert, etc..
IDS/IPS as a whole has less and less use with all traffic being encrypted..
Not saying you couldn't look for other patterns in the traffic and possible size of the packets used in talking to the doh server, without having to break the https encryption.. But if that was so easy - I would think it would be all over the place how to do, since many people are not fans of doh or dot..
But the idea off "stripping down" the https communication and looking inside is not so easy - if it was https would be pretty much useless..
-
@johnpoz Yes strip the SSL, inspect, re-encrypt.
Thats the plan. Surely this is possible. Once the SSL is stripped then we can do whatever we like with it.
Otherwise we will just let DoH fester and grow its AIDS inside our networks.
-
@deanfourie Normally MITM is achieved by installing a CA cert on each device and then creating "certificates" on the fly. Can be done on a PC but you can't really install your cert on an IoT device.
Easier to just block DoH per the above and then if you need to, allow a device to use it.
