DoH list

jrey

@JonathanLee

I'm assuming you are DNSBL ing these names,

I run it for a while and see if it picks up anything different than the list I already use..

Current List

Your list

This might be fun. Because it should (in theory) for those actors using the name vs a direct IP, cause a shift in the hit counts from current list to the name list ..

JonathanLee

@jrey Wow you got a big list

JonathanLee

@jrey any change? Can you please send me the list you use if you can access the text file..

Gertjan

@JonathanLee

Firewall > pfBlockerNG > DNSBL > DNSBL SafeSearch ?

jrey

@JonathanLee

Not prepared to give away all the tricks but my graylog - realtime DNSBL logging is showing a few records from your list - I won't have a clear set of numbers until there is more activity Monday to Friday..

your list is the "orange" section on the pie

darcey

@JonathanLee My approach to blocking DoH has been to use IP blocking rather than DNSBL. I'd be interested in knowing the pros & cons of each. It hadn't occurred to me to do it via DNSBL.

jrey

@darcey said in DoH list:

I'd be interested in knowing the pros & cons of each

Too soon to say, but in theory, the names they encode are pretty static, the IP's they point those name to can change in a heart beat... so ....

The best approach for those interested in blocking this, might actually be a combo of both.

Traffic is lower here on a Saturday, so far I haven't noticed a significant shift of blocking from my IP list to @JonathanLee name list. Graylog will tell me if/when it does.
It's also possible the shift may be small if the names are already in another list.. Again once I have a larger volume of data in Graylog I'll be able to match the list by names blocked and see

from Graylog the DNSBL_DoHName is Jonathan's list

Each to their own.

JonathanLee

@Gertjan do you possibly have the URL or text file that is used, this list is massive compared to mine, again a lot of mine was manually done and a lot added on from other lists.

JonathanLee

@jrey so you are getting hits from mine. That token one came from a blacklist doh category. I thought it would have been some mask.apple-dns.net one they are really pushing this one right now manual set dns or not. I have a regex for it they seem to make a new one every couple months

JonathanLee

Researched and found this..

No longer working:
https://heuristicsecurity.com/dohservers.txt
https://raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt
https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt

Still active:

You can also block all public DNS IPs with this feed:
https://public-dns.info/nameservers.txt

https://github.com/dibdot/DoH-IP-blocklists/blob/master/doh-domains.txt

darcey

@jrey said in DoH list:

The best approach for those interested in blocking this, might actually be a combo of both.

I guess it depends how applications, that make use of DoH, determine DoH server IP. I'd completely overlooked the fact that some|most might arrive at this via a regular DNS query. If that is the case for all apps using DoH, then it would seem DNSBL is an appropriate way to block.
AIUI some of the DoH IPs serve stuff other than DoH. The pihole discourse cdn is one case, I believe!
But I suppose there are applications discovering a DoH server IP in ways other than a regular DNS lookup.

jrey

@JonathanLee

I wonder if the mask.apple.... is blocked without logging because it is already on this list

pfBlockerNG -> DNSBL -> DNSBL SafeSearch

JonathanLee

Unbound Resolver can also be configured to use DoH, it works with advanced config. Again would other DoH requests still get around it? Again I wonder about a snort ips/ids signature to see any DoH request. I don’t think it is possible

jrey

@JonathanLee

Sure enough
I unselected it from the list above, reload the DNSBL then dig it
shows up logged from your list ..

difference is when on the DNSBL Safesearch above and you dig (not logged in DNSBL, is logged in dnsreply )
because you get NXDOMAiN

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58941
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;mask.apple-dns.net.		IN	A

When it is not on the list above it falls to your list, is logged and returns

;; ANSWER SECTION:
mask.apple-dns.net.	60	IN	A	10.10.10.1

That being the case the place to put this might be better in the SafeSearch above and not a special DNSBL blocking -- Clearly the NXDOMAIN interception point before user defined DNSBL lists, would cause the (application/website) whatever to not try and get a response from 10.10.10.1 ?

Since the only one from your list that has been logged here is token.safebr.. I might like to confirm next that it is actually DoH traffic going to/from there? Have you?

guess I'll have to look at pulling realtime dnsreply logs in to graylog so I can make another pretty graph lol -

michmoor

@jrey what GROK patterns are you using for dnsbl?

jrey

@michmoor

umm, you can write your own you know..

funny, and there I though the first question someone would ask would be more like wait minute -- DNSBL records to syslog in realtime..

JonathanLee

@darcey some I have found if you block the DoH FQDN start to use an IP address as if it had been coded as a if else statement, so you have to at times block the IP and the FQDN. I don’t understand if an administrator sets the DNS to a firewall and all the sudden a device starts to attempt DoH and bypass admin settings. It’s like wack a mole.

JonathanLee

@jrey the url comes from a blacklist in France, they have had it listed as DoH for years. I have never seen it not blocked on my system. I have never had issues with it being blocked. It would be so simple if there was a standard ips/ids signature for DoH that it could just AppID block, all DoH signatures must act in the same way per protocol design right? I mean it’s not just Apple creating new ones every couple days it’s a list that grows and grows, if we had a simple DoH Snort detection signature all of this could be solved with much less cycles.

https://docs.snort.org/start/rules

There is something we can use to detect DoH use, that way it could be blocked with inline or legacy blocking mode

Gertjan

@JonathanLee said in DoH list:

There is something we can use to detect DoH use

DoH is a TLS data stream going a some destination IP using port 443.

Just by looking at the random bit stream, the size of entire stream open - data exchange and stream end, you might be able to say : hey, that's not a classic web page, but something way smaller like a DNS request. But how to be sure ?

DoH server are special, and by nature their IP addresses are semi static or 'always the same', so they can't hide for long time, they will get known. If you're not sure, throw a DoH DNS request on it, and you'll be sure its a DNS server, as a web server will say 'sorry, error'.

To block DoH the explicit way, there is only one solution : go MITM.