DoH list
-
@Gertjan do you possibly have the URL or text file that is used, this list is massive compared to mine, again a lot of mine was manually done and a lot added on from other lists.
-
@jrey so you are getting hits from mine. That token one came from a blacklist doh category. I thought it would have been some mask.apple-dns.net one they are really pushing this one right now manual set dns or not. I have a regex for it they seem to make a new one every couple months
-
Researched and found this..
No longer working:
https://heuristicsecurity.com/dohservers.txt
https://raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt
https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txtStill active:
You can also block all public DNS IPs with this feed:
https://public-dns.info/nameservers.txthttps://github.com/dibdot/DoH-IP-blocklists/blob/master/doh-domains.txt
-
The best approach for those interested in blocking this, might actually be a combo of both.
I guess it depends how applications, that make use of DoH, determine DoH server IP. I'd completely overlooked the fact that some|most might arrive at this via a regular DNS query. If that is the case for all apps using DoH, then it would seem DNSBL is an appropriate way to block.
AIUI some of the DoH IPs serve stuff other than DoH. The pihole discourse cdn is one case, I believe!
But I suppose there are applications discovering a DoH server IP in ways other than a regular DNS lookup. -
I wonder if the mask.apple.... is blocked without logging because it is already on this list
pfBlockerNG -> DNSBL -> DNSBL SafeSearch
-
Unbound Resolver can also be configured to use DoH, it works with advanced config. Again would other DoH requests still get around it? Again I wonder about a snort ips/ids signature to see any DoH request. I don’t think it is possible
-
Sure enough
I unselected it from the list above, reload the DNSBL then dig it
shows up logged from your list ..
difference is when on the DNSBL Safesearch above and you dig (not logged in DNSBL, is logged in dnsreply )
because you get NXDOMAiN;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58941 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1432 ;; QUESTION SECTION: ;mask.apple-dns.net. IN AWhen it is not on the list above it falls to your list, is logged and returns
;; ANSWER SECTION: mask.apple-dns.net. 60 IN A 10.10.10.1That being the case the place to put this might be better in the SafeSearch above and not a special DNSBL blocking -- Clearly the NXDOMAIN interception point before user defined DNSBL lists, would cause the (application/website) whatever to not try and get a response from 10.10.10.1 ?
Since the only one from your list that has been logged here is token.safebr.. I might like to confirm next that it is actually DoH traffic going to/from there? Have you?
guess I'll have to look at pulling realtime dnsreply logs in to graylog so I can make another pretty graph lol -
-
@jrey what GROK patterns are you using for dnsbl?
-
umm, you can write your own you know..
funny, and there I though the first question someone would ask would be more like wait minute -- DNSBL records to syslog in realtime..
-
@darcey some I have found if you block the DoH FQDN start to use an IP address as if it had been coded as a if else statement, so you have to at times block the IP and the FQDN. I don’t understand if an administrator sets the DNS to a firewall and all the sudden a device starts to attempt DoH and bypass admin settings. It’s like wack a mole.
-
@jrey the url comes from a blacklist in France, they have had it listed as DoH for years. I have never seen it not blocked on my system. I have never had issues with it being blocked. It would be so simple if there was a standard ips/ids signature for DoH that it could just AppID block, all DoH signatures must act in the same way per protocol design right? I mean it’s not just Apple creating new ones every couple days it’s a list that grows and grows, if we had a simple DoH Snort detection signature all of this could be solved with much less cycles.
https://docs.snort.org/start/rules
There is something we can use to detect DoH use, that way it could be blocked with inline or legacy blocking mode
-
@JonathanLee said in DoH list:
There is something we can use to detect DoH use
DoH is a TLS data stream going a some destination IP using port 443.
Just by looking at the random bit stream, the size of entire stream open - data exchange and stream end, you might be able to say : hey, that's not a classic web page, but something way smaller like a DNS request. But how to be sure ?
DoH server are special, and by nature their IP addresses are semi static or 'always the same', so they can't hide for long time, they will get known. If you're not sure, throw a DoH DNS request on it, and you'll be sure its a DNS server, as a web server will say 'sorry, error'.
To block DoH the explicit way, there is only one solution : go MITM.
