Doh and chat gpt
-
@JonathanLee said in Doh and chat gpt:
having issues with cloud flare
Well, here in Europe most news outlets, since this morning, let's say around "12h00 GMT" informs us that Cloud Flare has mega issues world-wide.
A bit like AWS (Amazon) a couple of weeks ago.
I've already found some business sites that I use that telle me :
So, my company uses accounting software is down for me (a local Windows 11 execrable that uses a login that use CloudFlare ...).
The big ones that are out : Chat-something and Twitter (X).
-
@Gertjan yeah this wasn't just EU, maybe it started there but this was global
https://www.techradar.com/pro/live/a-cloudflare-outage-is-taking-down-parts-of-the-internet
Just google cloudflare outage.. All the sites I was having issues with are now back online.
They put out their post-mortem
-
The next world war should be a hoot!
-
https://redmine.pfsense.org/issues/14558
I mean there has to be a way to make doh work and clients use pfSense to resolve doh
Make sure to upvote
-
https://forum.netgate.com/topic/195948/mime-type-for-doh
It can be parsed in traffic
-
@JonathanLee said in Doh and chat gpt:
I mean there has to be a way to make doh work and clients use pfSense to resolve doh
Unbound ... using Using DoH implies that the pfSense GUI, also listening on port 443, TCP, has to 'go elsewhere'. Hummm ...
This nghttp2 library, and all it's dependencies (!) has to be included / compiled in.Just so I understand this feature request : local DoH would be nice if you can't trust your local LANs, right ? This would be your own cables and Wifi links ... That's why ?
How does the LANs client side work ? This won't be 'plug and play'. There is, imho, no such thing as 'tell the DHCP server to tell de DHCP client that there is a DoH DHCP option' which means that every DoH has to be setup 'manually = manual DNS DoH setup for every device.
@JonathanLee said in Doh and chat gpt:
https://forum.netgate.com/topic/195948/mime-type-for-doh
Wait ...
You want DoH ?
Or you don't want (block), DoH ?No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@Gertjan it’s a test I can block and spot the DoH with Squid fully if you block all so many windows 11 items stop working. It’s a fun test to play with from a cyber security perspective.
-
@Gertjan does any rfc like
RFC8484 exist info on how to do that -
RFC8484 = DoH.
How to do what ?No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@Gertjan no…. If one exists for using using your own doh server… like regular dns resolvers where you can tell a device stop using unlimited unknown doh services only use this one… there has to be something
-
@Gertjan “In January 2021, NSA warned enterprises against using external DoH resolvers because they prevent DNS query filtering, inspection, and audit. Instead, NSA recommends configuring enterprise-owned DoH resolvers and blocking all known external DoH resolvers.[48]”
…..Enterprise owned DoH resolvers ??? meaning there is one out there for how to do this.
Ref https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2471956/nsa-recommends-how-enterprises-can-securely-adopt-encrypted-dns/
It is safe to say that that if they recommend to do this there is a way and Unbound DNS resolver has ways to do it but how do you make sure your clients are configured to only use that one DoH server? That is where some RFC# has got to come on because currently there is no settings on iMac or on Windows etc and or browsers to lock down to a single DoH if there is a RFC there might be a way
I mean look at this small list ...
jp.tiar.app dns.nextdns.io captnemo.in example.doh.blockerdns.com doh.securedns.eu dns.dns-over-https.com firefox.dns.nextdns.io mozilla.cloudflare-dns.com doh.dns.apple.com i.233py.com opencdn.jomodns.com dns.233py.com edns.233py.com ndns.233py.com sdns.233py.com wdns.233py.com dns-gcp.aaflalo.me dns-nyc.aaflalo.me dns.aaflalo.me doh.abmb.win dns.adguard.com dns-family.adguard.com dns-unfiltered.adguard.com dns.adguard-dns.com family.adguard-dns.com unfiltered.adguard-dns.com doh.nl.ahadns.net doh.in.ahadns.net doh.la.ahadns.net doh.ny.ahadns.net doh.pl.ahadns.net doh.it.ahadns.net doh.es.ahadns.net doh.no.ahadns.net doh.chi.ahadns.net dot.nl.ahadns.net dot.in.ahadns.net dot.la.ahadns.net dot.ny.ahadns.net dot.pl.ahadns.net dot.it.ahadns.net dot.es.ahadns.net dot.no.ahadns.net dot.chi.ahadns.net dnsnl.alekberg.net dnsse.alekberg.net dns.alidns.com doh.appliedprivacy.net doh.applied-privacy.net dot1.applied-privacy.net doh.armadillodns.net dohtrial.att.net doh1.blahdns.com doh2.blahdns.com doh.bortzmeyer.fr dns.brahma.world free.bravedns.com bravedns.com doh.captnemo.in canadianshield.cira.ca family.canadianshield.cira.ca private.canadianshield.cira.ca protected.canadianshield.cira.ca dns.cloudflare.com cloudflare-dns.com 1dot1dot1dot1.cloudflare-dns.com family.cloudflare-dns.com mozilla.cloudflare-dns.com security.cloudflare-dns.com cloudflare-gateway.com doh.cleanbrowsing.org security-filter-dns.cleanbrowsing.org adult-filter-dns.cleanbrowsing.org family-filter-dns.cleanbrowsing.org dns.cmrg.net commons.host dns.containerpi.com doh.crypto.sx jit.ddns.net dns.decloudus.com doh.defaultroutes.de dns.developer.li dns2.developer.li dns.digitale-gesellschaft.ch dns1.digitale-gesellschaft.ch dns2.digitale-gesellschaft.ch doh.disconnect.app ns1.recursive.dnsbycomodo.com ns2.recursive.dnsbycomodo.com dnsforge.de dns.google dns64.dns.google dns.dnshome.de dns1.dnscrypt.ca dns2.dnscrypt.ca doh.dns.sb public-dns-a.dns.sb public-dns-b.dns.sb doh.dnslify.com a.ns.dnslify.com b.ns.dnslify.com a.safe.ns.dnslify.com b.safe.ns.dnslify.com a.family.ns.dnslify.com b.family.ns.dnslify.com dns.dnsoverhttps.net doh.dnswarden.com doh.li doh.ffmuc.net dot.ffmuc.net rdns.faelix.net pdns.faelix.net dns.flatuslifir.is dns.google.com google-public-dns-a.google.com google-public-dns-b.google.com query.hdns.io ordns.he.net dns.hostux.net opennic.i2pd.xyz public.dns.iij.jp jcdns.fun us1.dns.lavate.ch eu1.dns.lavate.ch resolver-eu.lelux.fi doh.libredns.org dot.libredns.gr.com dot.libredns.gr doh.libredns.gr adblock.mydns.network dns.neutopia.org dns.aa.net.uk dns.nextdns.io dns1.nextdns.io dns2.nextdns.io odvr.nic.cz lv1.nixnet.xyz ny1.nixnet.xyz lux1.nixnet.xyz dns.njal.la doh.opendns.com doh.familyshield.opendns.com doh.sandbox.opendns.com resolver1.opendns.com resolver2.opendns.com resolver1-fs.opendns.com resolver2-fs.opendns.com dns.oszx.co a.passcloud.xyz i.passcloud.xyz doh.post-factum.tk doh.powerdns.org rpz-public-resolver1.rrdns.pch.net dns.pumplex.com dns.quad9.net dns9.quad9.net dns10.quad9.net dns11.quad9.net dns12.quad9.net dns13.quad9.net dns-nosec.quad9.net dns.rubyfish.cn ea-dns.rubyfish.cn uw-dns.rubyfish.cn rumpelsepp.org dns1.ryan-palmer.com doh.seby.io doh-2.seby.io dot.seby.io dnsovertls.sinodun.com dnsovertls1.sinodun.com dnsovertls2.sinodun.com dnsovertls3.sinodun.com fi.doh.dns.snopyta.org fi.dot.dns.snopyta.org dns.switch.ch ibksturm.synology.me dns.t53.de dns.therifleman.name doh.tiar.app dot.tiar.app doh.tiarap.org jp.tiar.app jp.tiarap.org dns.twnic.tw dns.wugui.zone dns-asia.wugui.zone adfree.usableprivacy.net doh.xfinity.com dns.sb 8888.google chromium.dns.nextdns.io doh.quickline.ch doh-02.spectrum.com doh-01.spectrum.com mask.icloud.com mask-h2.icloud.com dandelionsprout.asuscomm.com basic.rethinkdns.com max.rethinkdns.com anycast.dns.nextdns.io token.safebrowsing.apple mask.apple-dns.net ussjc1.mask.apple-dns.net global-wrr.mask.apple-dns.net north-america-mask.wrr.mask.apple-dns.net dns.mullvad.net adblock.dns.mullvad.net base.dns.mullvad.net extended.dns.mullvad.net family.dns.mullvad.net all.dns.mullvad.net doh.opendns.com doh.familyshield.opendns.comIt just gets bigger and bigger this is a big need on pfsense for unbound to have DoH abilities as protocol and procedures are developed in depth... can't drop the ball, the NSA is making recommendations for DoH I mean that is how serious it is. Obscurity and polymorphism within DoH are creating a market niche and the need to find a solutions to this. It is complex.
Ref: https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html
Unbound does have an ability to configure it but how do you lock down the system to force use of it …
-
@JonathanLee said in Doh and chat gpt:
Unbound does have an ability to configure it but how do you lock down the system to force use of it …
That would be a question for the OS people, not pfsense.. Pfsense has no method of forcing a OS to do anything.. You can block network stuff. If you want to look how to lock windows to using a specific doh server - then look to gpo, or ask ms.. Or apple if its a macOS, etc.
