MS activated DoH at the operating system level, in this "great" 20H2 release...?!
-
Doh does not use tcp on 53.. that is just normal dns for large stuff.. doh is over port 443.. Just like every other https site on the planet - which is why its a pita to try and block. dot on the other hand is easy because it uses 853..
-
But I'm still curious if DNS is using TCP to get a resolve.
I dont know the in-depths of PfBlockerNG or the way in which unbound works, if it used UDP only then this might help, if not and it relies on the returned results, not the lookup directly then fine.
I was just noting the TCP on port 53 for DNS in case it was not known. I am aware of DoH and 443 though.
As a final paragraph, i am not a network guy, but trying to help and in return learning a lot, so even if i am not helpful in my replies at present, i learn a lot from you guys and hope to be able to give back in the future with more meaningful and helpful posts
-
@rod-it Yes for DNS using TCP.
Reply packets that are to big for UDP will be re send using the more adequate TCP.
This can happens when DNSSEC traffic is used.I's a known pitfall : letting port 53 UDP traffic going in and out, and forgetting about TCP.
And complaining 'DNS' doesn't work well ...... -
you can try use squid proxy in ssl bump mode to block
application/dns-message
media typesee https://tools.ietf.org/html/rfc8484#section-6
and https://medium.com/nlnetlabs/dns-over-https-in-unbound-c7a407e8480 -
@rod-it said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:
But I'm still curious if DNS is using TCP to get a resolve.
It could. Blocking a client from talking to dns over 53 tcp could cause issues..
Now the 512 limit before switching to tcp has really been removed with support for edns.. But you never know what a query might return.. And what features of dns are supported by either the client or the dns server your talking to..
Its not a good idea to block dns over 53 on tcp.. While you may never run into a problem - when you do.. It could be problematic finding the issue.
But since doh or dot does not use dns over tcp 53.. Blocking it wouldn't get you anything.. Off the top I can not think of any reason why you would want or need to block dns over tcp 53.. But there are reasons why that could cause you issues..
I would not suggest not allowing dns over tcp 53.
-
@rod-it said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:
If you are using a firewall rule to allow only specific outbound rules, is DNS configured to allow TCP or just UDP or port 53?
Hi,
thank you for the comment
we won't let anything out of the firewall (box) at 53
the internal network communicates only with pfSense on port 53, outward DoT 853https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
or not beautiful but effective
https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html
++edit:
https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details -
@daddygo said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:
DoT
DoT : WTF ?!
-
@gertjan said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:
WTF
I haven't even seen this, hahaha...
Former and twitter guru president, he would love this very much pmurTRather RFC7858
+++edit:
and / Yes EDNS vs. CloudFlare = I share this view
-
@gertjan said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:
DoT : WTF ?!
ROFL ;)
-
@johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:
ROFL ;)
This will be the future with DoH:
-
@provels said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:
What would happen to those of us using the resolver and talking to the roots?
Hello everyone...
Okay (hmmm, how should I start, OK I already know), I’ll post a new and great evidence on this theme (Win10 _20H2 vs. DoH) in 2021, so I am not doing it now, ...because I want to (sorry,....I would like to)..... and I would like to wish a beautiful Christmas and a pleasant New Year holiday to everyone, but then comes the dread in 2021....HOHOHO..HAHAHA, like bird flu H1N1 - Winflu 20H2 - HIHIHI
-it wasn't a good joke, though it looks a bit similar..... (so, "give me five")
(I am using roaring emoticons , not like others :)- of course only for those who like to control their own DNS stuff -
I look forward to seeing everyone, if you are interested in the future... and theDNS theme
BTW (preliminary):
the encouraging test environments: (4 colleagues, 4 separate locations (in EU), 4 external pfSense installations - same Win image - 20H2)+++edit:
MY new year "vow" WILL BE that I wont be createing less colorful posts and+++edit2:
anyway, I use windows everyday (to my stuff)
well, that's a joke (so I got upset)