MS activated DoH at the operating system level, in this "great" 20H2 release...?!

johnpoz

Doh does not use tcp on 53.. that is just normal dns for large stuff.. doh is over port 443.. Just like every other https site on the planet - which is why its a pita to try and block. dot on the other hand is easy because it uses 853..

Rod-It

But I'm still curious if DNS is using TCP to get a resolve.

I dont know the in-depths of PfBlockerNG or the way in which unbound works, if it used UDP only then this might help, if not and it relies on the returned results, not the lookup directly then fine.

I was just noting the TCP on port 53 for DNS in case it was not known. I am aware of DoH and 443 though.

As a final paragraph, i am not a network guy, but trying to help and in return learning a lot, so even if i am not helpful in my replies at present, i learn a lot from you guys and hope to be able to give back in the future with more meaningful and helpful posts

Gertjan

@rod-it Yes for DNS using TCP.
Reply packets that are to big for UDP will be re send using the more adequate TCP.
This can happens when DNSSEC traffic is used.

I's a known pitfall : letting port 53 UDP traffic going in and out, and forgetting about TCP.
And complaining 'DNS' doesn't work well ......

viktor_g

you can try use squid proxy in ssl bump mode to block application/dns-message media type

see https://tools.ietf.org/html/rfc8484#section-6
and https://medium.com/nlnetlabs/dns-over-https-in-unbound-c7a407e8480

johnpoz

@rod-it said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

But I'm still curious if DNS is using TCP to get a resolve.

It could. Blocking a client from talking to dns over 53 tcp could cause issues..

Now the 512 limit before switching to tcp has really been removed with support for edns.. But you never know what a query might return.. And what features of dns are supported by either the client or the dns server your talking to..

Its not a good idea to block dns over 53 on tcp.. While you may never run into a problem - when you do.. It could be problematic finding the issue.

But since doh or dot does not use dns over tcp 53.. Blocking it wouldn't get you anything.. Off the top I can not think of any reason why you would want or need to block dns over tcp 53.. But there are reasons why that could cause you issues..

I would not suggest not allowing dns over tcp 53.

DaddyGo

@rod-it said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

If you are using a firewall rule to allow only specific outbound rules, is DNS configured to allow TCP or just UDP or port 53?

Hi,

thank you for the comment

we won't let anything out of the firewall (box) at 53
the internal network communicates only with pfSense on port 53, outward DoT 853

https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

or not beautiful but effective

https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html

++edit:
https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details

Gertjan

@daddygo said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

DoT

DoT : WTF ?!

DaddyGo

@gertjan said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

WTF

I haven't even seen this, hahaha...
Former and twitter guru president, he would love this very much pmurT

Rather RFC7858

+++edit:

and / Yes EDNS vs. CloudFlare = I share this view

johnpoz

@gertjan said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

DoT : WTF ?!

ROFL ;)

DaddyGo

@johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

ROFL ;)

This will be the future with DoH:

DaddyGo

@provels said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

What would happen to those of us using the resolver and talking to the roots?

Hello everyone...

Okay (hmmm, how should I start, OK I already know), I’ll post a new and great evidence on this theme (Win10 _20H2 vs. DoH) in 2021, so I am not doing it now, ...because I want to (sorry,....I would like to)..... and I would like to wish a beautiful Christmas and a pleasant New Year holiday to everyone, but then comes the dread in 2021....HOHOHO..HAHAHA, like bird flu H1N1 - Winflu 20H2 - HIHIHI

-it wasn't a good joke, though it looks a bit similar..... (so, "give me five")
(I am using roaring emoticons , not like others :)

• of course only for those who like to control their own DNS stuff -

I look forward to seeing everyone, if you are interested in the future... and theDNS theme

BTW (preliminary):
the encouraging test environments: (4 colleagues, 4 separate locations (in EU), 4 external pfSense installations - same Win image - 20H2)

+++edit:
MY new year "vow" WILL BE that I wont be createing less colorful posts and

+++edit2:
anyway, I use windows everyday (to my stuff)
well, that's a joke (so I got upset)