Any way to TRULY block DNS over https (doh)?



  • I've seen many posts regarding doh and am aware of the ways to configure your network to ASK clients not to use doh. I am looking for a way to confirm and enforce that it is not being used.

    There really needs to be a change in the stated support for MITM in pfsense to become a big boy and there has to be a supported way in the future to crack open this traffic on your own network.

    Whole platforms of IoT and devices are being weaponized by the device and app creators against the owners of the devices, and now web browsers and other applications are going down the same road and doing IP lookups that we have no way of seeing and filtering as the owners of the devices and networks in our homes and businesses. If anyone thinks doh is about privacy, they have their head in the sand. It's ultimately about them taking control back and being able to bypass adblocking and do more subversive user tracking without us being able to see even the site lookups.


  • LAYER 8 Global Moderator

    This is a very good question... Currently the only way to block it would be via blocking the known doh servers, and/or the dns to said doh servers.. I have started doing this - but this list is going to grow very quickly and get very difficult to handle.. And it doesn't stop the ability to just use doh to an unknown server, etc. This is more an attempt to detect known software doing something they have not actually stated they are doing than trying to stop bad stuff. Have yet to see any hits - so that is a good thing.

    What is nice about the dot protocol is it runs on a specific port, which you can just block... That being said they could just run dot on any other common port and you really wouldn't be able to know..

    The big problem here to be honest, is once you open anything outbound - a bad actor can tunnel really anything they want out, no matter what port you have open. So stopping a truly bad actor is not possible in the overall picture of what is possible.

    And I agree this is not about user privacy at all - it is about control... I read something the other day which could make sense as to why some ISPs are against this... Not so much that they are tracking you or whatever... But many users just default to using the ISP dns, so when a user goes to somewhere with a typo or whatever - the ISP can send you to a parking domain, etc. Which is an income stream, that could be taken away from them if the browser is forwarding all dns to not them..

    This is just another part of the bigger picture... They can say it's about user privacy all they want - it's clear that is not the case... Applications should not be doing dns, that should be left to the OS to do if you ask me!!! If I want to use doh or dot, then I will set it up on the OS.. Applications should be worried about doing their application shit, and not looking up dns stuff..



  • I've been thinking about ways to potentially handle it... maybe with snort or suricata rules that check for any communications to sites that have not had a dns lookup on them. Someone else mentioned that Opnsense has a plugin called bro that can do some magic with tcp headers to get part of the way toward identifying the doh traffic.

    On a soapbox rant, but there really needs to be some government regulation regarding closed ecosystems and encrypted traffic. I understand that encrypted traffic should be hidden from prying eyes, but that encryption should never be hidden from the owner of a device. There should be regulation in place that enforces that all IoT devices or services on PCs be able to accept proxy certs from the owner of a device and network so that they can see traffic on their own networks and devices. It would frighten the hell out of most device makers today if that happened and we got to shine a light on the data they are sending out of our networks about us.




  • LAYER 8 Global Moderator

    I concur with pretty much everything being said there ;) doh is not a good thing to be sure..

    Dot is a better option... I can set it up if I want to use it... Shouldn't be done at the application level.


  • LAYER 8 Global Moderator

    @rtkluttz said in Any way to TRULY block DNS over https (doh)?:

    encryption should never be hidden from the owner of a device. There should be regulation in place that enforces that all IoT devices or services on PCs be able to accept proxy certs from the owner of a device and network so that they can see traffic on their own networks and devices. It would frighten the hell out of most device makers today if that happened and we got to shine a light on the data they are sending out of our networks about us.

    I like this idea to be honest.. Just don't know how you would get that passed... But yeah that would keep them all honest on exactly what info they are gathering ;)

