    MS activated DoH at the operating system level, in this "great" 20H2 release...?!

    pfBlockerNG
    • DaddyGo
      DaddyGo last edited by

      Just for the sake of the test we installed the new Win10 release (20H2 clean install) and ...

      The pfBlockerNG is currently unable to do anything at this point...! and / or :-) ?

      a blocked target on a Win10 1909 machine, for example (msftncsi.com or o.ss2.us):

      f732a321-e6e1-4462-8362-b9b49b36843b-image.png

      or

      b48e8307-caea-40d6-9e26-bb8a717fb20e-image.png

      2020-11-19_17h05_08.jpg

      the same on a 20H2 windows machine:

      2020-11-19_17h16_45.png

      or

      2020-11-19_17h18_16.png

      o.ss2.us = redirect to https://www.starfieldtech.com/

      2020-11-19_17h19_22.png

      the network settings are exactly the same on the two computers (except IPs RFC1918, :-)):

      PC config via DHCP - pfSense DNS - pfBlockerNG

      one more fact:
      msftconnecttest.com, bypass pfBlockerNG here:

      2020-11-19_17h35_24.png

      🤔 😟

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by johnpoz

        Where did they do this at the OS level.. You're testing in a browser - browsers like to enable doh sure... But I don't recall any mention of doh being enabled at the os level?

        I'm running 20h2
        Microsoft Windows [Version 10.0.19042.630]

        And OS is still using my local dns..

        I flushed my local dns.. ipconfig /flushdns - and then dig a simple ping

        ping www.msftncsi.com
        
        Pinging a1961.g2.akamai.net [75.76.84.8] with 32 bytes of data:
        Reply from 75.76.84.8: bytes=32 time=20ms TTL=54
        Reply from 75.76.84.8: bytes=32 time=19ms TTL=54
        

        You can see from sniff it asked my local dns

        sniff.png

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

        • DaddyGo
          DaddyGo @johnpoz last edited by DaddyGo

          @johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

          Where did they do this at the OS level.

          https://www.windowslatest.com/2020/05/14/windows-10-is-getting-dns-over-https-doh-support/

          and

          there is only one bare Firefox on the test machine, with this:

          about:config
          network.trr.mode 5

          +++edit:

          BTW:
          this is a couple of hours of a really fresh installation with an image downloaded from our MS VLSC

          not constantly updated, starting from 1909, for example

          5ac96a14-db24-4b7a-a901-86c468f755ed-image.png

          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by johnpoz

            For it to work on the OS you would have to point to specific doh dns..

            While you can enable it - from here for example
            https://lifehacker.com/how-to-turn-on-dns-over-https-for-all-apps-in-windows-1-1843544589

            Where did they state it would be the default configuration?? See my edit above where I did a simple ping so the OS would resolve and where it got its answer from, etc. via sniff on the box.

            edit: Also from my understanding the reg entry would have to be there.

            also.png

            • DaddyGo
              DaddyGo @johnpoz last edited by DaddyGo

              @johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

              edit: Also from my understanding the reg entry would have to be there.

              I know this post....no entry I have already checked ☹ - already as I meant "2"

              but:

              I understand that, but did you see Wireshark?

              MS connecttest is disabled everywhere on the network, but on this one machine, pfBlockerNG is bypassed
              (since connecttest runs on an external web server of its own)

              in addition, it uses a new MS IP (for me new): 13.107.4.52 - instead of this 131.107.255.255
              where does it get DNS from?

              ++edit:

              2020-11-19_18h21_32.png

              and

              2020-11-19_18h23_09.png

              • johnpoz
                johnpoz LAYER 8 Global Moderator last edited by johnpoz

                Well that IP reports back with a footprintdns name - So I would assume it's some tracking IP for something..

                wget https://13.107.4.52
                --2020-11-19 12:12:43--  https://13.107.4.52/
                Connecting to 13.107.4.52:443... connected.
                    ERROR: certificate common name ‘*.clo.footprintdns.com’ doesn't match requested host name ‘13.107.4.52’.
                

                If you hit it up using a name that matches you get back some sort of canary something?

                root@NewUC:/home/user# cat index.html 
                <?xml version="1.0" encoding="utf-8"?>
                <canaryresponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" currenttime="2020-11-19T18:13:35.6198632Z">
                  <instanceset>
                    <instance isresponder="true">
                      <datacenter>fra</datacenter>
                      <cluster>fra21prdapp03</cluster>
                      <canary>fra21prdapp03-canary</canary>
                      <canaryservicetype>IPv6</canaryservicetype>
                      <fd>0</fd>
                      <ud>0</ud>
                      <instanceid>b5d731fa4a1d487b9c36124ac47d3ae1</instanceid>
                      <dip>10.0.0.83</dip>
                      <canaryversion>1.0.5.751</canaryversion>
                    </instance>
                  </instanceset>
                

                I can tell you one thing - the day windows defaults to doh, will be the day I wipe my windows machine and go pure linux..

                • DaddyGo
                  DaddyGo @johnpoz last edited by DaddyGo

                  @johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

                  If you hit it up using a name that matches you get back some sort of canary something?

                  Nope..
                  The WS *.pcap basically shows port 80, hmmmm
                  the way it works http - http://www.msftconnecttest.com/connecttest.txt
                  or
                  http://www.msftncsi.com/ncsi.txt

                  therefore I am completely lost...it can be inside in advance...
                  but as you can see it downloads the connecttest.txt file
                  200 OK

                  and pfBlockerNG is bypassed!

                  13.107.4.52...- <h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p>08Lu2XwAAAADuj8s0xzLNRqgGp76wBEbWTElTMDFFREdFMDMxNQBFZGdl

                  @johnpoz "I can tell you one thing - the day windows defaults to doh, will be the day I wipe my windows machine and go pure linux.."

                  I’m already half on Linux, precisely because of such bullshit :)

                  ++edit:

                  https://www.shodan.io/host/13.107.4.52

                  9a3727bd-6a2d-423c-9f4c-c1816fe2e303-image.png

                  f38f038d-7ad6-403b-8517-9e2ce3cb2fdf-image.png

                  • S
                    SteveITS @DaddyGo last edited by

                    @DaddyGo said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

                    it uses a new MS IP (for me new): 13.107.4.52 - instead of this 131.107.255.255
                    where does it get DNS from?

                    Well that's the one I get:
                    dig www.msftconnecttest.com @8.8.4.4

                    ; <<>> DiG 9.16.5 <<>> www.msftconnecttest.com
                    ;; global options: +cmd
                    ;; Got answer:
                    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34855
                    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

                    ;; OPT PSEUDOSECTION:
                    ; EDNS: version: 0, flags:; udp: 4000
                    ;; QUESTION SECTION:
                    ;www.msftconnecttest.com. IN A

                    ;; ANSWER SECTION:
                    www.msftconnecttest.com. 3542 IN CNAME v4ncsi.msedge.net.
                    v4ncsi.msedge.net. 18 IN CNAME ncsi.4-c-0003.c-msedge.net.
                    ncsi.4-c-0003.c-msedge.net. 10 IN CNAME 4-c-0003.c-msedge.net.
                    4-c-0003.c-msedge.net. 56 IN A 13.107.4.52

                    Steve

                    Only install packages for your version, or risk breaking it. If yours is older, select it in System/Update/Update Settings.
                    When upgrading, let it finish. Allow 10 minutes or more depending on packages and device speed.

                    • viktor_g
                      viktor_g Netgate last edited by

                      you can try to use DoH feeds in pfBlockerNG,
                      see https://redmine.pfsense.org/issues/10969

                      also https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt

                      and (all public DNS servers):
                      https://public-dns.info/nameservers.txt

                      • DaddyGo
                        DaddyGo @viktor_g last edited by DaddyGo

                        @viktor_g said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

                        you can try to use DoH feeds in pfBlockerNG,

                        thanks for the advice, but we’ve been past that for a long time 😉

                        https://forum.netgate.com/topic/157500/blocking-dns-over-https-seems-the-only-way-is-to-fire-a-shotgun-at-it/30
                        https://public-dns.info/nameservers.txt
                        https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall_ipv4

                        or but it has not been available for some time....
                        https://heuristicsecurity.com/dohservers.txt

                        UNBOUND Custom:
                        server:
                        local-zone: "use-application-dns.net" always_nxdomain
                        local-zone: "cloudflare-dns.com" static

                        +++edit:
                        65197508-a09d-4356-9510-bb604279c5ee-image.png

                        it is a long-established system, only a certain test PC has this condition, which is win10 20H2

                        +++edit:

                        yesterday, I downloaded (fresh - crunchy 😉 ) this "image" from our own MS VLSC account...

                        true this is an account which is attached to MS Insider program, but the image was not marked as beta

                        • DaddyGo
                          DaddyGo @SteveITS last edited by DaddyGo

                          @teamits said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

                          Well that's the one I get:

                          Yes, there's the IP 13.107.4.52

                          a4c4aeb7-4f80-4bf7-8f3f-58847ce6c29b-image.png

                          but, the IP according to the win registry...131.107.255.255

                          824fa28d-ffed-4a6e-8379-2b54fb67c9dd-image.png

                          2ee784c0-9ec5-40be-a2d4-fcdcef7b0999-image.png

                          pfBlockerNG (from Win10 1909 PC):

                          25ae80c8-96bd-47d9-8ebe-36ba158f848a-image.png

                          on the new PC (20H2), the request does not pass through pfBlockerNG, directly download the connecttest.txt from this IP 13.107.4.52

                          +++edit:

                          So the situation is changing, when I go back to 1909 and 2004 everything works as expected....
                          (everything is the same in the network environment, everything....)

                          The pfBlockerNG works great!!!

                          who wants to test this "image 20H2" I'd love to upload it somewhere...
                          (DropBox, MEGA, etc)

                          thoughts,

                          -when on an older "win" installation (what you have), you keep moving up with versions 1803, 1909, 2004, etc.
                          (the behavior is not the same as a clean installation)

                          -I have now done a clean installation with 20H2 from a VLSC image and I'm not a fool and/or beginner, there are trivial problems here...

                          in the post I not only presented the MS connect test, there is another domain that behaves this way...
                          see this: o.ss2.us

                          I haven't tested any more steps....
                          (what I know is that I get the same in a VM environment)

                            • johnpoz
                              johnpoz LAYER 8 Global Moderator last edited by johnpoz

                              Not saying you haven't found something odd. But I don't agree with your wording. That its at the os level.

                              To me - the os level would mean that all dns queries would be using doh. For all you know this is some "app" or service on the OS using doh to check for xyz..

                              I am using 20h2, and agree it wasn't clean.. It was from a 2004 clean install. My system would not update to 2004.. Stupid info about your system is not ready - yet no info on exactly what was keeping it from updating.

                              So I ended up doing a clean install to 2004, but then it updated to 20h2..

                              My 20h2 system is doing normal dns to msftncsi
                              dns.png

                              I see no queries to ss2.us at all..

                              So while you have found something doing doh, I would be hesitant to say the OS dns client is doing it.. It clearly is not doing it for all queries..

                              My take on the ss2.us - its something to do with certs.. And is tied to https://www.starfieldtech.com/

                              • DaddyGo
                                DaddyGo @johnpoz last edited by DaddyGo

                                @johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

                                Not saying you haven't found something odd. But I don't agree with your wording. That its at the os level.

                                Yes sir, but :-)

                                I agree with you in a super way...
                                please try this "image" even on a VM... or other way
                                if you think, I'll upload it for you somewhere...

                                I feel myself completely stupid about that...

                                • DaddyGo
                                  DaddyGo @johnpoz last edited by DaddyGo

                                  @johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

                                  My 20h2 system is doing normal dns to msftncsi

                                  --- o.ss2.us
                                  I'll show you again,
                                  this domain is blocked by us..., o.ss2.us via DNSBL feed

                                  Win1909:

                                  a544381f-e6c3-41c4-ad45-ca2916e30162-image.png

                                  test PC on clean 20H2:

                                  b66dabdc-9b98-4728-9329-a9cd8ca2a641-image.png

                                  network setup:

                                  6b09487c-fe40-45fb-a813-4cf2ce3ec3f4-image.png

                                  pfSense IP is: 192.168.85.1

                                  igen = yes
                                  DHCP kiszolgáló = DHCP server

                                  (sorry for the hungarian OS language)

                                  more over:

                                  e58aa2f1-fa26-4a74-b9d3-f87fc3f1fb32-image.png

                                  192.168.85.130 on Win1909

                                  no entry from 192.168.85.132 on win 20H2

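One way to check for the condition described in this post (the 20H2 client fetching connecttest.txt from 13.107.4.52 while the pfSense DNS log shows no query from 192.168.85.132), as an added example that is not from the thread, from pfSense or from pfBlockerNG: it reads constructed, simplified resolver and firewall log samples and flags outbound connections whose destination the local resolver never handed to that client, or that go straight to a known DoH resolver or an external port 53. The log formats, the sample addresses other than the ones quoted in the thread, and the DoH resolver list are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of the local resolver's reply log, one answer per line:
#   <time> <client ip> <query name> -> <answer ip>
# The format is invented for this example; pfBlockerNG DNSBL blocks are
# written here as a sinkhole answer of 0.0.0.0.
RESOLVER_LOG = """\
17:16:01 192.168.85.130 www.msftconnecttest.com -> 0.0.0.0
17:16:02 192.168.85.130 o.ss2.us -> 0.0.0.0
17:16:05 192.168.85.130 www.example.com -> 93.184.216.34
17:16:10 192.168.85.132 www.example.com -> 93.184.216.34
"""

# Constructed sample of outbound firewall connection records:
#   <time> <src ip> <dst ip> <dst port> <proto>
FIREWALL_LOG = """\
17:16:06 192.168.85.130 93.184.216.34 443 tcp
17:16:11 192.168.85.132 93.184.216.34 443 tcp
17:16:12 192.168.85.132 1.1.1.1 443 tcp
17:16:13 192.168.85.132 13.107.4.52 80 tcp
17:16:14 192.168.85.132 192.168.85.1 53 udp
17:16:15 192.168.85.130 8.8.8.8 53 udp
"""

# Constructed stand-in for a DoH resolver feed like the ones linked in the
# thread; a real deployment would load the feed file instead.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

RESOLVER_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")
FIREWALL_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")


def parse_resolver_log(text):
    """Map each client to the set of addresses the local resolver gave it."""
    answers = defaultdict(set)
    for line in text.splitlines():
        m = RESOLVER_RE.match(line.strip())
        if m:
            _, client, _, answer = m.groups()
            answers[client].add(answer)
    return answers


def find_bypass(resolver_log, firewall_log, doh_resolvers):
    """Return (client, dst, port, reason) for connections that sidestep the local resolver.

    A destination that was never answered by the local resolver means the
    client got the address elsewhere: DoH, a hard-coded address, or an answer
    cached from before the log window. The check shows the bypass, not which.
    """
    answers = parse_resolver_log(resolver_log)
    findings = []
    for line in firewall_log.splitlines():
        m = FIREWALL_RE.match(line.strip())
        if not m:
            continue
        _, src, dst, port, _proto = m.groups()
        port = int(port)
        if ipaddress.ip_address(dst).is_private:
            continue  # LAN traffic, including queries to the local resolver itself
        if port == 53:
            findings.append((src, dst, port, "plain DNS to external resolver"))
        elif port == 443 and dst in doh_resolvers:
            findings.append((src, dst, port, "TLS to known DoH resolver"))
        elif dst not in answers.get(src, set()):
            findings.append((src, dst, port, "destination never resolved via local DNS"))
    return findings


if __name__ == "__main__":
    for client, dst, port, reason in find_bypass(RESOLVER_LOG, FIREWALL_LOG, DOH_RESOLVERS):
        print(f"{client} -> {dst}:{port}  {reason}")
```

On the constructed sample this flags the 13.107.4.52 fetch and the 1.1.1.1 TLS session from 192.168.85.132 but nothing for the client that went through the local resolver; on real logs, compare over a window longer than the answers' TTLs so cached lookups do not show up as bypasses.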
                                  • johnpoz
                                    johnpoz LAYER 8 Global Moderator last edited by

                                    You would prob get better help on some MS forum.. While this I guess could be related to pfblocker.. If said device doesn't ask pfblocker for dns, that is not pfsense or pfblocker that keeps the client from doing that.

                                    Why said client doesn't use your assigned dns, would be up to the client.. No matter what you hand it via dhcp.

                                    I wouldn't block that msft site for sure.. That is a well known domain in how windows check if it has internet, etc. Blocking it could for sure kick in other methods of the OS trying to see if it has any sort of internet connectivity..

                                    • DaddyGo
                                      DaddyGo @johnpoz last edited by DaddyGo

                                      @johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

                                      You would prob get better help on some MS forum..

                                      you're just kidding me now, aren't you? 😉

                                      @johnpoz "I wouldn't block that msft site for sure.."

                                      it's just a matter of taste ☹
                                      so as I wrote above we run an external connecttest server, this is not an MS denial...

                                      it was just enough of the voyeur or something...
                                      not really a pfSense or pfBlockerNG theme (issue), yet ... you are right (let's say it's a simple statement)

                                      but it will be....?!

                                      I knew that, you will be the first to respond to my post, knowing your DoH hate...
                                      (we are rowing in the same boat)

                                      do not think that, the future will not come
                                      you cannot delay it, by denying it...

                                      +++edit:

                                      I would willingly to give you this "image 20H2 VLSC" if you think, try it on a VM, you don't have to activate it for a few days and you'll see what the future holds I say kindly 😉

                                      • DaddyGo
                                        DaddyGo @DaddyGo last edited by DaddyGo

                                        @DaddyGo

                                        it would be a much more expedient test, if the leaderboard poster also tried what I am talking about... or anyone else who is willing...

                                        @johnpoz don't get me wrong I seriously respect you 👍 ✋

                                        one more time...

                                        I did not share this to seek for advice, just I reported a fact...
                                        (it will affect, everyone in the community)

                                        so the defensive behavior is unnecessary in this case...
                                        this is not a pfSense theme yet, but it will be...

                                        (maybe the Wireshark isn't lying??!!)
                                        so I’m not going to comment on that anymore, because the stiff rejection isn’t good...

                                        who is brave ask me for a "image 201H2" in PM

                                        • I
                                          Impatient last edited by

                                          It really wouldn't surprise me if you aren't seeing the start of microsoft following what the others have already done.

                                          It seems like every time I update edge on a machine at the shop I have to go through the settings and disable a bunch of crap and they advertise that edge is secure what a joke.

                                          • johnpoz
                                            johnpoz LAYER 8 Global Moderator last edited by

                                            @DaddyGo said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

                                            this is not a pfSense theme yet, but it will be...

                                            Not trying to be defensive, but no this will never be a pfsense anything.. What some OS does, be it linux, be it windows, be it beos or bsd, mac osx, etc. etc..

                                            The only way this would have anything to do with pfsense would be if freebsd decided to only allow for doh, etc.. ;)

                                            • DaddyGo
                                              DaddyGo @johnpoz last edited by

                                              @johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

                                              Not trying to be defensive, but no this will never be a pfsense anything..

                                              You are absolutely right in this, but we defend against this in the background... or not(?!)

                                              F.E.:
                                              pfBlockerNG DoH server list feeds or

                                              4dffda86-792f-4d68-8c80-c623fee5db77-image.png

                                              I came back, because I was worried about what I found...

                                              FYI, John

                                              The MS support team confirmed that the DoH is supported at OS level, in the "image" which I downloaded from our VLSC account.

                                              Next year, everyone will get this great improvement in the 21H2 image and will not be able to be disabled from the registry.

                                              https://techcommunity.microsoft.com/t5/networking-blog/windows-insiders-can-now-test-dns-over-https/ba-p/1381282

                                              So no one can escape😞 ..., -towards Linux only 😉

                                              sorry for the bad news

                                              • johnpoz
                                                johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                                Where does it state that is will on by default.. That you can do it is one thing, that you can't turn it off is another.

In that article you list, nowhere does it list that you are forced to use doh.. Just that the OS supports it..

That article states it will use doh if you have one of the following already set as your dns..

"Now that the DoH client is active, Windows will start using DoH if you already have one of these servers configured:"

And shows you how to set up and point to your own doh.. And sure it states once this is no longer insider you will not have to do the registry.. But I see nowhere that says or states that it's going to use doh whether you like it or not..

I am just not seeing that.. Enabling doh to be used, and to use it if you're pointing at some doh enabled IP, is completely different than enabling it and using it without giving you the option not to..

From everything I have read it's not forced upon you.. If I point to 192.168.1.1 as my dns - that will be what is used.

What is a concern is what if you are using one of their doh IPs that they list - and you don't want to use doh? Because sure doh is more secure - it's also freaking SLOWER!!! Guess the take is if you're worried about dns speed or being able to see what is being queried from your local clients - you would use a local dns.

While they currently only list quad9, cloudflare and google for doh servers, who wants to bet that MS has their own doh up and running before this goes live? ;)

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01
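The upgrade rule johnpoz quotes (Windows switches to DoH only when a configured DNS server is one of its known DoH endpoints) can be checked mechanically against a client's DNS settings. The following Python is an added example, not code from this thread or from Microsoft: it assumes the built-in Cloudflare, Google and Quad9 address list that Windows ships and that `netsh dns show encryption` displays, and the function names (`classify_resolver`, `audit_dns_config`) are chosen here.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Windows' built-in "known DoH server" list (Cloudflare, Google, Quad9), keyed by resolver IP
# and mapped to the DoH template Windows would upgrade to. Assumed from Microsoft's documented
# list at the time of this thread; verify the live table on a given build with
# `netsh dns show encryption`.
KNOWN_DOH_SERVERS: Dict[str, str] = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "1.0.0.1": "https://cloudflare-dns.com/dns-query",
    "2606:4700:4700::1111": "https://cloudflare-dns.com/dns-query",
    "2606:4700:4700::1001": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
    "8.8.4.4": "https://dns.google/dns-query",
    "2001:4860:4860::8888": "https://dns.google/dns-query",
    "2001:4860:4860::8844": "https://dns.google/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",
    "149.112.112.112": "https://dns.quad9.net/dns-query",
    "2620:fe::fe": "https://dns.quad9.net/dns-query",
    "2620:fe::9": "https://dns.quad9.net/dns-query",
}


def classify_resolver(server: str) -> Tuple[str, Optional[str]]:
    """Classify one configured DNS server address.

    Returns (mode, doh_template):
      "doh-upgrade"      - a known DoH endpoint: Windows would switch to the template URL
      "local-plain-dns"  - RFC1918/loopback/link-local, e.g. a pfSense/Unbound resolver
      "public-plain-dns" - a public address not in the known list: classic UDP/TCP 53
      "invalid"          - not an IP address at all
    """
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return ("invalid", None)
    # str(ip) canonicalises IPv6 spelling, so "2606:4700:4700:0:0:0:0:1111" still matches.
    template = KNOWN_DOH_SERVERS.get(str(ip))
    if template:
        return ("doh-upgrade", template)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return ("local-plain-dns", None)
    return ("public-plain-dns", None)


def audit_dns_config(servers: List[str]) -> dict:
    """Summarise a client's configured resolvers under the auto-upgrade rule."""
    per_server = {s: classify_resolver(s) for s in servers}
    modes = {mode for mode, _ in per_server.values()}
    return {
        "servers": per_server,
        # True if any configured server would be auto-upgraded to DoH.
        "doh_possible": "doh-upgrade" in modes,
        # True only when every configured server is a local (non-DoH-capable) resolver.
        "local_resolver_only": bool(servers) and modes <= {"local-plain-dns"},
    }


if __name__ == "__main__":
    # The two configurations discussed in the thread: a LAN resolver vs. a listed public DoH IP.
    for cfg in (["192.168.1.1"], ["1.1.1.1", "2606:4700:4700:0:0:0:0:1111"]):
        print(cfg, audit_dns_config(cfg))
```

A host pointed only at `192.168.1.1` reports `local_resolver_only=True` and `doh_possible=False`, which is the behaviour johnpoz describes; the same host pointed at `1.1.1.1` reports the Cloudflare template, i.e. the case he flags as a concern for anyone who uses a listed provider but does not want DoH.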
• Tzvia @DaddyGo

@DaddyGo All these DNS providers, dangling this 'carrot'. Eat this one, it's more secure than that one... Free. My mom taught me that when someone says free, run away. It seems that no one is taught that anymore these days... But I digress. I agree with johnpoz, MS will have something, just wait. Genuine MS DNS servers doing DoH. Collecting market data they can cash in on. Nobody does something expensive for free. But as long as the OS abides by what I set for DNS servers, I'm good. And it looks like it will.

It looks like you are using Firefox. I would be more concerned with that, because it can use its own DNS and DoH and ignore what you have set in the OS. This is more worrisome than Windows DoH IMO. How dare they ignore what I have set on my computer. You can imagine parents who have set one of those DNS server services that block adult stuff, only to discover that the child's browser is not using it.

Tzvia

Current build:
Qotom-Q555G6 Core i5 7200
8 gigs ram
64gig MSATA
PFSense 2.60-RELEASE
Snort
PFBlockerNG-Devel
• johnpoz LAYER 8 Global Moderator

@Tzvia said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

You can imagine parents who have set one of those DNS server services that block adult stuff, only to discover that the child's browser is not using it.

That is a great example of how this doh shit can shoot you in the foot for sure..

The browsers and other apps doing this is WAY worse than the OS supporting it.. So if the OS supports it - you think the browsers will adhere to using what your OS is using vs their own circumvention of the users' wishes of using what dns they want?

And that is opt out vs opt in total utter BS!!! I don't care how freaking stupid they think the users are - we are doing this for their own good my f'ing ASS!!!!!

It's not spying on where you're going - if you ask me for dns ;)

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01
• DaddyGo @johnpoz

@johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

Where does it state that it will be on by default..

Since we have been an MS partner and insider for almost 15 years, I called our contact person at the support group; this is where I got this information, period.
Since I also asked if it could be turned off in the registry, I got this link, where it is strongly highlighted that it will not be possible to do so!

I'm just giving you data and I'm not arguing, so that's it for me.
It's all about projecting the future forward, so as not to be surprised; John, let's talk about this again in half a year or maybe one...

The image (20H2 clean) can still be tried; I would only post anything after that...

+++edit:
I'll leave this machine hanging on Wireshark and post some pcap files in a while to analyze and see...
right now this is most of what I do

Cats bury it so they can't see it!
(You know what I mean if you have a cat)
• DaddyGo @Tzvia

@Tzvia said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

dangling this 'carrot'. Eat this one, it's more secure than that one... Free.

Thanks for this mindful post; do you have your own opinion and experience?
I'm happy to give you the "image", you give it a try and talk about it...
Carrots what? cool 😁

Cats bury it so they can't see it!
(You know what I mean if you have a cat)
• provels

Sounds to me that though it's supported, it's not enforced. What would happen to those of us using the resolver and talking to the roots?

Peder

pfSense+ 22.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 4 GB RAM (Fixed), 8GB VHDX (Dynamic)
Packages : Cron, Mailreport, Notes, Nut, OpenVPN, pfBlockerNG-devel, RRD_Summary, Service Watchdog, System_Patches
• DaddyGo @provels

@provels said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

Sounds to me that though it's supported, it's not enforced. What would happen to those of us using the resolver and talking to the roots?

This is exactly my concern, but since I have the information from an official source, I have no doubt.
We manage nearly 800 Windows operating system licenses and even more Office suite licenses.

There's direct contact at MS and it's unbelievable, but that's what they said on the phone.

The "mortals" 😉 will only get this "image" next year, via the system update, which will be mandatory (21H2).

This raises serious concerns.

In the meantime anything can happen, but I thought I would share this with you...

I don't know anything about the server side and AD background yet, but they will definitely have a great idea for that too.

But anyway, all my evidence for the operation of DoH is above; now I dive deeper and share it here.

I don't usually open a topic here in the forum, but I thought it was important; DoH is an annoying matter and I am confused by it...

The fact that everyone is just talking about it, but no one dares to try this bastard "image", ergo we deny...

BTW:
what interest would I have in spreading horror news? This is a concrete experience, and curiosity of course 😉

Cats bury it so they can't see it!
(You know what I mean if you have a cat)
• johnpoz LAYER 8 Global Moderator

@provels said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

What would happen to those of us using the resolver and talking to the roots?

You have your windows machine resolving? You still point to something that is not a doh server even if you were.. You would point to loopback if you were running some resolving software on your windows machine.

I am for sure against this whole central dns nonsense - send us your dns queries, your isp is spying on you..

As for not being able to disable it.. Again, to use doh it has to know the fqdn that is on the cert.. If I don't point to one of the doh servers and I point to something else - how could it be using doh? If it looks up shit via doh while I specifically point to 192.168.1.1 - then yes that is the beginning of the end.. And I move to linux..

It's like IPv6, you can not really disable it.. You can just not use it.. Even turning it "off" still leaves it enabled... That is how I think this doh support is going to work.

Guess we will see when 21H2 comes out - which isn't all that far from now..

BTW - give me a link to download it from, I will fire it up as a VM.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01
• provels

So the fear is that MS/whoever and browsers will hardcode DoH servers and they'll bypass unbound by using 443? Other than being a bit slower, what would be the harm? Most any website uses an encrypted connection anyway. ISPs can't read encrypted traffic anyway. Or am I not paranoid enough? :)

Peder

pfSense+ 22.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 4 GB RAM (Fixed), 8GB VHDX (Dynamic)
Packages : Cron, Mailreport, Notes, Nut, OpenVPN, pfBlockerNG-devel, RRD_Summary, Service Watchdog, System_Patches
• johnpoz LAYER 8 Global Moderator

@provels said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

and they'll bypass unbound

That is the concern yes.. I can filter, I can split dns when you point to my own dns. If you bypass I have to trust what that is - I can not resolve..

How do I even resolve my own local resources if you're pointing to something on the public.. So I can not even resolve host.localdomain.tld if you're going to ask some doh server on the public internet - even if I point to local dns.

The encryption or being slower is not all that big of a concern - but them deciding that they should bypass what I as the system owner and network operator set for my clients to use is the big issue here.

If you encrypt what is being asked - I can not even tell what is being asked... Even from my own machine.

If they want to enable the possibility of using doh, that is fine - the concern is doing it without my explicit consent to do so... Maybe I don't want app xyz to be able to resolve something.. Yet again taking control away from the operator if you bypass what I say to use for dns, or use something else for any sort of lookups..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01
• SteveITS @provels

The MS article posted (from last spring) said it would only apply if certain DNS servers were configured. Doesn't sound like that's the case per the OP.

Downsides: 1) bypass any restrictions (malware detection, adult sites, betting, sports, whatever employees shouldn't do on company time), 2) hopefully won't bypass company network DNS (Windows domain, split DNS), 3) entities providing it get data from what web sites are visited (like Google DNS), and 4) no local DNS caching.

Steve

Only install packages for your version, or risk breaking it. If yours is older, select it in System/Update/Update Settings.
When upgrading, let it finish. Allow 10 minutes or more depending on packages and device speed.
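Downside 1 in Steve's list (clients bypassing the restrictions enforced by the local resolver) is something the firewall can surface from its own logs: a LAN host that sends port 53 traffic anywhere but the pfSense resolver, opens 853 (DNS over TLS), or opens 443 to a known DoH resolver address is not using the DNS the operator set. The Python below is an added example, not code from this thread or from pfSense/pfBlockerNG; it assumes `192.168.1.1` is the LAN resolver (johnpoz's example address), uses the IPv4 addresses of the three providers in Microsoft's list, and reads a constructed, simplified log format (`<timestamp> <src> <dst> <tcp|udp> <dport> <action>`) rather than the real pfSense filterlog CSV.

```python
import re
from collections import defaultdict
from typing import Dict, Optional

# Assumptions for this example: the LAN resolver clients are supposed to use (as in johnpoz's
# 192.168.1.1 example) and the IPv4 anycast addresses of the three DoH providers in MS's list.
LOCAL_RESOLVERS = {"192.168.1.1"}
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}

# Constructed, simplified firewall log format (NOT pfSense's real filterlog CSV):
#   <timestamp> <src_ip> <dst_ip> <tcp|udp> <dst_port> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>tcp|udp) (?P<dport>\d+) (?P<action>\w+)$"
)

# Constructed sample lines: .20 asks the local resolver (fine) but also talks DoH to 1.1.1.1,
# .21 does plain DNS straight to 8.8.8.8, .22 does DoT on 853, .23 is ordinary HTTPS to an
# unrelated web server (documentation range) plus TCP 53 to the local resolver.
SAMPLE_LOG = """\
2020-11-19T17:05:08 192.168.1.20 192.168.1.1 udp 53 pass
2020-11-19T17:05:09 192.168.1.20 1.1.1.1 tcp 443 pass
2020-11-19T17:05:10 192.168.1.21 8.8.8.8 udp 53 pass
2020-11-19T17:05:11 192.168.1.22 9.9.9.9 tcp 853 pass
2020-11-19T17:05:12 192.168.1.23 203.0.113.10 tcp 443 pass
2020-11-19T17:05:13 192.168.1.23 192.168.1.1 tcp 53 pass
"""


def classify_flow(dst: str, proto: str, dport: int) -> Optional[str]:
    """Label one outbound flow, or return None when it is consistent with local DNS policy."""
    if dport == 53 and dst not in LOCAL_RESOLVERS:
        return "plain-dns-bypass"   # asking some other resolver directly on 53
    if proto == "tcp" and dport == 853:
        return "dot-suspected"      # 853 is reserved for DNS over TLS
    if proto == "tcp" and dport == 443 and dst in DOH_RESOLVER_IPS:
        # HTTPS to a resolver IP. These providers also serve web pages on the same address,
        # so corroborate (SNI/certificate, query volume) before treating it as DoH.
        return "doh-suspected"
    return None


def find_resolver_bypass(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count suspicious flows per source host. Returns {src_ip: {label: count}}."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # skip lines that are not in the constructed format
        label = classify_flow(m["dst"], m["proto"], int(m["dport"]))
        if label:
            hits[m["src"]][label] += 1
    return {src: dict(counts) for src, counts in hits.items()}


if __name__ == "__main__":
    for host, counts in sorted(find_resolver_bypass(SAMPLE_LOG).items()):
        print(host, counts)
```

On the sample, `.20` is flagged for suspected DoH, `.21` for plain DNS to an outside resolver and `.22` for DoT, while `.23` produces no finding. The matching mitigation on pfSense is the one the thread already circles around: only allow 53/853 out from the resolver itself, and let pfBlockerNG block resolution of the DoH provider hostnames so the auto-upgrade never finds a working endpoint.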
• provels @johnpoz

@johnpoz
It seems then that there would be plenty of web security gateway providers who would be against this, as well as all of the corporate world.

Peder

pfSense+ 22.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 4 GB RAM (Fixed), 8GB VHDX (Dynamic)
Packages : Cron, Mailreport, Notes, Nut, OpenVPN, pfBlockerNG-devel, RRD_Summary, Service Watchdog, System_Patches
• johnpoz LAYER 8 Global Moderator

Yeah I don't see how MS corp customers would be happy about this at all..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01
• provels

At any rate, I read Unbound 1.12.0 now supports DoH.
So if someone gets bored this weekend...

Peder

pfSense+ 22.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 4 GB RAM (Fixed), 8GB VHDX (Dynamic)
Packages : Cron, Mailreport, Notes, Nut, OpenVPN, pfBlockerNG-devel, RRD_Summary, Service Watchdog, System_Patches
• johnpoz LAYER 8 Global Moderator

What is the point of running doh locally - really?? Other than as a way to satisfy something that wants to use doh. So if I use a local doh, it won't use a public one. This seems more like a way to try and get people thinking that dns needs to be encrypted.

Neither DoH nor DoT actually does what they say it does anyway - it doesn't hide where you go from the bad old isps being able to spy.. It just changes how they have to go about it. They still see what IP you are going to, until everything and everywhere supports encrypted sni.. They can see where you're going in the https handshake..

In what scenario is a local network hostile to the point that it would make any sense to encrypt your local dns, and slow it down as well.

What are the extra resources in cpu cycles to have say 100 clients resolve stuff over normal dns, vs 100 clients all doing encryption and the extra cpu cycles the nameserver has to expend to support it.

I just really can not think of a use case for running a local doh server..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01
• Gertjan @provels

@provels said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

this weekend...

Because this weekend all the root-, tld-, domain- and name servers will support it also ?
Would be nice.
My domain name servers (bind) are ready to go.

Would be the end of forwarding. Great. Yet another ancient 'setup' that can be buried. DNS would become so complex that nobody touches the default (pfSense) settings any more. No more DNS questions : it just plain works out of the box (actually, DNS works out of the box RIGHT NOW but then the admin logged in and well ... check out this forum to see what happened).
Nicely resolving over 853. Everything hidden (TLS). Everything authenticated (DNSSEC).
What the heck : even certs can be checked using DNS (DNSSEC).

I get the bubbles ready.

Where are the two nuclear power plants for compensating the extra power consumption ?

No "help me" PM's please. Use the forum.
• DaddyGo @johnpoz

@johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

BTW - give me a link to download it from, I will fire it up as a VM.

I am already working on a longer observation test environment and will be monitoring this machine (20H2 fresh) continuously... but I also have to do my concrete job...

So our ISP is not spying on us :), it is an enterprise network with 3 x 10 Gig optical lines running and serving our radio stations centrally; we have an individual contract with the ISP, who is otherwise the national BIX.

Soon I will send the link in PM... THX
(pls note that this is a Hungarian "image" by default)

As I would like to note, this machine (20H2) works alongside another 57 Windows machines and it is only on this one that we experience this issue
(I did not install it in my room at home..:)

+++edit:
@johnpoz - Thanks for the positive attitude, maybe it turns out what the hell is going on...

Cats bury it so they can't see it!
(You know what I mean if you have a cat)
• johnpoz LAYER 8 Global Moderator

Can the interface be set to English - I'm going to have a difficult time if the interface is in Hungarian ;) hehehe

I can prob muddle through - not like the icons change, that sort of thing.. But searching for stuff that is not English might be a bit painful, like control panel etc..

When it comes to the nonsense that is doh, it's hard to have a positive attitude to be honest.. I don't care if they want to offer it.. But turning it on by default in browsers is HORRIBLE.. If they attempt to do the same thing in the OS.. It's just the end to be honest.. It is the wrong direction to be going.. Forcing the use of central dns is NOT the correct direction for privacy or security.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01
• DaddyGo @johnpoz

@johnpoz said in MS activated DoH at the operating system level, in this "great" 20H2 release...?!:

Can the interface be set to english - I'm going to have a difficult time if the interface is in Hungarian ;) hehehe

I think yes :), although I haven't tried...
the installer offers the language selection option at the beginning

Since I want to be faithful to the environment, I didn't download the English image.

But if you can't choose a language, let me know and I'll give you an English version.

I hope it also produces these stupid things in the same way...

And this stupid DoH stuff wasn't intended just for the Hungarians; the stupid situation in the country is enough for us... hahaha
(I don't live there but I care what's going on)

@johnpoz "If they attempt to do the same thing in the OS.. "
it really is not possible to take a positive approach to this... yes
this would take control out of the hands of the sysadmins and a lot of other shit

Cats bury it so they can't see it!
(You know what I mean if you have a cat)