DoH blocking by way of rep_mime_type directive
Hello fellow Netgate Community Members,
I have researched and found you can block all DoH by way of rep_mime_type with the Squid Proxy package. I have tested this and it does block it; again, services like Microsoft Teams will have issues, so you must add a Teams bypass. No need for any list at all, as this way it looks at the RFC.
Anyway, these are the ACLs:
# Reply-side check: rep_mime_type is a regex matched against the reply Content-Type.
acl deny_rep_mime_doh rep_mime_type application/dns-message
acl deny_rep_mime_doh rep_mime_type text/dns
# '+' is a regex quantifier, so it is escaped here to match the literal media type.
acl deny_rep_mime_doh rep_mime_type application/dns\+json
http_reply_access deny deny_rep_mime_doh
# Request-side check: RFC 8484 paths and the GET form's dns= query parameter (-i = case-insensitive).
acl doh_rfc8484 urlpath_regex -i ^/dns-query
acl doh_rfc8484 urlpath_regex -i dns=
acl doh_rfc8484 urlpath_regex -i ^/resolve
acl doh_group any-of deny_rep_mime_doh doh_rfc8484
http_access deny doh_group
Also:
acl terminate_group any-of deny_rep_mime_doh doh_rfc8484
Afterwards you can add it to your custom peek/bump lists, depending on your system.
# step1, no_miss, splice_main and bump_main are ACLs defined elsewhere in your own config.
acl active_use annotate_client active=true
ssl_bump peek step1
# Terminate DoH connections identified by the ACLs above.
ssl_bump terminate terminate_group
miss_access deny no_miss active_use
ssl_bump splice splice_main active_use
ssl_bump bump bump_main active_use
acl activated note active_use true
ssl_bump terminate !activated
Ref:
https://www.iana.org/assignments/media-types/application/dns-message
https://www.iana.org/assignments/media-types/application/dns+json
https://wiki.squid-cache.org/ConfigExamples/BlockingMimeTypes
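An added example, not from the post above: a small Python emulation of the post's ACLs (Squid evaluates rep_mime_type and urlpath_regex as POSIX extended regexes) run over constructed sample transactions, to show which requests and replies the rules catch, why the literal application/dns+json pattern needs its '+' escaped, and that the unanchored dns= pattern also matches unrelated query strings. The sample paths and Content-Type values are constructed for illustration.

```python
import re

# Patterns from the post's ACLs. Squid compiles rep_mime_type and urlpath_regex as
# POSIX extended regexes, so '+' in application/dns+json must be escaped to be literal.
MIME_DENY = [r"application/dns-message", r"text/dns", r"application/dns\+json"]
URLPATH_DENY = [r"^/dns-query", r"dns=", r"^/resolve"]  # doh_rfc8484, used with -i


def mime_matches(content_type, patterns=MIME_DENY):
    """rep_mime_type: regex search against the reply's Content-Type value."""
    return any(re.search(p, content_type) for p in patterns)


def urlpath_matches(path, patterns=URLPATH_DENY):
    """urlpath_regex -i: case-insensitive search over the URL path and query."""
    return any(re.search(p, path, re.IGNORECASE) for p in patterns)


def classify(request_path, reply_content_type=None):
    """Emulate the post's rule order: http_access sees only the request (the
    rep_mime_type half of doh_group cannot match there); the reply is judged
    later by http_reply_access once Content-Type is known."""
    if urlpath_matches(request_path):
        return "deny-request"          # http_access deny doh_group
    if reply_content_type and mime_matches(reply_content_type):
        return "deny-reply"            # http_reply_access deny deny_rep_mime_doh
    return "allow"


def unescaped_plus_bug():
    """(match with the literal 'application/dns+json' pattern, match with '+' escaped)."""
    header = "application/dns+json"
    return (mime_matches(header, [r"application/dns+json"]),
            mime_matches(header, [r"application/dns\+json"]))


# Constructed sample transactions (path+query, reply Content-Type); not real traffic.
SAMPLES = [
    ("/dns-query?dns=AAABAAABAAAAAAAA", "application/dns-message"),  # RFC 8484 GET form
    ("/RESOLVE?name=example.com&type=A", "application/dns+json"),    # -i: case-insensitive
    ("/api/v1/lookup", "application/dns-message"),  # custom path, caught by reply type
    ("/search?odns=1", "text/html"),  # caveat: unanchored 'dns=' also matches this query
    ("/index.html", "text/html"),
]


def run_samples(samples=SAMPLES):
    """Return (path, verdict) for each sample transaction."""
    return [(path, classify(path, ctype)) for path, ctype in samples]
```

run_samples() yields deny-request for the first, second, fourth and fifth-from-last samples, deny-reply for the custom path and allow for index.html; unescaped_plus_bug() returns (False, True).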
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.