Doh and chat gpt
-
The next world war should be a hoot!
-
https://redmine.pfsense.org/issues/14558
I mean there has to be a way to make doh work and clients use pfSense to resolve doh
Make sure to upvote
-
https://forum.netgate.com/topic/195948/mime-type-for-doh
It can be parsed in traffic
-
@JonathanLee said in Doh and chat gpt:
I mean there has to be a way to make doh work and clients use pfSense to resolve doh
Unbound ... using Using DoH implies that the pfSense GUI, also listening on port 443, TCP, has to 'go elsewhere'. Hummm ...
This nghttp2 library, and all it's dependencies (!) has to be included / compiled in.Just so I understand this feature request : local DoH would be nice if you can't trust your local LANs, right ? This would be your own cables and Wifi links ... That's why ?
How does the LANs client side work ? This won't be 'plug and play'. There is, imho, no such thing as 'tell the DHCP server to tell de DHCP client that there is a DoH DHCP option' which means that every DoH has to be setup 'manually = manual DNS DoH setup for every device.
@JonathanLee said in Doh and chat gpt:
https://forum.netgate.com/topic/195948/mime-type-for-doh
Wait ...
You want DoH ?
Or you don't want (block), DoH ?No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@Gertjan it’s a test I can block and spot the DoH with Squid fully if you block all so many windows 11 items stop working. It’s a fun test to play with from a cyber security perspective.
-
@Gertjan does any rfc like
RFC8484 exist info on how to do that -
RFC8484 = DoH.
How to do what ?No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@Gertjan no…. If one exists for using using your own doh server… like regular dns resolvers where you can tell a device stop using unlimited unknown doh services only use this one… there has to be something
-
@Gertjan “In January 2021, NSA warned enterprises against using external DoH resolvers because they prevent DNS query filtering, inspection, and audit. Instead, NSA recommends configuring enterprise-owned DoH resolvers and blocking all known external DoH resolvers.[48]”
…..Enterprise owned DoH resolvers ??? meaning there is one out there for how to do this.
Ref https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2471956/nsa-recommends-how-enterprises-can-securely-adopt-encrypted-dns/
It is safe to say that that if they recommend to do this there is a way and Unbound DNS resolver has ways to do it but how do you make sure your clients are configured to only use that one DoH server? That is where some RFC# has got to come on because currently there is no settings on iMac or on Windows etc and or browsers to lock down to a single DoH if there is a RFC there might be a way
I mean look at this small list ...
jp.tiar.app dns.nextdns.io captnemo.in example.doh.blockerdns.com doh.securedns.eu dns.dns-over-https.com firefox.dns.nextdns.io mozilla.cloudflare-dns.com doh.dns.apple.com i.233py.com opencdn.jomodns.com dns.233py.com edns.233py.com ndns.233py.com sdns.233py.com wdns.233py.com dns-gcp.aaflalo.me dns-nyc.aaflalo.me dns.aaflalo.me doh.abmb.win dns.adguard.com dns-family.adguard.com dns-unfiltered.adguard.com dns.adguard-dns.com family.adguard-dns.com unfiltered.adguard-dns.com doh.nl.ahadns.net doh.in.ahadns.net doh.la.ahadns.net doh.ny.ahadns.net doh.pl.ahadns.net doh.it.ahadns.net doh.es.ahadns.net doh.no.ahadns.net doh.chi.ahadns.net dot.nl.ahadns.net dot.in.ahadns.net dot.la.ahadns.net dot.ny.ahadns.net dot.pl.ahadns.net dot.it.ahadns.net dot.es.ahadns.net dot.no.ahadns.net dot.chi.ahadns.net dnsnl.alekberg.net dnsse.alekberg.net dns.alidns.com doh.appliedprivacy.net doh.applied-privacy.net dot1.applied-privacy.net doh.armadillodns.net dohtrial.att.net doh1.blahdns.com doh2.blahdns.com doh.bortzmeyer.fr dns.brahma.world free.bravedns.com bravedns.com doh.captnemo.in canadianshield.cira.ca family.canadianshield.cira.ca private.canadianshield.cira.ca protected.canadianshield.cira.ca dns.cloudflare.com cloudflare-dns.com 1dot1dot1dot1.cloudflare-dns.com family.cloudflare-dns.com mozilla.cloudflare-dns.com security.cloudflare-dns.com cloudflare-gateway.com doh.cleanbrowsing.org security-filter-dns.cleanbrowsing.org adult-filter-dns.cleanbrowsing.org family-filter-dns.cleanbrowsing.org dns.cmrg.net commons.host dns.containerpi.com doh.crypto.sx jit.ddns.net dns.decloudus.com doh.defaultroutes.de dns.developer.li dns2.developer.li dns.digitale-gesellschaft.ch dns1.digitale-gesellschaft.ch dns2.digitale-gesellschaft.ch doh.disconnect.app ns1.recursive.dnsbycomodo.com ns2.recursive.dnsbycomodo.com dnsforge.de dns.google dns64.dns.google dns.dnshome.de dns1.dnscrypt.ca dns2.dnscrypt.ca doh.dns.sb public-dns-a.dns.sb public-dns-b.dns.sb doh.dnslify.com a.ns.dnslify.com b.ns.dnslify.com a.safe.ns.dnslify.com b.safe.ns.dnslify.com a.family.ns.dnslify.com b.family.ns.dnslify.com dns.dnsoverhttps.net doh.dnswarden.com doh.li doh.ffmuc.net dot.ffmuc.net rdns.faelix.net pdns.faelix.net dns.flatuslifir.is dns.google.com google-public-dns-a.google.com google-public-dns-b.google.com query.hdns.io ordns.he.net dns.hostux.net opennic.i2pd.xyz public.dns.iij.jp jcdns.fun us1.dns.lavate.ch eu1.dns.lavate.ch resolver-eu.lelux.fi doh.libredns.org dot.libredns.gr.com dot.libredns.gr doh.libredns.gr adblock.mydns.network dns.neutopia.org dns.aa.net.uk dns.nextdns.io dns1.nextdns.io dns2.nextdns.io odvr.nic.cz lv1.nixnet.xyz ny1.nixnet.xyz lux1.nixnet.xyz dns.njal.la doh.opendns.com doh.familyshield.opendns.com doh.sandbox.opendns.com resolver1.opendns.com resolver2.opendns.com resolver1-fs.opendns.com resolver2-fs.opendns.com dns.oszx.co a.passcloud.xyz i.passcloud.xyz doh.post-factum.tk doh.powerdns.org rpz-public-resolver1.rrdns.pch.net dns.pumplex.com dns.quad9.net dns9.quad9.net dns10.quad9.net dns11.quad9.net dns12.quad9.net dns13.quad9.net dns-nosec.quad9.net dns.rubyfish.cn ea-dns.rubyfish.cn uw-dns.rubyfish.cn rumpelsepp.org dns1.ryan-palmer.com doh.seby.io doh-2.seby.io dot.seby.io dnsovertls.sinodun.com dnsovertls1.sinodun.com dnsovertls2.sinodun.com dnsovertls3.sinodun.com fi.doh.dns.snopyta.org fi.dot.dns.snopyta.org dns.switch.ch ibksturm.synology.me dns.t53.de dns.therifleman.name doh.tiar.app dot.tiar.app doh.tiarap.org jp.tiar.app jp.tiarap.org dns.twnic.tw dns.wugui.zone dns-asia.wugui.zone adfree.usableprivacy.net doh.xfinity.com dns.sb 8888.google chromium.dns.nextdns.io doh.quickline.ch doh-02.spectrum.com doh-01.spectrum.com mask.icloud.com mask-h2.icloud.com dandelionsprout.asuscomm.com basic.rethinkdns.com max.rethinkdns.com anycast.dns.nextdns.io token.safebrowsing.apple mask.apple-dns.net ussjc1.mask.apple-dns.net global-wrr.mask.apple-dns.net north-america-mask.wrr.mask.apple-dns.net dns.mullvad.net adblock.dns.mullvad.net base.dns.mullvad.net extended.dns.mullvad.net family.dns.mullvad.net all.dns.mullvad.net doh.opendns.com doh.familyshield.opendns.comIt just gets bigger and bigger this is a big need on pfsense for unbound to have DoH abilities as protocol and procedures are developed in depth... can't drop the ball, the NSA is making recommendations for DoH I mean that is how serious it is. Obscurity and polymorphism within DoH are creating a market niche and the need to find a solutions to this. It is complex.
Ref: https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html
Unbound does have an ability to configure it but how do you lock down the system to force use of it …
-
@JonathanLee said in Doh and chat gpt:
Unbound does have an ability to configure it but how do you lock down the system to force use of it …
That would be a question for the OS people, not pfsense.. Pfsense has no method of forcing a OS to do anything.. You can block network stuff. If you want to look how to lock windows to using a specific doh server - then look to gpo, or ask ms.. Or apple if its a macOS, etc.
-
@johnpoz What I’m trying to get at is this: it feels like we aren’t given the tools we really need on the client side, but PFSense does give us the tools to block those same capabilities from being used. It ends up becoming a cat-and-mouse game rather than a clean, unified solution.
Ideally, there should just be a single, straightforward approach—“use this for DoH”—and since PFSense already supports DoH, we should simply let PFSense manage all outbound DoH instead of having to chase it down on every client.But we can’t and the NSA recommends we do. Yes a client problem but unbound can do doh
Make sure to upvote
-
@JonathanLee yeah unbound can do doh - I had a post awhile back that showed how to do it, you even chimed in on the thread.
that is not a problem - the problem is you can not force a and OS to use what you want.. There is zero reason to use dot or doh on your own secure local network..
Doh has been problem since day one.. That some app can use another dns then the one you tell the OS to use is going to be problematic..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1 -
@JonathanLee DoH does not work like you apparently think it does. The best you can really do to block it, which you should be doing, is DNSBL and IPBL known-DoH providers.
Your DNS forwarder or caching stub resolver (meaning dnsmasq or Unbound) should be configured to only query a trusted DoT provider (or providers) of your choosing.
-
@tinfoilmatt Yes exactly that is why I was wondering where the RFC was to perform the NSA recommendations, hence to use only an approved DoH outbound, it's not currently possible and we are given no options to do so. If there was an RFC to control the DoH outbound maybe we could do that. Again to have DoH working in unbound might give us an advantage as it would be under development for if and when they have and ability to do the "NSA" based recommendations.
-
@JonathanLee Let me try a different way: you do not want to be using, nor do you want any of your devices to be using DoH whatsoever.
-
@johnpoz I cant agree more with you, I guess my question is why would the NSA recommend we do that "use a single enterprise based DoH server when required" its not possible and if they recommend it where is the RFC to be able to do this? There is none that I know of anyway, also IDS I think does not have a category to alert on DoH use too, so it's like the NSA making a recommendation that has no possible solution currently outside of the wackamole solution.
-
@JonathanLee The NSA is recommending that, in a large enough enterprise where LAN segments are susceptible to sniffing from the inside, that DoH be implemented for local (meaning local to the enterprise LAN) network host DNS queries.
-
This assumes that the network operator/s or admin/s would continue to maintain full visibility over DNS traffic (in plaintext) on the LAN.
-
@tinfoilmatt But they are also making references to command and control over DoH externally, meaning outbound also right? I mean internally we could set it up with Unbound @johnpoz and I talked about this a couple years ago, requires some certificates, but outbound has no real catch all solution, outside of MIME blocking on get requests, again once you do this Microsoft goes crazy because they have some ones they want left alone.
-
@JonathanLee I believe they refer to the fact that malicious actors operating C2 servers are able to conceal LAN activity by designing their malware to query DoH servers under their control. To the LAN operator, this traffic would appear to simply be regular ol' HTTPS (and therefore encrypted) traffic.
