Comment by nickburns
5 months ago
I'm referring to devices and apps that are 'hard-coded' to query specific DoH servers/providers, therefore bypassing and regardless of any user-configured DNS server/s. And because DoH operates on outbound TCP/443, the lookups are indistinguishable from any other 'web' traffic.
Even some of the most popular desktop web browsers are configured to utilize DoH by default nowadays.
The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers and NAT all outbound 53 (and 853) traffic to a desired resolver (like a local Pi-hole instance, for example).
> The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers ...
A firewall (which must also host a resolver) can choose to block requests to IPs it hasn't resolved domain names for.
This is something I implemented for an Android firewall app I co-develop; it works nicely enough.
Is that true? Per what spec are you referring to?
ignoramous probably meant that in order to block access to all IP addresses that it has not recently resolved, the firewall must also host or communicate closely with a resolver. This is a tautology, not a spec.
1 reply →
what app?
https://github.com/celzero/rethink-app