Comment by ignoramous
5 months ago
> The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers ...
A firewall (which must also host a resolver) can choose to block requests to IPs it hasn't resolved domain names for.
This is something I implemented for an Android firewall app I co-develop; it works nicely enough.
Is that true? Per what spec are you referring to?
ignoramous probably meant that in order to block access to all IP addresses that it has not recently resolved, the firewall must also host or communicate closely with a resolver. This is a tautology, not a spec.
Ah, I definitely misread. Thanks!
what app?
https://github.com/celzero/rethink-app