Comment by jsiepkes
18 hours ago
Same goes for if you have an IoT device behind a corporate firewall and you are being forced to use an enterprise DNS server running on some Cisco or Juniper device which doesn't respect TTLs, filters TXT records, etc.
A decent corporate policy will block or decrypt DoH, same as it blocks direct outbound DNS.
The hope is we eventually get enough things like DoH and ECH that it stops being feasible for corporate policies to block things.
Ah, are you a data exfiltrator or a ransomware operator? I jest.
I think the network as a chokepoint will slowly go away due to improvements in cryptography, and we'll need the endpoint to do all the inspection and enforcement.