
Comment by jsiepkes

1 day ago

Same goes for if you have an IoT device behind a corporate firewall and you are being forced to use an enterprise DNS server running on some Cisco or Juniper device which doesn't respect TTLs, filters TXT records, etc.

A decent corporate policy will block or decrypt DoH, same as it blocks direct outbound DNS.

  • > A decent corporate policy will block or decrypt DoH, same as it blocks direct outbound DNS.

    DoH is simply HTTPS traffic as far as a firewall is concerned so how are you going to block or decrypt it?

    If you take it a step further and you are running a DoH server on the same place where the API endpoints (REST, gRPC or whatever) for your IoT device are running, no one is going to see anything but HTTPS traffic.

    • HTTPS decryption in corporate environments is standard. Have a corporate root CA, install certs on endpoints, and man-in-the-middle the network traffic.

  • The hope is we eventually get enough things like DoH and ECH that it stops being feasible for corporate policies to block things.

    • Ah, are you a data exfiltrator or a ransomware operator? I jest.

      I think the network as a chokepoint will slowly go away due to improvements in cryptography, and we'll need the endpoint to do all the inspection and enforcement.

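The thread turns on one point: before TLS interception a firewall sees only "HTTPS to some host", and after it a proxy sees the HTTP request itself, which is where DoH becomes distinguishable (the `application/dns-message` media type and the RFC 8484 `dns=` parameter). The example below is added here and is not code from any commenter; it is a small Python script that takes a few constructed lines in a made-up proxy log format (method, request target, then `header=value` tokens; hostnames are placeholders) and classifies each as DoH or ordinary HTTPS, decoding the DNS question from GET-style DoH requests. The last sample line plays out the co-location case raised above: DoH served from the same host as the device's REST API, where the hostname alone tells a defender nothing.

```python
"""Classify decrypted-proxy log lines as DoH or ordinary HTTPS and recover
the DNS question from RFC 8484 GET requests.  Added example; log format,
hostnames and sample lines are constructed for illustration."""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 section 6


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS wire-format query (RFC 1035): header + one question.
    ID is 0 and only RD is set, matching the cache-friendly form RFC 8484 suggests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def encode_doh_get_param(msg: bytes) -> str:
    """base64url without padding, as required for the dns= query parameter."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_doh_get_param(value: str) -> bytes:
    """Reverse of encode_doh_get_param; restores the stripped padding first."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def parse_question(msg: bytes) -> tuple:
    """Return (qname, qtype) from the first question of a DNS message.
    Raises ValueError on truncated or malformed input."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: nothing precedes the first question to point at
            raise ValueError("unexpected compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question type/class")
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels), qtype


def classify_request(line: str) -> dict:
    """Classify one constructed proxy log line.  DoH is recognised by the
    media type in Accept (GET) or Content-Type (POST), not by host or path."""
    method, target, *rest = line.split()
    headers = dict(tok.split("=", 1) for tok in rest)
    is_doh = DOH_MEDIA_TYPE in (headers.get("accept"), headers.get("content-type"))
    result = {"host": headers.get("host"), "doh": is_doh, "qname": None, "qtype": None}
    if is_doh and method == "GET":
        params = parse_qs(urlsplit(target).query)
        if "dns" in params:
            try:
                result["qname"], result["qtype"] = parse_question(
                    decode_doh_get_param(params["dns"][0]))
            except ValueError:
                pass  # malformed dns= parameter: still DoH, question unknown
    return result


# Constructed sample log: what a decrypting forward proxy could record after
# TLS interception.  Line 4 is DoH co-located with an API host.
SAMPLE_PROXY_LOG = [
    f"GET /dns-query?dns={encode_doh_get_param(build_dns_query('www.example.com'))} "
    f"host=resolver.example accept={DOH_MEDIA_TYPE}",
    f"POST /dns-query host=resolver.example content-type={DOH_MEDIA_TYPE}",
    "GET /api/v1/telemetry host=iot-api.example accept=application/json",
    f"GET /dns-query?dns={encode_doh_get_param(build_dns_query('updates.iot-vendor.example', 28))} "
    f"host=iot-api.example accept={DOH_MEDIA_TYPE}",
]


def summarize(log: list) -> list:
    """Classify every line; the returned list is what a policy engine would act on."""
    return [classify_request(line) for line in log]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_PROXY_LOG):
        print(entry)
```

Without interception the only observable for all four lines would be a TLS session to `resolver.example` or `iot-api.example`; only the decrypted request exposes the media type and the queried name, which is the point the HTTPS-decryption comment makes.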