zlacker

[return to "The FBI now recommends using an ad blocker when searching the web"]
1. Tactic+ra 2023-02-23 21:39:25
>>taubek+(OP)
Here are a few things I do to combat nasty websites:

- blacklist entire domains using wildcards (using an "unbound" DNS resolver and forcing all traffic to my DNS resolver, preventing my browser from using DoH -- I can still then use DoH if I want, from unbound)

- reject or drop a huge number of known bad actors, regularly updated: they go into gigantic "ip sets" firewall rules

- (I came up with this one): use a little firewall rule that prevents any IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.

I do not care about what this breaks. The Web still works totally fine for me, including Google's G Suite (yeah, I know).

EDIT: just to be clear, seeing the comments I realize I wasn't very precise... I'm not saying all IDN domains are bad! What I'm saying is that in my day-to-day Web surfing, 99.99% of the websites I'm using do not use IDN and so, in my case, blocking IDN, up until today, is totally fine as it not only doesn't prevent me from surfing the Web (I haven't seen a single site I need breaking) but it also protects me from IDN homograph attacks. Your mileage may vary, and if you live in a country where it's normal to go on websites with internationalized domain names, then obviously you cannot simply drop all UDP packets attempting to resolve IDNs.
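The "xn--" rule above matches the raw UDP payload. The following is an added example (not the commenter's rule, and not code from any project mentioned here) that does the same check by parsing the DNS question's QNAME instead: it flags only labels that begin with the punycode prefix, decodes them so a log reviewer can see what the name looks like in Unicode, and ignores a bare "xn--" substring that happens to sit elsewhere in the packet. The sample queries are constructed inline; "xn--pple-43d.com" is the A-label form of "apple.com" with a Cyrillic "а" as the first letter. Like the firewall rule, it only sees plaintext UDP/53 queries, not DoH or DoT.

```python
import struct

# Constructed sample inputs are built with build_query() below so the
# example runs offline; nothing here is captured from a real network.


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query in wire format (standard query, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        question += bytes([len(raw)]) + raw  # length-prefixed label
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def parse_qname(packet: bytes) -> list[str]:
    """Return the labels of the first question's QNAME; raise ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid in the QNAME of a query.
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return labels


def idn_labels(packet: bytes) -> list[tuple[str, str]]:
    """Return (a_label, unicode_form) for every label of the QNAME that is an
    IDNA A-label (case-insensitive "xn--" prefix). Checking the label prefix
    avoids false positives from "xn--" appearing mid-label or elsewhere in the
    payload, which a raw substring match on the UDP packet would hit."""
    found = []
    for label in parse_qname(packet):
        if label.lower().startswith("xn--"):
            try:
                decoded = label.encode("ascii").decode("idna")
            except UnicodeError:
                decoded = "<undecodable>"
            found.append((label, decoded))
    return found


def should_drop(packet: bytes) -> bool:
    """The commenter's policy: drop any query whose name contains an IDN label.
    Unparseable packets are left to other rules rather than dropped here."""
    try:
        return bool(idn_labels(packet))
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("example.com", "xn--pple-43d.com", "axn--b.com"):
        pkt = build_query(name)
        print(name, "->", "DROP" if should_drop(pkt) else "PASS", idn_labels(pkt))
```

The decoded form is what makes the log line useful: a reviewer sees "аpple" next to the A-label and can tell at a glance whether the lookup was a legitimate internationalized name or a lookalike of a site the user meant to visit.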

2. giobox+yk 2023-02-23 22:25:23
>>Tactic+ra
While these are all good practices, killing DoH conclusively on your home network is more difficult than you've made it seem, as ultimately all you can really do is use domain blacklists at your firewall. It's no longer as straightforward as just controlling port 53 traffic; it's not like you can realistically shut down 443... Blocking DoH is largely whack-a-mole and I think is only going to get worse as this and similar techniques spread. There are so many sneaky ways to resolve a hostname an app or device can choose to use now.

You can force traditional port 53 DNS protocol traffic to your own resolver with firewall rules; the same doesn't work for DoH. A DoH request to a domain your firewall blacklist doesn't have looks just like ordinary https/443 traffic and will pass unhindered.

3. JohnFe+UE 2023-02-24 00:11:40
>>giobox+yk
> killing DoH conclusively on your home network is more difficult than you've made it seem

True.

I had to install a system to MITM all my https traffic in order to block DoH requests.

4. dngray+Bh1 2023-02-24 05:27:20
>>JohnFe+UE
> killing DoH conclusively on your home network is more difficult than you've made it seem

It's actually not too difficult if your users use Firefox. You can use enterprise policies https://support.mozilla.org/en-US/products/firefox-enterpris...

   /* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+]
    * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off
    * see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3]
    * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
    * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy
    * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
    * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
      // user_pref("network.trr.mode", 5);

It can be more of an issue if you have a lot of "smart" products or IoT products that essentially operate as black boxes on your network though. Would just recommend not doing that; if you have devices on your network that you don't control, someone else does.
5. JohnFe+Cv2 2023-02-24 16:03:36
>>dngray+Bh1
That only affects things that use the browser's facilities to engage in DoH. A web page could decide not to do that, and manufacture their own lookups using JS, for instance.