zlacker

Here are a few things I do to combat nasty websites:

- blacklists entire domains using wildcards (using an "unbound" DNS resolver and forcing all traffic to my DNS resolver, preventing my browser to use DoH -- I can still then use DoH if I want, from unbound)

- reject or drop a huge number of known bad actors, regularly updated: they go into gigantic "ip sets" firewall rules

- (I came up with this one): use a little firewall rule that prevents any IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.

I do not care about what this breaks. The Web still works totally fine for me, including Google's G Suite (yeah, I know).

EDIT: just to be clear seen the comments for I realize I wasn't very precise... I'm not saying all IDN domains are bad! What I'm saying is that in my day to day Web surfing, 99.99% of the websites I'm using do not use IDN and so, in my case, blocking IDN, up until today, is totally fine as it not only doesn't prevent me from surfing the Web (I haven't seen a single site I need breaking) but it also protects me from IDN homograph attacks. Your mileage may vary and you live in a country where it's normal to go on website with internationalized domain names, then obviously you cannot simply drop all UDP packets attempting to resolve IDNs.

>>Tactic+(OP)
The last one is very anglo-centric (or at least centric to fully latinized languages). Do you not find the rules[0] in for example chrome working?

[0]: https://chromium.googlesource.com/chromium/src/+/main/docs/i...

>>Tactic+(OP)
Steven Black runs a hosts file on GitHub with regular updates. https://github.com/StevenBlack/hosts

There are a bunch of file variants to weed out specific bad actors.

It's well currated though I will disclaimer it has broken a few websites in the past for me. Maybe that's a good thing.

>>Tactic+(OP)
What’s an IDN and what does blocking them help with?

>>Tactic+(OP)
While these are all good practices, killing DoH conclusively on your home network is more difficult than you've made it seem, as ultimately all you can really do is use domain blacklists at your firewall. It's no longer as straight forward as just control port 53 traffic, not like you can realistically shut down 443... Blocking DoH is largely whack-a-mole and I think is only going to get worse as this and similar techniques spread. There are so many sneaky ways to resolve a hostname an app or device can choose to use now.

You can force traditional port 53 DNS protocol traffic to your own resolver with firewall rules, the same doesn't work for DoH. a DoH request to a domain your firewall blacklist doesn't have looks just like ordinary https/443 traffic and will pass unhindered.

>>cgb223+59
Mainly homoglyphs. Characters that LOOK like Latin characters but aren't. Scammers register domains to make it look like at a glance you're visiting a reputable site.

It's why many browsers started defaulting to showing "xn--<whatever>" (punycode representation of IDN characters).

It sucks for domains that are emoji but whatevs. Scammers ruining things for everyone, as usual.

>>cgb223+59
International domain name - blocking them prevents look alike URLs from working. But also, IMO, this is bad advice for anyone who uses not English as a language...

>>SahAss+46
I'm not even a native english speaker and my native language does have accentuated characters so there's that...

I don't like to have to set rules in browsers: I'll do it when mandatory but I prefer things that the browser won't change during it's next update and, also, I use several browsers.

>>giobox+7a
> While these are all good practices, killing DoH conclusively on your home network is more difficult than you've made it seem

Oh I know but so far you can still ask both Firefox and Chromium to not use DoH and hence force them to use port 53 and from what I've seen they really honor that. For the moment.

I don't doubt that in a not so distant future we may see companies hardcoding DoH into apps without any possibility of removing that setting!

What I do is no panacea but it gets rid of a lot of things.

> There are so many sneaky ways to resolve a hostname an app or device can choose to use now.

But I whitelist apps that can connect to the net. Browsers, apt (for Debian/Devuan package update), the one that update the NTP/time, SSH out and that's basically it.

I know it's a game of whack-a-mole, but I'm still playing it : )

>>giobox+7a
Blocking DoH is largely whack-a-mole

Maybe this is so but I have yet to see it. AFAIK all the DoT/DoH are on known dedicated IP addresses. I know they don't have to be. They could be on generic Akamai/CF/BunnyCDN/etc... end points but I have yet to come across one utilized in the wild. Have you found any? What are their IP addresses? I would like to add them to my DNS timing/monitoring scripts.

I null route about 24 DoT/DoH IP addresses and my one smartphone seemed to figure out automagically that my router was serving up DoT on 853. I can tell if something is bypassing Unbound because there are things I know should not resolve correctly.

>>eurtic+66
I use https://oisd.nl/ which has reasonably curated list on my router with unbound. Works pretty good.

>>giobox+7a
This is exactly why DoH is a trojan horse. You can't control it as a network administrator, all it takes is a piece of software to simply remove the controls for users to configure their own DoH and bam, end user has little to no control over how their applications perform name resolution.

Little pro-tip for anyone who tries to run their own private DoH infrastructure too, Firefox doesn't like RFC1918 addresses for the DoH resolver. Set `network.trr.allow-rfc1918=true` if you run DoH on a private IP.

>>giobox+7a
But:

1. couldn’t you “just” (yea yea I know) install a cert on all your devices and force all 443 traffic though a proxy (like some corporate networks do)?

2. (Something I’ve been meaning to get around to trying for a while) default-block outgoing connections unless unless the external host was recently resolved for the corresponding internal host via your internal resolver? That seems like it would kill anything that tries to avoid your ad-blocking resolver. It seems like that might block hard-coded addresses too, but that could be a good thing..

>>denkmo+Fm
> You can't control it as a network administrator

That’s the design intent. Because not all network administration is benign.

DoH is a tool like any other. Good or bad entirely on why and how it’s used. And your own perspective on that use case.

>>giobox+7a
> killing DoH conclusively on your home network is more difficult than you've made it seem

True.

I had to install a system to MITM all my https traffic in order to block DoH requests.

>>noizej+Cs
But when the network is mine, and I'm the administrator, anything that prevents me from seeing what's happening is a Bad Thing.

DoH opens me up to security problems that I wouldn't otherwise have, and the extent I have to go to in order to stop it is crazy.

> DoH is a tool like any other. Good or bad entirely on why and how it’s used.

Except that it's a tool I have little control over, and no control over how and why it's used. That's the problem.

DoH is a plague.

>>LinuxB+Lh
> I have yet to come across one utilized in the wild

How would you be able to tell?

>>buildb+1c
If there's any non-English-speaking culture that embraced IDNs, I'd love to hear it. E.g. in my experience as a Russian speaker, Cyrillic very rarely shows up in domain names for legitimate websites, and correlates strongly with malware.

>>Tactic+(OP)
what's the advantage of DoH?

I personally use Timescale magicDNS on all my devices, with pihole DNS running on a home server. The magicDNS can make my home server the 1st responder for DNS queries and it'll block a lot of ad domains.

>>labcom+xp
> force all 443 traffic though a proxy

That's insufficient. There's nothing stopping a web site (or ad on a website) from forming its own DoH request that bypasses the browser and the port. It can be done entirely within the HTTPS stream.

>>giobox+7a
DoH uses UDP, not TCP. Unless you're using HTTP3/QUIC, you can block port 443/UDP.

And hey, maybe one day advertisements will be served directly via IP addresses, not domains:)

>>labcom+xp
The biggest problem with 1) is that you lose the ability for your browser to perform checks on the certificate. If the certificate fails, the only option is to deny the connection. (Or fake it and return an error page but that can have unintended consequences.)

And with 2), that would work, though you'd probably want to whitelist port 53 so that you can resolve names in the first place. Sounds like it should be effective, though.

>>JohnFe+gv
I confine everything on my network and if anything is able to resolve any one of the sanctioned countries or if the domains I override resolve to their correct address I will see it. I can only think of one opaque device I have that could even try to do that but I know it doesn't because I have to unblock .cn to get vehicle updates for it. I should add that I do not let random IoT's onto my network and that vehicle diagnostic tool from China is only on my network about once per year for a few minutes. I should also add that I have fascist firewall rules for anything I do not trust and all new SYN packets are logged. DoT and DoH use TCP.

>>Tactic+(OP)
I venture onto the Asian and Russian parts of the Internet semi-regularly, and in all these years I have seen perhaps one or two sites with IDN that were actually useful to me.

>>denkmo+Fm
> You can't control it as a network administrator

You can't control it as a malicious censor who's trying to control what Web sites other people's computers can access just because they're on your Wi-Fi. You can absolutely control it on computers that are actually yours.

>>JohnFe+Tu
> But when the network is mine, and I'm the administrator, anything that prevents me from seeing what's happening is a Bad Thing.

That's not true when the just the network itself is yours. It's only true when all of the computers on it are too.

> DoH opens me up to security problems that I wouldn't otherwise have, and the extent I have to go to in order to stop it is crazy.

What? No it doesn't.

> Except that it's a tool I have little control over, and no control over how and why it's used. That's the problem.

You're not supposed to be able to have control over what tools other people use on their own computers.

>>mmsc+Lx
> DoH uses UDP, not TCP.

It uses TCP.

>>Tactic+(OP)
I don't do any of that stuff and don't think I am running into nasty websites. What is it supposed to do?

I do uBlock origin with pretty standard lists and have a list of allowed persistent cookies. Are the uBlock lists doing all that work in the background?

>>denkmo+Fm
> You can't control it as a network administrator

Yes you can. Do what corporate firewalls do. MITM all TLS connections with your own personal CA. Don't allow any traffic streams that you can't MITM to leave your network.

>>Sophir+Rx
Those checks are then performed on the MITM device. Instead of an error page the device could return the same sort of page that your browser would otherwise display for you. The connection has been MITM'd after all.

>>mmsc+Lx
> DoH uses UDP, not TCP. Unless you're using HTTP3/QUIC, you can block port 443/UDP.

There's actually two protocols DNS over QUIC https://datatracker.ietf.org/doc/rfc9250/ which has a specific port 853. This can be blocked.

Then there is DNS over HTTP3 https://security.googleblog.com/2022/07/dns-over-http3-in-an...

>>JohnFe+tu
> killing DoH conclusively on your home network is more difficult than you've made it seem

It's actually not too difficult if your users use Firefox. You can use enterprise policies https://support.mozilla.org/en-US/products/firefox-enterpris...

   /* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+]
    * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off
    * see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3]
    * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
    * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy
    * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
    * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
      // user_pref("network.trr.mode", 5);

It can be more of an issue if you have a lot of "smart" products or IoT products that essentially operate as black boxes on your network though. Would just recommend not doing that, if you have devices on your network that you don't control, someone else does.

>>maxeri+zH
You're on the right track, perhaps take a look at https://www.privacyguides.org/desktop-browsers/#firefox that's really all.

>>int_19+Cv
The numbers agree. Only 69 Cyrillic domains (second-level) registered last year.

Chinese is the most popular, but only 760 for 2022 and the aggregate trend is down:

2016: 2378

2018: 2252

2020: 1675

2022: 1518

Internationalized Domain Name (IDN) Annual Report 2022

[1] https://www.icann.org/en/system/files/files/idn-annual-repor...

>>joseph+3E
If a malicious app on your system is using DoH, how can you control it? This is what GP was complaining about.

Of course, this is not the fault of DoH providers themselves - at worst, they have just made it easier to perform this.

>>JohnFe+Hx
If you're monitoring the HTTPS stream, you'll see it. The point of the proxy is exactly to inspect the content of HTTPS requests (that's why you need to install your own certificate).

>>srcrei+px
DoH was designed to prevent the network operators from interfering with or snooping on DNS. The stated purpose was to prevent your carrier or country from seeing which domains you access, and/or blocking you from accessing them. However, it also prevents devices like piHole from passively blocking ad requests as easily.

>>SahAss+46
Very few countries, even outside the anglosphere, use IDNs.

>>NetOpW+zb
Blocking domains with mixed character sets? Might be hard to come up with the rules. But legit sites should stick to one language mostly.

>>Sophir+Rx
A successful mitm with an injected trusted cert should appear 100% valid to the browser. That's the point. According to your device setup the connection has not been tampered because you as the device owner allowed a new root cert to be trusted.

The rest is just fear mongering, I'm sorry, not sure how to phrase that more elegantly or politely. I'm not an uber smart domain expert wrt certs, but we shouldn't have to be to know that valid device MITM with certs is a normal use case. And it shouldn't be used as a boogeyman man on layman users.

>>JohnFe+tu
Can you give any more detail on how you did this? Is squid the proxy? How does it know which traffic is doh? What do you do with those requests?

>>tsimio+Yh1
Because if it's your system, you can remove the malicious app from it.

And it's a good thing that DoH is easy, because it helps protect vulnerable people from censorship and surveillance.

>>Tactic+(OP)
> (I came up with this one): use a little firewall rule that prevents any IDN from resolving. That's a one line UDP rule and it stops cold dead any IDN homograph attack. Basically searching any UDP packet for the "xn--" string.

I couldn't see how to do this in Windows Firewall. Which OS/firewall/rule are you using?

>>tsimio+ei1
Yes, exactly. That's what I do -- I MITM all HTTPS streams for this purpose.

>>LinuxB+0y
You should consider filtering your HTTPS streams.

>>joseph+dE
> It's only true when all of the computers on it are too.

I was unclear. This is exactly the case I'm talking about. The network, and all of the devices on the network, are mine.

> What? No it doesn't.

It does. It makes it easier for bad actors -- mostly advertising networks -- to bypass my DNS filtering. They can do it all with their own code, encrypted through HTTPS to hide it, and never touch my DNS systems, nor be affected by browser settings.

> You're not supposed to be able to have control over what tools other people use on their own computers.

Again, I'm talking about having control over my own machines, not anyone else's.

>>yubiox+W72
Yes, I've installed my own cert to negotiate HTTPS connections, then proxy through software to check the contents being sent.

Basically the same process that some companies use for similar purposes.

>>dngray+a71
That only affects things that use the browser's facilities to engage in DoH. A web page could decide not to do that, and manufacture their own lookups using JS, for instance.

>>JohnFe+Kj2
Funny you should mention that. I have a few Squid-SSL-Bump proxies that I use for a few devices. For several years I even used that to visit HN and to my surprise was rarely rate limited or blocked when accessing from a VPS. With Squid I can also make decisions on content types, file sizes and more. There are only a handful of sites it doesn't work with because they for whatever reason are still using public key pinning. A few google sub-domains, eff.org, paypal but interestingly no banks.

This only works with devices that I can install my own CA key onto. I have not figured out how to do that with the vehicle diagnostic tool.

>>JohnFe+sk2
> It makes it easier for bad actors -- mostly advertising networks -- to bypass my DNS filtering. They can do it all with their own code, encrypted through HTTPS to hide it, and never touch my DNS systems, nor be affected by browser settings.

If that makes DoH bad, then privacy is bad too since it makes it easier for terrorists and pedophiles to evade the law.

>>JohnFe+Xk2
This response is just handwaving and avoids the question. Why even bother?

>>ddeck+gc1
Oh wow, that is super interesting data!!! Thanks for sharing

>>mmsc+Lx
There's nothing stopping you just making your own REST API and responding over HTTPS that returns hostname records for any service you build or run - it doesn't even need to use an existing DoH standard. These are exactly the sort of tricks stuff like IoT devices are already using to ensure they can phone home regardless of your network's DNS settings.

DoH is literally just "DNS over HTTPS" (hence the TCP a lot of the time) and you can build this a ton of different ways, including as a basic RESTful API. Local javascript on the page could literally just call any old HTTPS web API to get hostnames resolved, and thanks to HTTPS is much harder to detect, inspect and interfere with than traditional DNS. Fundamentally, a DNS request is a really basic API to implement.

This is why DoH is so hard to conclusively block - its by design to look like "normal" web traffic so bad actors are prevented from manipulating your DNS responses, and the implementation can be done pretty much anyway you want - there are a million different ways to pass a message over HTTPS, and to a firewall they all look like the exact same normal HTTPS traffic if you don't explicitly block the IP or domain serving the DoH.

>>dngray+L61
While these are two common standards, you can easily implement DoH almost anyway you want if you are building a service or device. Its just replying to a request for a hostname record over HTTPS fundamentally - it can be as simple as an extra REST API you run. The number of "protocols" here is effectively limitless. I cant stress enough how simple it can be - check the specs you linked, the example HTTP request/response for the DNS over HTTP3 example is really basic - you could build your own in less than an hour if you really wanted and understand how traditional DNS works.

There is no such thing as right or wrong way to do DoH so long as the DNS messages are passing over HTTPS - the standards are largely to help make it easier to deploy and avoid common pitfalls of course (simpler to integrate to browsers and other software "for free" if the message response body format is standardised), but devices, apps and even javascript in the browser are free to solve this anyway they want, with whatever kind of message payload they can dream up.

DoH is just an HTTP request over SSL in most implementations, nothing more, with the record usually in the payload body in a JSON message or similar.

>>LinuxB+Qn2
> This only works with devices that I can install my own CA key onto

Yes, that's why I don't use any commercial IoT devices. I have no actual control over them. Before I shed the few I did have, I kept them segregated on their own subnet so that at least their presence didn't have to impact anything else.

>>joseph+sq2
On my network, running my machines, these privacy mechanisms really are bad. Having them doesn't give me any privacy (the entire system is my private system to begin with -- who am I being private from?).

The only privacy they are affording is specifically to entities that I don't want operating on my machines to begin with, who are mostly interested in violating my privacy.

So this privacy mechanism, in this use case, really is bad because it reduces my privacy.

>>yubiox+Et2
Oh? I thought I answered it. What are you really asking for here? A tutorial?

If that's what you want, you need to give me time to put it together. I set this up a number of years ago and don't remember the details off the top of my head.

here's what I do remember: I use a squid proxy and replace all of the HTTPS certs on my other machines with my own. When HTTPS is negotiated, it's with my proxy, not the end destination.

Then the proxy does its proxy thing and sets up a normal HTTPS connection with the destination.

In my proxy, I have a script that is looking for the HTTP lookup exchanges detailed in RFC8484 (https://www.rfc-editor.org/rfc/rfc8484). When it finds them, it drops them on the floor. Everything else just gets passed through.

>>joseph+3E
For now. I would point out that the browser with the largest market share by a considerable margin is created and developed by a company that makes most of its money by selling ads, and that choosing your own DNS server with the capability of blocking those ads is a direct threat to that revenue model.

They will tell you it is to defeat censorship though and to improve network resilience, because they are deeply committed to having the image of being a champion of internet freedom.

>>denkmo+NE4
They don't need DoH to stop you from being able to block ads at the network level. For a while, a lot of sites have been proxying their ads through their own domains to do that.

And besides, every browser that supports DoH also lets you pick what server to use, and adblocking DoH servers exist.