zlacker

[parent] [thread] 5 comments
1. LinuxB+(OP)[view] [source] 2023-02-23 22:59:30
Blocking DoH is largely whack-a-mole

Maybe this is so, but I have yet to see it. AFAIK all the DoT/DoH resolvers are on known dedicated IP addresses. I know they don't have to be. They could be on generic Akamai/CF/BunnyCDN/etc... endpoints, but I have yet to come across one utilized in the wild. Have you found any? What are their IP addresses? I would like to add them to my DNS timing/monitoring scripts.

I null route about 24 DoT/DoH IP addresses and my one smartphone seemed to figure out automagically that my router was serving up DoT on 853. I can tell if something is bypassing Unbound because there are things I know should not resolve correctly.

replies(1): >>JohnFe+vd
2. JohnFe+vd[view] [source] 2023-02-24 00:17:00
>>LinuxB+(OP)
> I have yet to come across one utilized in the wild

How would you be able to tell?

replies(1): >>LinuxB+fg
◧◩
3. LinuxB+fg[view] [source] [discussion] 2023-02-24 00:34:53
>>JohnFe+vd
I confine everything on my network, and if anything is able to resolve any one of the sanctioned countries, or if the domains I override resolve to their correct address, I will see it. I can only think of one opaque device I have that could even try to do that, but I know it doesn't because I have to unblock .cn to get vehicle updates for it. I should add that I do not let random IoTs onto my network, and that vehicle diagnostic tool from China is only on my network about once per year for a few minutes. I should also add that I have fascist firewall rules for anything I do not trust, and all new SYN packets are logged. DoT and DoH use TCP.
replies(1): >>JohnFe+Z12
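The approach described in the two LinuxB posts above (null-routing known resolver addresses, logging every new outbound connection, and watching for anything that bypasses the local Unbound instance) can be turned into a small log check. The following is an added example, not code from either commenter: it parses netfilter-style LOG lines (the sample lines, the `NEW-OUT` log prefix, the LAN resolver address `192.168.1.1` and the resolver list are all constructed for the example) and flags hosts that send DNS, DoT or DoH traffic anywhere other than the sanctioned resolver.

```python
"""Flag DNS / DoT / DoH traffic that bypasses the LAN's own resolver.

Added example (not from the thread). Assumes iptables/nftables LOG output for
every new outbound connection; sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Constructed resolver list. 1.1.1.1, 8.8.8.8 and 9.9.9.9 are real public resolvers
# that also speak DoT/DoH; 198.51.100.0/24 is documentation space standing in for any
# further block you null-route. Extend it with whatever your own monitoring turns up.
KNOWN_RESOLVERS = [
    ip_network("1.1.1.1/32"),
    ip_network("8.8.8.8/32"),
    ip_network("9.9.9.9/32"),
    ip_network("198.51.100.0/24"),
]

# Assumed: the router/Unbound host that legitimately serves DNS (53) and DoT (853) to the LAN.
LOCAL_RESOLVER = ip_address("192.168.1.1")

DNS_PORT, DOT_PORT, DOH_PORT = 53, 853, 443

# Fields of a netfilter LOG line we care about; the .*? skips LEN/TOS/TTL/ID/SPT etc.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    reason: str


def classify(line: str) -> Optional[Alert]:
    """Return an Alert if this new-connection line looks like DNS bypassing the local resolver."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m["src"], ip_address(m["dst"]), m["proto"], int(m["dpt"])
    if dst == LOCAL_RESOLVER:
        return None  # the sanctioned path: plain DNS or DoT to our own resolver
    if dport == DNS_PORT:
        reason = "plain DNS to external resolver"
    elif proto == "TCP" and dport == DOT_PORT:
        reason = "DoT (TCP/853) to external resolver"
    elif proto == "TCP" and dport == DOH_PORT and any(dst in net for net in KNOWN_RESOLVERS):
        reason = "HTTPS to a known DoH resolver address"
    else:
        return None  # ordinary HTTPS to an unlisted address is invisible to this check
    return Alert(src, str(dst), dport, reason)


def scan(lines: Iterable[str]) -> list[Alert]:
    """Run classify() over a log and keep the hits."""
    return [a for a in (classify(line) for line in lines) if a is not None]


def bypassing_hosts(alerts: Iterable[Alert]) -> set[str]:
    """LAN addresses that produced at least one alert."""
    return {a.src for a in alerts}


# Constructed sample log: one DoH attempt, one legitimate DoT to the LAN resolver,
# one DoT attempt to a public resolver, one ordinary HTTPS flow, one plain-DNS bypass.
SAMPLE_LOG = """\
Feb 24 00:34:53 gw kernel: NEW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=41234 DPT=443 WINDOW=64240 SYN URGP=0
Feb 24 00:34:54 gw kernel: NEW-OUT IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=41235 DPT=853 WINDOW=64240 SYN URGP=0
Feb 24 00:35:10 gw kernel: NEW-OUT IN=br0 OUT=eth0 SRC=192.168.1.77 DST=9.9.9.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=50001 DPT=853 WINDOW=64240 SYN URGP=0
Feb 24 00:35:11 gw kernel: NEW-OUT IN=br0 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=50002 DPT=443 WINDOW=64240 SYN URGP=0
Feb 24 00:35:30 gw kernel: NEW-OUT IN=br0 OUT=eth0 SRC=192.168.1.90 DST=8.8.8.8 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=UDP SPT=5353 DPT=53 LEN=48
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.src} -> {a.dst}:{a.dport}  {a.reason}")
    print("hosts bypassing the local resolver:", sorted(bypassing_hosts(found)))
```

The last branch is where the thread's "whack-a-mole" point bites: DoH to an address that is not on the list is indistinguishable from any other HTTPS connection at this layer, which is why the OP's canary domains (names that should not resolve, or that are overridden locally) remain the more reliable signal than the address list.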
◧◩◪
4. JohnFe+Z12[view] [source] [discussion] 2023-02-24 15:58:05
>>LinuxB+fg
You should consider filtering your HTTPS streams.
replies(1): >>LinuxB+562
◧◩◪◨
5. LinuxB+562[view] [source] [discussion] 2023-02-24 16:14:49
>>JohnFe+Z12
Funny you should mention that. I have a few Squid SSL-Bump proxies that I use for a few devices. For several years I even used that to visit HN and, to my surprise, was rarely rate limited or blocked when accessing from a VPS. With Squid I can also make decisions on content types, file sizes and more. There are only a handful of sites it doesn't work with because they, for whatever reason, are still using public key pinning: a few Google sub-domains, eff.org, and PayPal, but interestingly no banks.

This only works with devices that I can install my own CA key onto. I have not figured out how to do that with the vehicle diagnostic tool.

replies(1): >>JohnFe+MP2
◧◩◪◨⬒
6. JohnFe+MP2[view] [source] [discussion] 2023-02-24 19:31:04
>>LinuxB+562
> This only works with devices that I can install my own CA key onto

Yes, that's why I don't use any commercial IoT devices. I have no actual control over them. Before I shed the few I did have, I kept them segregated on their own subnet so that at least their presence didn't have to impact anything else.
