1. JohnFe+(OP) 2023-02-24 00:11:40
> killing DoH conclusively on your home network is more difficult than you've made it seem

True.

I had to install a system to MITM all my https traffic in order to block DoH requests.

replies(2): >>dngray+HC >>yubiox+tD1
2. dngray+HC 2023-02-24 05:27:20
>>JohnFe+(OP)
> killing DoH conclusively on your home network is more difficult than you've made it seem

It's actually not too difficult if your users use Firefox. You can use enterprise policies https://support.mozilla.org/en-US/products/firefox-enterpris...

   /* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+]
    * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off
    * see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3]
    * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
    * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy
    * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
    * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
   // user_pref("network.trr.mode", 5);  // uncomment in user.js to set TRR mode 5 (explicitly off)

It can be more of an issue if you have a lot of "smart" products or IoT products that essentially operate as black boxes on your network, though. Would just recommend not doing that: if you have devices on your network that you don't control, someone else does.
replies(1): >>JohnFe+IQ1
3. yubiox+tD1 2023-02-24 14:55:37
>>JohnFe+(OP)
Can you give any more detail on how you did this? Is Squid the proxy? How does it know which traffic is DoH? What do you do with those requests?
replies(1): >>JohnFe+uQ1
4. JohnFe+uQ1 2023-02-24 16:02:56
>>yubiox+tD1
Yes, I've installed my own cert to negotiate HTTPS connections, then proxy through software to check the contents being sent.

Basically the same process that some companies use for similar purposes.

replies(1): >>yubiox+bZ1
5. JohnFe+IQ1 2023-02-24 16:03:36
>>dngray+HC
That only affects things that use the browser's facilities to engage in DoH. A web page could decide not to do that, and manufacture their own lookups using JS, for instance.
6. yubiox+bZ1 2023-02-24 16:37:44
>>JohnFe+uQ1
This response is just handwaving and avoids the question. Why even bother?
replies(1): >>JohnFe+5E2
7. JohnFe+5E2 2023-02-24 19:36:48
>>yubiox+bZ1
Oh? I thought I answered it. What are you really asking for here? A tutorial?

If that's what you want, you need to give me time to put it together. I set this up a number of years ago and don't remember the details off the top of my head.

Here's what I do remember: I use a Squid proxy and replace all of the HTTPS certs on my other machines with my own. When HTTPS is negotiated, it's with my proxy, not the end destination.

Then the proxy does its proxy thing and sets up a normal HTTPS connection with the destination.

In my proxy, I have a script that is looking for the HTTP lookup exchanges detailed in RFC8484 (https://www.rfc-editor.org/rfc/rfc8484). When it finds them, it drops them on the floor. Everything else just gets passed through.
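As an added illustration (not JohnFe's actual script, which is not shown in the thread), here is one way such a check could be written in Python. It recognises the two RFC 8484 request shapes, a GET with a base64url `dns=` parameter and a POST with `application/dns-message`, then sanity-checks the payload as a DNS query and pulls out the queried name so a proxy hook can log or drop it. `build_query` only exists to construct sample input.

```python
import base64
from typing import Optional
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 section 6

def build_query(name: str, qtype: int = 1, txid: int = 0xABCD) -> bytes:
    """Constructed sample input: a minimal DNS wire-format query (RFC 1035), RD set, one question."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return txid.to_bytes(2, "big") + b"\x01\x00\x00\x01" + b"\x00" * 6 + qname + qtype.to_bytes(2, "big") + b"\x00\x01"

def encode_get_param(msg: bytes) -> str:
    """base64url without padding, which is how the GET 'dns' parameter is defined."""
    return base64.urlsafe_b64encode(msg).decode("ascii").rstrip("=")

def looks_like_dns_query(msg: bytes) -> bool:
    """Cheap sanity check: full header, QR bit clear (a query, not a response), QDCOUNT >= 1."""
    return len(msg) >= 12 and not int.from_bytes(msg[2:4], "big") & 0x8000 \
        and int.from_bytes(msg[4:6], "big") >= 1

def first_qname(msg: bytes) -> str:
    """Read the first question name; a query's first QNAME is never a compression pointer."""
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:  # pointer or unknown label type: give up rather than misparse
            return ""
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)

def classify_doh(method: str, url: str, headers: dict, body: bytes = b"") -> Optional[str]:
    """Return the queried name if this HTTP request is an RFC 8484 DoH query, else None."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    if method.upper() == "GET":
        params = parse_qs(urlsplit(url).query)
        if "dns" not in params:
            return None
        raw = params["dns"][0]
        try:  # restore the padding the wire format omits before decoding
            msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
    elif method.upper() == "POST":
        if DOH_MEDIA_TYPE not in hdrs.get("content-type", ""):
            return None
        msg = body
    else:
        return None
    return (first_qname(msg) or "<unparsed>") if looks_like_dns_query(msg) else None
```

A proxy hook that sees the decrypted request would call `classify_doh` and refuse the request whenever it returns a name; the hostname-independent check matters because DoH resolvers do not have to live at a well-known path or address.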
