zlacker

4 comments
1. JohnFe+ (OP) 2023-02-24 00:17:00
> I have yet to come across one utilized in the wild

How would you be able to tell?

replies(1): >>LinuxB+K2
2. LinuxB+K2 2023-02-24 00:34:53
>>JohnFe+(OP)
I confine everything on my network, and if anything is able to resolve any one of the sanctioned countries, or if the domains I override resolve to their correct address, I will see it. I can only think of one opaque device I have that could even try to do that, but I know it doesn't, because I have to unblock .cn to get vehicle updates for it. I should add that I do not let random IoTs onto my network, and that vehicle diagnostic tool from China is only on my network about once per year for a few minutes. I should also add that I have fascist firewall rules for anything I do not trust, and all new SYN packets are logged. DoT and DoH use TCP.
replies(1): >>JohnFe+uO1
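The detection described in that comment, logging every new outbound SYN and watching for encrypted-DNS resolvers being reached directly, is easy to turn into a small log scanner. The following is an added example, not code from anyone in this thread: it assumes Linux netfilter LOG-target lines with an assumed `[FW-NEW]` prefix, and the resolver watch list and sample log lines are constructed for the demonstration. Port 853 (DoT) is unambiguous; DoH shares port 443 with ordinary HTTPS, so a 443 SYN is only flagged when its destination is a resolver already on the watch list.

```python
"""Flag new TCP connections that look like a device talking to an encrypted-DNS
resolver directly, bypassing the local resolver and its overrides.
Added example: log format, prefix and resolver list are assumptions."""
import ipaddress
from dataclasses import dataclass

DOT_PORT = 853   # RFC 7858 DNS over TLS has its own port
DOH_PORT = 443   # RFC 8484 DNS over HTTPS shares the port with all other HTTPS

# Constructed watch list of public resolver addresses (extend to taste).
PUBLIC_RESOLVERS = {
    ipaddress.ip_address(a)
    for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")
}

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def parse_netfilter_line(line):
    """Split a netfilter LOG line into KEY=VALUE fields and the bare TCP flag words."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags


def classify(line):
    """Return a Finding for a new outbound TCP SYN to a DoT port or a known
    DoH resolver; None for anything else (UDP, SYN/ACK, ordinary HTTPS)."""
    fields, flags = parse_netfilter_line(line)
    if fields.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
        return None  # only the first packet of a new TCP connection matters
    try:
        dst = ipaddress.ip_address(fields["DST"])
        dport = int(fields["DPT"])
    except (KeyError, ValueError):
        return None  # malformed or truncated line
    if dport == DOT_PORT:
        reason = "DNS over TLS (port 853)"
    elif dport == DOH_PORT and dst in PUBLIC_RESOLVERS:
        reason = "HTTPS to a known public resolver (probable DoH)"
    else:
        return None
    return Finding(fields.get("SRC", "?"), str(dst), dport, reason)


def scan(log_text):
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


# Constructed sample: one DoT attempt and one probable DoH attempt from an IoT
# segment, one ordinary HTTPS connection, one DoT attempt from the LAN segment,
# and one plain UDP DNS packet that the scanner must ignore.
SAMPLE_LOG = """\
Feb 24 00:30:01 gw kernel: [FW-NEW] IN=br-iot OUT=wan SRC=192.168.50.12 DST=1.1.1.1 LEN=60 TTL=63 DF PROTO=TCP SPT=41022 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 24 00:30:02 gw kernel: [FW-NEW] IN=br-iot OUT=wan SRC=192.168.50.12 DST=8.8.8.8 LEN=60 TTL=63 DF PROTO=TCP SPT=41023 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 24 00:30:03 gw kernel: [FW-NEW] IN=br-iot OUT=wan SRC=192.168.50.12 DST=203.0.113.5 LEN=60 TTL=63 DF PROTO=TCP SPT=41024 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 24 00:30:04 gw kernel: [FW-NEW] IN=br-lan OUT=wan SRC=192.168.1.20 DST=1.1.1.1 LEN=60 TTL=63 DF PROTO=TCP SPT=50000 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 24 00:30:05 gw kernel: [FW-NEW] IN=br-iot OUT=wan SRC=192.168.50.12 DST=1.1.1.1 LEN=40 TTL=63 PROTO=UDP SPT=41025 DPT=53 LEN=20
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.src} -> {finding.dst}:{finding.dport}  {finding.reason}")
```

Feed it `journalctl -k` or the syslog file that receives the kernel messages; only the three encrypted-DNS lines in the sample are reported. A device that resolves through a DoH endpoint not on the watch list will still slip past a port-based check, which is why the resolver list, and not the port, carries the DoH half of the detection.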
3. JohnFe+uO1 2023-02-24 15:58:05
>>LinuxB+K2
You should consider filtering your HTTPS streams.
replies(1): >>LinuxB+AS1
4. LinuxB+AS1 2023-02-24 16:14:49
>>JohnFe+uO1
Funny you should mention that. I have a few Squid SSL-Bump proxies that I use for a few devices. For several years I even used that to visit HN, and to my surprise was rarely rate limited or blocked when accessing from a VPS. With Squid I can also make decisions on content types, file sizes and more. There are only a handful of sites it doesn't work with, because they, for whatever reason, are still using public key pinning: a few Google sub-domains, eff.org, PayPal, but interestingly no banks.

This only works with devices that I can install my own CA key onto. I have not figured out how to do that with the vehicle diagnostic tool.

replies(1): >>JohnFe+hC2
5. JohnFe+hC2 2023-02-24 19:31:04
>>LinuxB+AS1
> This only works with devices that I can install my own CA key onto

Yes, that's why I don't use any commercial IoT devices. I have no actual control over them. Before I shed the few I did have, I kept them segregated on their own subnet so that at least their presence didn't have to impact anything else.