Kicking DOH to touch

r00igev@@r

If you're using a DNS blocklist such as ControlD, it's not good to have DOH being accessed directly via IP.
Here is a script to stop that.

Had to use another platform as the script doesn't post here...
The problem is that because it runs over HTTPS, a knowledgeable person could just set up their own DOH server on a rented VPS and completely bypass any blocking. DOH is the devil's work!
 
If you have a LAN with users, it is not viable to visit every desktop. It needs to be more automated than that.

I'm specifically talking about a rogue user on your network trying to bypass your DNS filtering. My point is that all it takes to bypass any DNS filtering is someone with enough knowledge to set up their own DOH DNS server on a cheap VPS and then change the settings in their browser to use the DOH URL. There is absolutely nothing you can do to prevent this sort of bypassing short of blocking all access to TCP port 443, which obviously is not viable.
 
Use DPI to pick him up by IP dissemination and then go moer him. :p
 
DNS filtering is really just security by obscurity. A very thin layer in what should be a multi-layered defense.
 

If you know what you're doing, it's incredibly easy to bypass DNS filtering and incredibly difficult to block DOH traffic on your network. Relying on blocklists like the script above uses provides some relief, but a determined user can easily set up their own DOH server outside your network and make DOH requests to that server that would be indistinguishable from normal SSL web traffic to your router.
 
Correct. But in most cases it would be a breach of their contract and grounds for review.
I use DPI agent-based IP dissemination reporting to pick up variances, then fire up Wireshark via DumpCAP, and then Bob's your aunty's mother (or whatever that Aussie saying is). What I usually do is slow them down to 64 kb/s just to mess with them.
Students are tricky buggers, but none of them go to the extent of setting up their own VPN or DOH server. (Not that I've encountered yet.)
But it's successful if you stop the significant majority of rubbish.
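The original post's script did not come through, so here is an added example of my own (not the script from the thread, and not ControlD's or any vendor's code) that audits constructed flow records for the two signals this thread is about: port 443 connections to a listed DOH endpoint, and port 443 connections to an address the sanctioned resolver never handed that client, which is the "variance" a private DOH box on a VPS still produces even though its TLS looks like any other site. KNOWN_DOH_IPS, the sample events and the Event/audit names are assumptions made up for illustration; the addresses are documentation ranges, not real resolvers.

```python
from dataclasses import dataclass

# Constructed stand-in for a feed of well-known public DoH endpoints. These are
# RFC 5737 documentation addresses, not real resolver IPs: substitute your own list.
KNOWN_DOH_IPS = {"203.0.113.53", "198.51.100.53"}
GRACE = 30  # seconds of slack after an answer's TTL before a flow counts as unresolved


@dataclass
class Event:
    t: int        # seconds since capture start
    client: str   # LAN source address
    kind: str     # "dns": answer handed out by the sanctioned resolver; "tls": outbound :443 flow
    ip: str       # answered address (dns) or destination address (tls)
    ttl: int = 0  # answer TTL (dns only)


# Constructed sample events (not a real capture). 10.0.0.5 behaves; 10.0.0.7 talks
# to a listed DoH endpoint and then to an unlisted host nobody resolved for it.
EVENTS = [
    Event(10, "10.0.0.5", "dns", "192.0.2.10", ttl=300),
    Event(12, "10.0.0.5", "tls", "192.0.2.10"),
    Event(20, "10.0.0.7", "tls", "203.0.113.53"),
    Event(25, "10.0.0.7", "tls", "198.51.100.77"),
    Event(400, "10.0.0.5", "tls", "192.0.2.10"),
]


def audit(events, known_doh_ips=KNOWN_DOH_IPS, grace=GRACE):
    """Return (client, dst_ip, reason) for every :443 flow worth a closer look.

    A flow is suspicious if its destination is a listed DoH endpoint, or if the
    sanctioned resolver never gave that client that address while the answer was
    still live. The second rule is what catches a private DoH server on a VPS.
    """
    expires = {}   # (client, ip) -> time until which a resolver answer is considered live
    findings = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "dns":
            expires[(ev.client, ev.ip)] = ev.t + ev.ttl + grace
        elif ev.kind == "tls":
            if ev.ip in known_doh_ips:
                findings.append((ev.client, ev.ip, "known DoH endpoint"))
            elif ev.t > expires.get((ev.client, ev.ip), -1):
                findings.append((ev.client, ev.ip, "no live resolver answer"))
    return findings
```

The third finding in the sample (10.0.0.5 reconnecting after its answer expired) shows the main noise source: clients that cache past TTL and CDN address churn, so treat the unresolved rule as a triage signal to pull a capture on, not as a block rule.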
 
DNS filtering is really just security by obscurity. A very thin layer in what should be a multi-layered defense.
Correct. But it's better to have it than fokol. For a small business it's the best option to implement policies.
The point can be made that any singular control is obscurity.
That being said, I put it to you that there would be fewer organizations ransomed if they used Quad9 instead of Google.
 
Was about to say. Almost everything you implement is a singular control on its own, but you do it for a specific reason.
 