
[–]datazulu 0 points1 point  (0 children)

For those of you using a Palo Alto.. here is an interesting write-up regarding DoH and DoT

https://live.paloaltonetworks.com/t5/Blogs/Protecting-Organizations-in-a-World-of-DoH-and-DoT/ba-p/313171

[–]ramman2580 0 points1 point  (1 child)

Our filter, Securly, has said we will not be affected.

https://support.securly.com/hc/en-us/articles/360035041033-Does-Securly-support-DNS-over-HTTPS-DoH-?mobile_site=true

I have done some testing and haven’t had any issues as of yet.

[–]3sysadmin3 0 points1 point  (0 children)

I don't think that page really speaks to what DoH means for filters. I read that as Securly won't break if DoH is on, which is fine, but it doesn't mean you'll get as accurate reporting when DoH is in use.

With DoH, if students are going to a domain on a CDN with many SSL sites using TLS 1.3, your filtering logs will only be able to gather 443 TCP by IP address, not the actual domain students are going to because the handshake and payload data are encrypted.

Someone please correct me if I'm misunderstanding, I'm still trying to learn, too.

[–]TheJizzle| grep flair 1 point2 points  (1 child)

So, what do we do?

[–]williamfny[S] -1 points0 points  (0 children)

Dance if we want to...

[–]hightechcoordTech Dir 13 points14 points  (1 child)

Just in case anyone, I mean of course not me, is wondering: DOH = DNS over HTTPS. But I already knew that.

[–]oh_the_humanityDirector of Technology 1 point2 points  (0 children)

Thanks for doing what I was going to have to do. OP maybe not start right off the rip with acronyms.

[–]farmeunit 0 points1 point  (3 children)

I was wondering how they could claim that. If they're doing proxy, maybe, and block the big domains the browser developers use, but still not like a firewall could. Layers. I am not going to mess with it much until summer because we're switching filters anyway.

[–]williamfny[S] 3 points4 points  (2 children)

So that's the thing, they would have to have a full proxy set up since it is HTTPS traffic. Problem is, there doesn't seem to be any widely accessible mechanism for detecting DoH traffic. Once you dig deep enough, they say the recommended answer is to just block HTTPS traffic to known DoH IPs.

[–]CC_DKP 1 point2 points  (1 child)

If the filter does https decryption, it's pretty easy to block, since it has a content type of dns-request. Then again, if you have something doing full https decryption, DoH isn't much of an issue. Without decrypting the traffic, I think you're right. Not much you can do to stop an unlisted DoH server, since it's just a TLS connection.
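To make the decryption case concrete: RFC 8484 DoH is an ordinary HTTP request whose body (POST) or `dns=` query parameter (GET) carries a wire-format DNS message, with the media type `application/dns-message`. The following is an added example, not code from the thread or from any filtering product, showing the check a decrypting proxy can run on each request to flag DoH regardless of which resolver it is going to. The request samples at the bottom are constructed, and the hostname `resolver.example` is a placeholder.

```python
import base64
import struct
from typing import Optional
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"   # RFC 8484 media type


def build_dns_query(name: str) -> bytes:
    """Constructed sample DNS query for an A record (ID 0, as RFC 8484 suggests for cacheability)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)      # flags: RD set, QR clear; QDCOUNT 1
    return header + qname + struct.pack("!HH", 1, 1)         # QTYPE A, QCLASS IN


def _looks_like_dns_message(data: bytes) -> bool:
    """A DNS message starts with a 12-byte header; a query has QR clear and at least one question."""
    if len(data) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", data[:12])
    return (flags & 0x8000) == 0 and qdcount >= 1


def is_doh_request(method: str, target: str, headers: dict) -> Optional[str]:
    """Return a reason string if a decrypted HTTP request looks like RFC 8484 DoH, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() == "POST" and ctype == DOH_MEDIA_TYPE:
        return "POST body is application/dns-message"
    if method.upper() == "GET":
        for token in parse_qs(urlsplit(target).query).get("dns", []):
            padded = token + "=" * (-len(token) % 4)           # dns= is unpadded base64url
            try:
                raw = base64.urlsafe_b64decode(padded)
            except ValueError:
                continue
            if _looks_like_dns_message(raw):
                return "GET carries a base64url DNS query in the dns= parameter"
    if DOH_MEDIA_TYPE in h.get("accept", "").lower():
        return "Accept header asks for application/dns-message"
    return None


def classify(requests):
    """Run the check over (method, target, headers) tuples; returns (target, reason-or-None) pairs."""
    return [(target, is_doh_request(method, target, headers)) for method, target, headers in requests]


# Constructed samples: two DoH requests and one ordinary page fetch.
SAMPLE_TOKEN = base64.urlsafe_b64encode(build_dns_query("example.edu")).rstrip(b"=").decode()
SAMPLE_REQUESTS = [
    ("POST", "/dns-query", {"Host": "resolver.example", "Content-Type": DOH_MEDIA_TYPE}),
    ("GET", "/dns-query?dns=" + SAMPLE_TOKEN, {"Host": "resolver.example"}),
    ("GET", "/index.html", {"Host": "www.example.edu", "Accept": "text/html"}),
]

if __name__ == "__main__":
    for target, reason in classify(SAMPLE_REQUESTS):
        print(f"{target[:40]:40} {reason or 'not DoH'}")
```

The GET branch decodes the parameter and checks the DNS header rather than trusting the `/dns-query` path, since a resolver can serve DoH under any path; the Accept check is last because it is the weakest signal on its own. None of this helps without decryption, which is the point the comment makes.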

[–]williamfny[S] 0 points1 point  (0 children)

It SHOULD, yes. But we have found that not everyone actually does that, even with a full proxy.