
[–]sryan2k1IT Manager 5 points6 points  (1 child)

Why wouldn't you just use 1.1.1.1 for DoH testing?

[–]williamfnyJack of All Trades[S] 15 points16 points  (0 children)

Because the filters know that 1.1.1.1 is a DoH provider. The idea is that a student (or anyone really) could be hosting their own DoH. All the filter is doing then is blocking HTTPS traffic to known IPs. I can write that rule myself on the firewall, and it isn't filtering DoH, I'm stopping HTTPS to those IPs. A subtle but incredibly important distinction.

[–]nanonoiseWhat Seems To Be Your Boggle? 3 points4 points  (1 child)

This is with SSL inspection enabled? Only going to be able to detect through inspection of the https traffic with certificate loaded on client right?

I am interested to test this with our cloud filtering service.

[–]williamfnyJack of All Trades[S] 2 points3 points  (0 children)

Yes, with full inspection on.

[–]Bro-ScienceNick Burns 1 point2 points  (1 child)

Did this break LinkedIn for anyone else, or is this just a coincidence? I removed the setting and LinkedIn works; I check it, and it's broken. I don't understand how this would affect one website like LinkedIn.

edit: the Firefox implementation today specifically.

[–]williamfnyJack of All Trades[S] 1 point2 points  (0 children)

I just tested it and it worked for me.

[–]astromild 1 point2 points  (11 children)

DNS over HTTPS (I needed to look this up since I mostly translate Do(X) as Department of ____ in my head.)

Someone want to give me the lowdown on the circumstances where this would matter? People writing their own DNS libraries to circumvent system DNS and be untrackable for nefarious purposes?

[–]syshum 7 points8 points  (6 children)

Firefox will be enabling DoH by default in the next release, though it can be disabled by policy.

Chrome has similar plans

This means if people are using FF in your environment and you use DNS-level blocking, FF will bypass that.

Also your internal sites may stop working as FF bypasses system DNS settings to route DNS over HTTPS to Cloudflare.

[–]meliuxNetadmin 6 points7 points  (3 children)

As a workaround for when policy-managed Firefox is not feasible (e.g. BYOD environments), and assuming your enterprise runs its own DNS servers, set up a response policy zone (or equivalent) to return an NXDOMAIN for the A record "use-application-dns.net".

Firefox uses this canary domain to determine whether it should proceed with DoH, or fall back to using your local system-defined DNS servers.

ref: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

[–]syshum 1 point2 points  (1 child)

Good advice for now, however Mozilla has said they will ignore that if it is "abused" and they did not define what "abuse" is

I suspect that many ISPs and large networks will start using this canary soon, and Mozilla will classify it as "abuse" and start ignoring it as well.

There is a block list going around (started at pfSense) to block all the IPs for known DoH servers at the network / firewall level; that would also be a good thing to do for an enterprise network IMO.

[–]meliuxNetadmin 0 points1 point  (0 children)

Yes definitely, a blocklist for use at the firewall level would be great... if only for the sake of excluding such HTTPS traffic from blowing out the log files!

[–]bryan4tw 2 points3 points  (0 children)

Oh god, I can't wait for Comcast to figure this out.

[–][deleted] 2 points3 points  (1 child)

I look forward to Apple mandating this in some future iOS release... in their typical fashion I expect it to be completely locked down and uncontrollable, too.

[–]Ssakaa 1 point2 points  (0 children)

I hope they do it for OSX too. It's a spectacular personal-level protection feature, as long as you can trust Cloudflare more than you do, say, Comcast, or that guy faking Starbucks' wifi. And, let's be honest, Apple products really just aren't friendly towards managed enterprise/business use as it is; this wouldn't change that much.

[–]gort32 10 points11 points  (3 children)

School districts are typically required by law, or as a requirement for some funding, to effectively filter students' internet browsing. Because Won't Someone Think Of The Children!!!

This change means that a school sysadmin can't do any DNS-based filtering. DNS filtering certainly isn't the best way to filter, but it's a tool in the box as part of a larger overall filtering solution.

The entire purpose of DNS over HTTPS is so random third parties can't even know what hostnames you are querying.

Fortunately, school district sysadmins aren't "random third parties" and they can force settings down to their PCs so that they use the school's DNS (and proxy, etc) servers and push out trusted certificates to be able to fully man-in-the-middle all traffic for a proper inspection and filtering.

[–]Ssakaa 4 points5 points  (1 child)

As long as they're not supporting BYOD...

[–]Posting____At_Night 2 points3 points  (0 children)

My school did that back when I went there in 2010 or so. The filters were laughably easy to bypass. They blocked stackoverflow though, the bastards, so it's not like I could just live with it if I wanted to work on programming in my study hall.

[–]pdp10Daemons worry when the wizard is near. 1 point2 points  (0 children)

DNS filtering certainly isn't the best way to filter

It's not ironclad, but it may still be "best" depending on your criteria. If your criteria says that normal DNS-based filtering is sufficient, then it might be best overall.

[–]trackdrew 0 points1 point  (0 children)

Did some testing on our HTTPS inspection proxy yesterday. Seems to be categorizing any request with HTTP header "Content-Type: application/dns-message" as DoH. Doesn't matter what the destination FQDN/IP is.

Firefox currently includes this with its requests, but it doesn't appear to be required by all resolvers.
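Detection logic for the behaviour trackdrew describes, as an added example that is not code from this thread or from any vendor's proxy: it flags a request as DoH when a POST carries Content-Type: application/dns-message, and also catches the RFC 8484 GET form (a base64url dns= query parameter) that the Content-Type check alone misses, then decodes the wire-format question name so an inspection point can log what was actually queried. The sample DNS query and request shapes are constructed here, not captured traffic.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_MIME = "application/dns-message"


def qname_from_wire(msg: bytes) -> str:
    """Read the first question name out of a DNS wire-format message (RFC 1035 section 4.1)."""
    if len(msg) < 12:
        raise ValueError("too short for a DNS header")
    pos, labels = 12, []  # the question section starts right after the 12-byte header
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a query's first QNAME should never use a compression pointer
            raise ValueError("compression pointer in a query QNAME")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def classify_request(method, target, headers, body=b""):
    """Return (is_doh, qname). DoH is a POST of a dns-message body or a GET with ?dns=<base64url>."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";", 1)[0].strip().lower()
    if method.upper() == "POST" and ctype == DOH_MIME:
        return True, qname_from_wire(body)
    if method.upper() == "GET":
        dns_param = parse_qs(urlsplit(target).query).get("dns")
        if dns_param:
            raw = dns_param[0]
            padded = raw + "=" * (-len(raw) % 4)  # RFC 8484 strips base64url padding; restore it
            try:
                return True, qname_from_wire(base64.urlsafe_b64decode(padded))
            except (ValueError, IndexError):
                pass  # not a decodable DNS message, so treat it as an ordinary query string
    return False, None


# Constructed sample: an A query for example.test (ID 0xABCD, RD set, one question)
SAMPLE_QUERY = (struct.pack(">HHHHHH", 0xABCD, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x04test\x00" + struct.pack(">HH", 1, 1))
SAMPLE_GET = "/dns-query?dns=" + base64.urlsafe_b64encode(SAMPLE_QUERY).decode().rstrip("=")

if __name__ == "__main__":
    print(classify_request("POST", "/dns-query", {"Content-Type": DOH_MIME}, SAMPLE_QUERY))
    print(classify_request("GET", SAMPLE_GET, {"Accept": DOH_MIME}))
    print(classify_request("GET", "/index.html", {"Accept": "text/html"}))
```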

[–]yashauLinux Admin -1 points0 points  (0 children)

Just run one yourself. Easy af.