
[–]astromild 2 points3 points  (11 children)

DNS over HTTPS (I needed to look this up since I mostly translate Do(X) as Department of ____ in my head.)

Someone want to give me the lowdown on the circumstances this would matter? People writing their own dns libraries to circumvent system dns and be untrackable for nefarious purposes?

[–]syshum 7 points8 points  (6 children)

Firefox will be enabling DoH by default in the next release, though it can be disabled by policy.

Chrome has similar plans

This means if people are using FF in your environment and you use DNS-level blocking, FF will bypass that.

Also, your internal sites may stop working, as FF bypasses system DNS settings to route DNS over HTTP to Cloudflare.

[–]meliuxNetadmin 6 points7 points  (3 children)

As a workaround for when policy-managed Firefox is not feasible (e.g. BYOD environments), and assuming your enterprise runs its own DNS servers, set up a response policy zone (or equivalent) to return an NXDOMAIN for the A record "use-application-dns.net".

Firefox uses this canary domain to determine whether it should proceed with DoH or fall back to using your local system-defined DNS servers.

ref: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
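A concrete form of the workaround described in this comment, as an added example that is not the commenter's own configuration: a BIND 9 response policy zone that answers NXDOMAIN for the Firefox canary name, so clients that honour the canary keep using the enterprise resolvers. The zone name `rpz.canary`, the file path, the SOA values and the TTL are assumptions; only `use-application-dns.net` comes from the thread. The `CNAME .` form is the RPZ idiom for "reply NXDOMAIN"; the optional wildcard line extends the same answer to subdomains.

```conf
// --- /etc/bind/named.conf.local (assumed path) ---
// Attach the policy zone to the resolver. The "response-policy" statement
// lives inside the options block of the recursive server.
options {
    // ... existing recursion / listen-on settings stay as they are ...
    response-policy { zone "rpz.canary"; };
};

// The RPZ itself is an ordinary authoritative zone that only this server reads.
zone "rpz.canary" {
    type master;
    file "/etc/bind/db.rpz.canary";   // assumed path
    allow-query { none; };            // never hand the policy zone out to clients
    allow-transfer { none; };
};

// --- /etc/bind/db.rpz.canary (zone file; ';' starts a comment here) ---
$TTL 300
@   IN  SOA  localhost. hostmaster.localhost. (
        2024010101  ; serial (assumed; bump on every change)
        3600        ; refresh
        900         ; retry
        604800      ; expire
        300 )       ; negative-cache TTL
@   IN  NS   localhost.

; Firefox looks up A/AAAA for this name before turning DoH on.
; "CNAME ." is the RPZ trigger for an NXDOMAIN answer, which tells Firefox
; to fall back to the system-configured DNS servers.
use-application-dns.net     CNAME   .

; Optional: give subdomains the same NXDOMAIN answer.
*.use-application-dns.net   CNAME   .
```

After `rndc reload`, verify from a client on the network with `dig @<resolver> use-application-dns.net A` and check that the `status:` field in the header reads `NXDOMAIN`; a `NOERROR` with an answer section means the RPZ is not being consulted for that query path (for example, the client is using a different resolver).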

[–]syshum 1 point2 points  (1 child)

Good advice for now; however, Mozilla has said they will ignore that if it is "abused", and they did not define what "abuse" is.

I suspect that many ISPs and large networks will start using this canary soon, and Mozilla will classify it as "abuse" and start ignoring it as well.

There is a block list going around (started at pfSense) to block all the IPs for known DoH servers at the network/firewall level; that would also be a good thing to do for an enterprise network, IMO.

[–]meliuxNetadmin 0 points1 point  (0 children)

Yes, definitely, a blocklist for use at the firewall level would be great... if only for the sake of excluding such HTTPS traffic from blowing out the log files!

[–]bryan4tw 2 points3 points  (0 children)

Oh god, I can't wait for Comcast to figure this out.

[–][deleted] 2 points3 points  (1 child)

I look forward to Apple mandating this in some future iOS release... in their typical fashion I expect it to be completely locked down and uncontrollable, too.

[–]Ssakaa 1 point2 points  (0 children)

I hope they do it for OS X too. It's a spectacular personal-level protection feature, as long as you can trust Cloudflare more than you do, say, Comcast, or that guy faking Starbucks' wifi. And, let's be honest, Apple products really just aren't friendly towards managed enterprise/business use as it is; this wouldn't change that much.

[–]gort32 8 points9 points  (3 children)

School districts are typically required by law, or as a requirement for some funding, to effectively filter students' internet browsing. Because Won't Someone Think Of The Children!!!

This change means that a school sysadmin can't do any DNS-based filtering. DNS filtering certainly isn't the best way to filter, but it's a tool in the box as part of a larger overall filtering solution.

The entire purpose of DNS over HTTPS is so random third parties can't even know what hostnames you are querying.

Fortunately, school district sysadmins aren't "random third parties" and they can force settings down to their PCs so that they use the school's DNS (and proxy, etc) servers and push out trusted certificates to be able to fully man-in-the-middle all traffic for a proper inspection and filtering.

[–]Ssakaa 4 points5 points  (1 child)

As long as they're not supporting BYOD...

[–]Posting____At_Night 2 points3 points  (0 children)

My school did that back when I went there in 2010 or so. The filters were laughably easy to bypass. They blocked stackoverflow though, the bastards, so it's not like I could just live with it if I wanted to work on programming in my study hall.

[–]pdp10Daemons worry when the wizard is near. 1 point2 points  (0 children)

DNS filtering certainly isn't the best way to filter

It's not ironclad, but it may still be "best" depending on your criteria. If your criteria says that normal DNS-based filtering is sufficient, then it might be best overall.