[Cryptography] Products that prevent DoH?
Jan Schaumann
jschauma at netmeister.org
Wed Mar 11 18:23:16 EDT 2020
Udhay Shankar N <udhay at pobox.com> wrote:
> I came across this transcript of a podcast where a marketing person talks
> of a product (which she is, obviously, selling) that is claimed to prevent the
> use of DNS over HTTPS.
> How would this work?
To the best of my understanding, the only way to
reliably prevent the use of DoH is by controlling the
client settings on the endpoint in question:
- NXDOMAIN'ing the canary domain only applies in the
case of default DoH opt-in, not in the case of
explicit opt-in[1]
- blocking well-known public DNS resolvers that offer
DoH (as the verbiage "we have certain feeds"
suggests) only works if the client falls back to the
default resolver; at least Firefox can be configured
to fail hard if DoH is not available (network.trr.mode=3
combined with a manual DoH host set; the second part
is necessary, as otherwise Firefox will attempt to
resolve the IP address of the default DoH server via
the standard resolver).
- DoH by design is HTTPS traffic, so a user can set up
their _own_ DoH resolver somewhere, and the solution
in question wouldn't have it in their feeds (and
blocking TCP to port 443 in e.g. AWS is not a
broadly workable solution)
The only other method besides controlling the client
settings by which this could conceivably work is if
they control the endpoint, require installation of a
trusted root cert, MitM all outgoing HTTPS
connections and then block DoH traffic via packet
inspection, but that does not match the "we have
certain feeds" verbiage.
-Jan
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1614751
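As an added illustration (not part of Jan's message) of the endpoint-side control he describes as the only reliable option: a Firefox enterprise policy file, policies.json, that disables DoH and locks the setting so a user cannot re-enable it from about:preferences. The install location is platform-specific (a `distribution` directory beside the Firefox binary on Linux and Windows, or the macOS/MDM equivalent); the key names are those of the published Firefox policy templates.

```json
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    }
  }
}
```

Without `Locked`, the user can flip DoH back on and point it at any HTTPS endpoint, which is exactly the gap that canary domains and resolver blocklists cannot close.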