Reply to post: Re: not going to work

Microsoft joins Google and Mozilla in adopting DNS over HTTPS data security protocol

Anonymous Coward

Re: not going to work

I must admit I haven't (yet) delved too deeply into DoT/DoH, but my tactics so far are based upon:

"Because DoH can be used to bypass Umbrella, Umbrella includes known DoH servers in the “Proxy / Anonymizer” content category. This mechanism is effective, but has limitations:

It cannot block brand new DoH providers that are unknown to us

It cannot block DoH which is used via IP address

For the first issue, we do our best to watch new DoH providers, and customers can further improve coverage by also blocking Newly Seen Domains.

For the latter limitation, there are limited scenarios where DoH is accessed directly by IP address. Firefox with Cloudflare is the most well-known example."

The latter point could potentially be an issue, but I don't know how many providers currently operate this way. My assumption (which could be incorrect) is there will be a standard DNS request to look up the hostname associated with the DoH provider (which can be blocked). If that lookup were to succeed (or a connection be made by IP) then clearly DPI would be the only means to prevent that.
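As an added illustration of the limitation the quoted passage describes (this is not code from the post or from Umbrella): a small Python correlation over constructed DNS and connection log lines that flags resolver lookups for known DoH hostnames, and separately flags outbound TLS connections to an IP the client never received in a DNS answer, which is the direct-by-IP case the comment says would otherwise need DPI. The log format, the hostname list and all IPs are assumptions.

```python
from collections import defaultdict

# Constructed sample log (assumed format, not from the original post):
#   DNS answer:  "<ts> dns <client> <qname> <answer_ip>"
#   Connection:  "<ts> conn <client> <dst_ip>:<port>"
SAMPLE_LOG = """\
1 dns 10.0.0.5 www.example.com 192.0.2.80
2 conn 10.0.0.5 192.0.2.80:443
3 dns 10.0.0.7 doh.example-resolver.test 203.0.113.10
4 conn 10.0.0.7 203.0.113.10:443
5 conn 10.0.0.9 198.51.100.22:443
"""

# Placeholder list of known DoH hostnames (a real deployment would feed in
# a maintained category list such as the one the quoted text mentions).
KNOWN_DOH_HOSTS = {"doh.example-resolver.test"}


def analyse(log_text, known_doh_hosts=KNOWN_DOH_HOSTS):
    """Return (ts, client, finding, detail) tuples for two DoH indicators:
    a resolver lookup of a known DoH hostname, and a TLS connection to an
    address that never appeared in a DNS answer seen by that client."""
    resolved = defaultdict(set)  # client -> IPs returned in DNS answers
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, kind, client = fields[0], fields[1], fields[2]
        if kind == "dns" and len(fields) >= 5:
            qname, ip = fields[3], fields[4]
            resolved[client].add(ip)
            if qname in known_doh_hosts:
                findings.append((ts, client, "known-doh-lookup", qname))
        elif kind == "conn":
            dst_ip, port = fields[3].rsplit(":", 1)
            # A 443 connection with no preceding answer for that IP is the
            # "DoH via IP address" pattern that hostname blocking cannot catch.
            if port == "443" and dst_ip not in resolved[client]:
                findings.append((ts, client, "tls-without-prior-dns", dst_ip))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The second indicator is a heuristic: hosts with cached answers or static routes will also trigger it, so it is a triage signal rather than a block decision.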

Biting the hand that feeds IT © 1998–2020