Intercept DOH Request to 1.1.1.1 etc... and forward them to DNSCrypt

[Pfirepfox]

Hi All,

Is it possible to intercept all DOH requests to 1.1.1.1 and all other external DNS providers and then redirect them to the OPNSense DNSCrypt DOH DNS Server?

Currently i use Unbound for all unencrypt DNS traffic and it works wonderfully with DNS blacklists included. I am now concerned that DOH will be able to bypass my blacklist settings and the destinations to remain unlogged. I am currently running Squid to inspect both HTTP and HTTPS traffic but have not found a way to redirect just the DOH data to DNSCrypt and then to provide the answer to the DOH request.

Has anyone been able to acomplish a DOH redirect to a DNSCrypt service?

[chemlud]

We discussed that some months ago, you would need a (n always up-to-date) list of all relevant DOH servers. If Snort/Suricata don't provide them, I see no real chance to block DoH. And I think there are significant further obstacles ahead....

[hbc]

Why not block DOH at all and fall-back to standard DNS? IMHO DoH is a failure in design. Not the application has to resolve hostname but the OS / network stack.

Imaging a world, where every app has it's on DoH implementation. Four browsers, four DoH implementations, four possibilities for security issues due to wrong implementation and four companies that are tracking your dns traffic. It's a fairy tale that companies offer free dns services without having any benefits. 

https://github.com/bambenek/block-doh

[chemlud]

If you block HTTPS, your interwebs ist basically dead, or? ;-)

Who will maintain the list of IPs/hostnames to keep up with changes in DoH hosters?

[hbc]

Haha. Right, overlay protocols are a nightmare for firewalls. Without DPI no chance to differentiate. But at least I block the common server via DNS. There you have 65k ports and finally everybody uses the same one --> 443

Clients shall use the DHCP assigned company DNS and not foreign ones that cannot resolve internal hostnames. Ouch, what I just realized. DoH providers cannot only track surf behaviour of clients, they can even collect internal hostnames. I guess, they return NXDOMAIN and client falls back to internal DNS and resolves correct or it will fail. :-/

If I was a intelligence service, I would simply provide public DoH services, collect internal hostnames of companies to infiltrate and then after enough investigation, I return my phishing servers IP and collect login credentials. I'm sure it is not a big problem for them to get trusted certificates.

[Pfirepfox]

Is it not possible to utilise Squid to intercept the DOH requests? BEcause Squid is already intercepting all HTTPS traffic should it not be able to look for queries matching the DOH template of "https://dnsserver.example.net/dns-query" and then forward this to the DNSCrypt proxy port of 5353?

A regex to find queries that match "/dns-query" can be filtered and forwarded to the DNSCrypt proxy, or am i missing something?

[hbc]

@Pfirepfox: That just works with HTTPS-inspection, i.e. all clients needs the root ca of your proxy.

[Pfirepfox]

Currently all devices on the network use the CA of my proxy. They cannot do anything without it, all traffic is going through a port forward to Squid.