Feature request for decrypting DoH

Started by Zapad, November 22, 2023, 08:18:29 AM

Hello,

Is it possible to inspect only the DoH servers from this list:

https://github.com/dibdot/DoH-IP-blocklists/blob/master/doh-ipv4.txt

I know I can enable global inspection, but I want to inspect and filter only DNS-over-HTTPS servers and not all HTTPS traffic globally.

Best regards, Zapad.

What are you trying to accomplish? If you're just concerned about DoH being used to bypass your local DNS, then you can add the list to the firewall and block them.

I want to filter DNS queries from some Android and smart device apps that bypass my AdGuard DNS server.
I can block all the DoH servers in the list, but then my VPN service doesn't work; it uses the 1.1.1.1 DoH servers.
If I allow 1.1.1.1, then other apps may pass DNS.


I have a Core i7 machine, so HTTPS inspection isn't a problem, but this
is no option because my exception list has grown so much that I have no more room to add exception after exception after exception....
and to research which app needs yet another exception.

Sorry for my bad English.

Even with inspecting this list and blocking recognized DoH traffic, there will always be a whole lot of servers not in this list allowing to bypass your AGH.
Simply blocking this list, allowing 1.1.1.1 for special devices only, or changing the DNS server would be easier than this unworkable plan  :o
However, I don't understand why your VPN service may not work... what is the client, your sense or the device?
I am not an expert... just trying to help...

Cyberghost won't connect if I block this list.

Does OPNsense recognize which traffic is DoH and which isn't? I think not.

Why should I filter all traffic if I only need to filter or intercept and forward DoH to my DNS server?

You cannot redirect DoH requests to another resolver; that's DoH's design... and without inspecting, no one can recognize if this is DoH or normal HTTPS traffic. This will only work using lists of known DoH servers, but as said, this is not reliable.
I am not an expert... just trying to help...

Now I have applied a block rule on WAN outbound for the DoH servers on port 443,
but I don't know if this is the best solution for this problem with bypassing DNS filters.

Reject is more appropriate for this. Besides, the rule should be on LAN in, to reject right where the traffic arrives at the sense.

Bypassing will always be possible as long as servers not on the list can be used.
Also remember IPv6 if applicable.
I am not an expert... just trying to help...
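As an added illustration of the approach discussed above (block or reject the known-DoH list, with an exception for the one client that legitimately uses 1.1.1.1, and IPv6 included), here is a small Python script that is not part of this thread or of OPNsense: it parses a list in the dibdot doh-ipv4.txt / doh-ipv6.txt format and reports which LAN clients reached a listed server on port 443, minus the configured exceptions. The list excerpt, the flow records and the exception pair are all constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt in the dibdot list format (one address per line, '#' comments).
# The real lists are far longer; this is sample data only.
DOH_LIST = """
# constructed sample, not the real list
1.1.1.1
1.0.0.1
8.8.8.8
9.9.9.9
2606:4700:4700::1111
"""

# Constructed outbound flow records as (client, destination, destination port),
# e.g. exported from firewall or flow logs.
FLOWS = [
    ("192.168.10.23", "1.1.1.1", 443),               # VPN client allowed to use 1.1.1.1
    ("192.168.20.41", "1.1.1.1", 443),               # smart device bypassing local DNS
    ("192.168.20.41", "8.8.8.8", 443),
    ("192.168.20.7", "93.184.216.34", 443),          # ordinary HTTPS, not on the list
    ("192.168.30.5", "2606:4700:4700::1111", 443),   # IPv6 path, also covered
    ("192.168.20.41", "9.9.9.9", 853),               # DoT on 853, out of scope here
]

# Exceptions as (client, resolver) pairs, mirroring "allow 1.1.1.1 for special devices only".
ALLOWED = {("192.168.10.23", "1.1.1.1")}

def parse_doh_list(text):
    """Return a set of ip_address objects, skipping blank lines and comments."""
    servers = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            servers.add(ipaddress.ip_address(line))
    return servers

def find_doh_bypass(flows, servers, allowed):
    """Map each client to the listed DoH servers it reached on 443, minus exceptions."""
    hits = defaultdict(set)
    for client, dst, dport in flows:
        if dport != 443 or (client, dst) in allowed:
            continue
        if ipaddress.ip_address(dst) in servers:
            hits[client].add(dst)
    return {client: sorted(dsts) for client, dsts in hits.items()}

if __name__ == "__main__":
    for client, dsts in find_doh_bypass(FLOWS, parse_doh_list(DOH_LIST), ALLOWED).items():
        print(f"{client} reached known DoH servers: {', '.join(dsts)}")
```

Clients reported here are the ones a LAN-in reject rule for the list would hit; the script gives no visibility into DoH servers missing from the list, which is the limitation the replies point out.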

My config is not so simple....
I have 1 interface untagged as the default gateway for the network and 3 VLANs tagged on the same interface for back routing.

Switch: 1 VLAN only for the default gateway and 3 VLANs for classified devices, the same on OPNsense.

I tried the block rule on DGW in, but inspection does not count because the traffic goes out; I tried on WAN outbound (ipv6/ipv6 list) and inspection counts.

Unlike the last 2 updates, I cannot see the devices which access DGW; I see only 192.168.1.1 > 192.168.1.2 and 192.168.1.2 > 192.168.1.1.
Example IPs from OPNsense and the switch GW.
Earlier I was able to see which client connects to which IP in dashboard monitoring.