DNS over HTTPS - any way to block?

Started by chemlud, March 28, 2019, 03:08:12 PM

Hi!

Is there an option in suricata to block access to DNS servers via https (e.g. via a list of DNS servers)?

Any other options for blocking DNS over HTTPS below the level of deep package inspection of HTTPS with all its implications?

kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....


March 28, 2019, 04:51:19 PM #2 Last Edit: March 28, 2019, 05:11:21 PM by chemlud
OK, let's do a thought experiment, if we want to go down this road. If I were Google or Samsung, I would hardcode the DNS server in the browser, smart TV etc. for ads, "telemetry" and worse. And update the software from time to time, if necessary. Or?

Then blocking some DNS servers via a list of domain names is a first step, but (besides never being close to complete) how long will this list be up to date?

Sounds to me like a perfect target for suricata...
kind regards
chemlud

This would be something for the suricata mailing list.

...way above my pay grade in interwebs stuff and didn't find it on their homepage. Would you post a link to this thread on this list? :-)
kind regards
chemlud

An IPS cannot block DoH as it should look like normal web traffic. Two things would work:

* Intercept with the proxy and block it when the format is detected via ICAP service (will have a 100% rate, but not work in many cases like 3rd party devices)
* Block the DoH resolver IPs via PF (blacklists tend to be incomplete)


Many thanks for reply!

Could you enlighten me on "Block the DoH resolver IPs via PF"? How would that work? :) An alias with host names and IPs to be blocked, as they provide DNS over HTTPS (let's start with 8.8.8.8, 9.9.9.9, 1.1.1.1 and the other usual suspects) and a floating block rule with this alias?

Black lists will always tend to be incomplete, but that's the same with malware C&C sites etc. But somebody would have to have "honeypots" (running IoT, Chrome browser, Firefox, Samsung TVs and alike) to collect the DNS requests for HTTPS DNS servers. That could be the suricata network, or? ;-)
kind regards
chemlud


Is this only me who is interested in this topic? Large companies do their HTTPS proxy stuff and can filter on this, OK, but what about smaller companies interested in a decent control of network flows?

Are they completely lost or should they do HTTPS proxy as well?
kind regards
chemlud

Large companies pay thousands of $ for such products. If Open Source can achieve everything there would be no need for these :)

Have you tried Sensei plugin?

...read about sensei the last days, but not there yet ;-)

Don't want to further increase complexity, if possible, so suricata was my first hope.
kind regards
chemlud

Super interesting topic, at this moment I am using:
- IP and DNS blocking from public lists for malware and ads.
- my DNS server, blocking requests to other DNS servers from LAN.
- Suricata.

Unfortunately all this will not block DNS over HTTPS...

Yeah, that's why my evil friends at Google and their friends like it that much. I have started some time ago to take away HTTP and HTTPS completely from some nets and have classical "browsing" only in dedicated subnets with machines reached via tunnels/VNC.

But if you want to control what your browser does, DNS over HTTPS is a real pain with no solution in sight, except playing little NSA and starting to open the whole HTTPS. With TLS 3.0 this will only be possible with this European "light" TLS 3.0 "standard". Doesn't look good at the moment...
kind regards
chemlud

April 10, 2019, 02:07:49 PM #13 Last Edit: April 10, 2019, 02:11:52 PM by 3kj2w
I had to take some countermeasures after Mozilla added DoH by default on browsers, so I used that public resolvers list to block any traffic from LANs to those IPs... and one of the offenders caught is an LG smart TV with the latest firmware that already had one of the LG DNS names used for adverts blocked: lgsmartad.com
this time the TV is using: dns.google.com port: 443

https://download.dnscrypt.info/resolvers-list/json/public-resolvers.json

@chemlud
do you have any other resolver list or ideas?

hi 3k,

no, no specific list here yet. I disable DoH in Firefox manually in about:config, setting network.trr.mode to "0"

https://wiki.mozilla.org/Trusted_Recursive_Resolver

How did you translate the linked .json file to an Alias for opnsense? :-)
kind regards
chemlud
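One way to turn the public-resolvers.json list 3kj2w mentions into the one-address-per-line text an OPNsense "URL Table (IPs)" alias fetches, which is what chemlud's question asks for. This is an added example, not code from the thread or from dnscrypt-proxy; the field names `proto` and `addrs` are assumed from that list's format, and the sample entries below are constructed.

```python
import json
import ipaddress

# Constructed sample in the shape of dnscrypt-proxy's public-resolvers.json.
# Field names (name, proto, addrs, ports) are assumed from that format.
SAMPLE_RESOLVERS_JSON = """
[
  {"name": "google", "proto": "DoH", "addrs": ["8.8.8.8", "8.8.4.4"], "ports": [443]},
  {"name": "google-ipv6", "proto": "DoH", "addrs": ["[2001:4860:4860::8888]"], "ports": [443]},
  {"name": "cloudflare", "proto": "DoH", "addrs": ["1.1.1.1", "1.0.0.1"], "ports": [443]},
  {"name": "quad9-doh", "proto": "DoH", "addrs": ["9.9.9.9"], "ports": [443]},
  {"name": "quad9-dnscrypt", "proto": "DNSCrypt", "addrs": ["9.9.9.10"], "ports": [8443]},
  {"name": "hostname-only", "proto": "DoH", "addrs": [], "ports": [443]},
  {"name": "bad-entry", "proto": "DoH", "addrs": ["not-an-ip"], "ports": [443]},
  {"name": "dup", "proto": "DoH", "addrs": ["1.1.1.1"], "ports": [443]}
]
"""

def _strip_port(addr):
    """Return the bare address: '[v6]:port' -> 'v6', 'v4:port' -> 'v4', else unchanged."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:          # IPv4 with a port suffix
        return addr.split(":", 1)[0]
    return addr                       # plain IPv4 or unbracketed IPv6

def doh_resolver_ips(json_text, protos=("DoH",)):
    """Sorted, de-duplicated resolver IPs for the given protocols, plus skipped entries.

    Entries with no addrs (hostname only) contribute nothing; addresses that do not
    parse are reported in the skipped list so the alias never silently loses them.
    """
    found, skipped = set(), []
    for entry in json.loads(json_text):
        if entry.get("proto") not in protos:
            continue
        for addr in entry.get("addrs", []):
            try:
                found.add(ipaddress.ip_address(_strip_port(addr)))
            except ValueError:
                skipped.append((entry.get("name"), addr))
    ordered = sorted(found, key=lambda ip: (ip.version, int(ip)))  # v4 first
    return [str(ip) for ip in ordered], skipped

def alias_table(ips):
    """One address per line: the text an OPNsense URL Table alias expects."""
    return "\n".join(ips) + "\n"

if __name__ == "__main__":
    ips, skipped = doh_resolver_ips(SAMPLE_RESOLVERS_JSON)
    print(alias_table(ips), end="")
    print("skipped:", skipped)
```

Serve the output of `alias_table` from an internal web server, point a URL Table alias at it, and use that alias in the floating block rule; re-run the script on a schedule so the alias follows the upstream list.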