Topic: Intercept DOH Request to 1.1.1.1 etc... and forward them to DNSCrypt (Read 5558 times)
Pfirepfox
Newbie
Posts: 42
Karma: 2
Intercept DOH Request to 1.1.1.1 etc... and forward them to DNSCrypt
« on: April 22, 2020, 11:55:37 am »
Hi All,
Is it possible to intercept all DoH requests to 1.1.1.1 and all other external DNS providers and then redirect them to the OPNsense DNSCrypt DoH DNS server?
Currently I use Unbound for all unencrypted DNS traffic and it works wonderfully with DNS blacklists included. I am now concerned that DoH will be able to bypass my blacklist settings and the destinations will remain unlogged. I am currently running Squid to inspect both HTTP and HTTPS traffic but have not found a way to redirect just the DoH data to DNSCrypt and then to provide the answer to the DoH request.
Has anyone been able to accomplish a DoH redirect to a DNSCrypt service?
chemlud
Hero Member
Posts: 2485
Karma: 112
Re: Intercept DOH Request to 1.1.1.1 etc... and forward them to DNSCrypt
« Reply #1 on: April 22, 2020, 12:26:25 pm »
We discussed that some months ago; you would need an (always up-to-date) list of all relevant DoH servers. If Snort/Suricata don't provide them, I see no real chance to block DoH. And I think there are significant further obstacles ahead....
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
Felix Eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
hbc
Hero Member
Posts: 501
Karma: 47
Re: Intercept DOH Request to 1.1.1.1 etc... and forward them to DNSCrypt
« Reply #2 on: April 22, 2020, 01:10:19 pm »
Why not block DoH entirely and fall back to standard DNS? IMHO DoH is a failure in design. It is not the application that has to resolve hostnames but the OS / network stack.
Imagine a world where every app has its own DoH implementation. Four browsers, four DoH implementations, four possibilities for security issues due to wrong implementation and four companies that are tracking your DNS traffic. It's a fairy tale that companies offer free DNS services without having any benefits.
https://github.com/bambenek/block-doh
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
chemlud
Hero Member
Posts: 2485
Karma: 112
Re: Intercept DOH Request to 1.1.1.1 etc... and forward them to DNSCrypt
« Reply #3 on: April 22, 2020, 02:23:14 pm »
If you block HTTPS, your interwebs is basically dead, isn't it? ;-)
Who will maintain the list of IPs/hostnames to keep up with changes in DoH hosters?
« Last Edit: April 22, 2020, 02:26:15 pm by chemlud »
hbc
Hero Member
Posts: 501
Karma: 47
Re: Intercept DOH Request to 1.1.1.1 etc... and forward them to DNSCrypt
« Reply #4 on: April 22, 2020, 03:51:24 pm »
Haha. Right, overlay protocols are a nightmare for firewalls. Without DPI there is no chance to differentiate. But at least I block the common servers via DNS. There you have 65k ports and finally everybody uses the same one --> 443
Clients shall use the DHCP-assigned company DNS and not foreign ones that cannot resolve internal hostnames. Ouch, what I just realized: DoH providers cannot only track the surfing behaviour of clients, they can even collect internal hostnames. I guess they return NXDOMAIN and the client falls back to internal DNS and resolves correctly, or it will fail. :-/
If I were an intelligence service, I would simply provide public DoH services, collect internal hostnames of companies to infiltrate and then, after enough investigation, return my phishing server's IP and collect login credentials. I'm sure it is not a big problem for them to get trusted certificates.
Pfirepfox
Newbie
Posts: 42
Karma: 2
Re: Intercept DOH Request to 1.1.1.1 etc... and forward them to DNSCrypt
« Reply #5 on: April 23, 2020, 03:45:56 am »
Is it not possible to utilise Squid to intercept the DoH requests? Because Squid is already intercepting all HTTPS traffic, should it not be able to look for queries matching the DoH template of "https://dnsserver.example.net/dns-query" and then forward this to the DNSCrypt proxy port of 5353?
A regex to find queries that match "/dns-query" can be filtered and forwarded to the DNSCrypt proxy, or am I missing something?
hbc
Hero Member
Posts: 501
Karma: 47
Re: Intercept DOH Request to 1.1.1.1 etc... and forward them to DNSCrypt
« Reply #6 on: April 23, 2020, 08:06:50 am »
@Pfirepfox: That only works with HTTPS inspection, i.e. all clients need the root CA of your proxy.
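An added example (not code from this thread or from OPNsense/Squid) illustrating the "/dns-query" matching idea from reply #5 and the caveat from reply #6: it classifies constructed Squid native-format access.log lines as DoH by content type, by the RFC 8484 path, or by a short hostname list, and shows that for an unbumped CONNECT tunnel only the hostname is available to match. The log lines, the host list and the `detect_doh` function are assumptions for illustration.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

# RFC 8484 media type carried by DoH requests and responses.
DOH_CONTENT_TYPE = "application/dns-message"
# Constructed short list of public DoH endpoints; in practice it would be fed
# from a maintained list such as the block-doh repo linked earlier in the thread.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

# Constructed sample lines in Squid's native access.log layout (timestamp,
# elapsed ms, client, result/status, bytes, method, URL, user, hierarchy,
# content type). Lines 1-2 are SSL-bumped, line 3 is an unbumped CONNECT
# tunnel, lines 4-5 are ordinary web traffic (line 5 is a near-miss path).
SAMPLE_LOG = """\
1587556537.123 120 192.168.1.10 TCP_MISS/200 468 POST https://cloudflare-dns.com/dns-query - HIER_DIRECT/1.1.1.1 application/dns-message
1587556538.456 88 192.168.1.11 TCP_MISS/200 302 GET https://doh.example.test/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB - HIER_DIRECT/203.0.113.5 -
1587556539.789 2013 192.168.1.12 TCP_TUNNEL/200 5120 CONNECT dns.google:443 - HIER_DIRECT/8.8.8.8 -
1587556540.001 60 192.168.1.13 TCP_MISS/200 1200 GET https://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1587556541.222 45 192.168.1.14 TCP_MISS/200 900 GET https://blog.example.com/dns-query-explained - HIER_DIRECT/198.51.100.9 text/html
"""


def detect_doh(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, reason) for every log line that looks like DoH."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # not the native Squid layout; skip rather than guess
        client, method, url, ctype = fields[2], fields[5], fields[6], fields[9]
        if method == "CONNECT":
            # Tunnel was not bumped: only host:port is visible, so a hostname
            # list is the only signal. Path and body stay opaque unless the
            # proxy CA is installed on the client (reply #6).
            host = url.rsplit(":", 1)[0]
            if host in KNOWN_DOH_HOSTS:
                hits.append((client, host, "known DoH host (unbumped CONNECT)"))
            continue
        parts = urlsplit(url)
        host = parts.hostname or ""
        if ctype == DOH_CONTENT_TYPE:
            hits.append((client, host, "content-type application/dns-message"))
        elif parts.path == "/dns-query":
            # Exact RFC 8484 well-known path; a loose "/dns-query" substring
            # regex would also flag /dns-query-explained on line 5.
            hits.append((client, host, "path /dns-query"))
        elif host in KNOWN_DOH_HOSTS:
            hits.append((client, host, "known DoH host"))
    return hits


if __name__ == "__main__":
    for client, host, reason in detect_doh(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```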
Pfirepfox
Newbie
Posts: 42
Karma: 2
Re: Intercept DOH Request to 1.1.1.1 etc... and forward them to DNSCrypt
« Reply #7 on: May 15, 2020, 04:06:59 pm »
Currently all devices on the network use the CA of my proxy. They cannot do anything without it; all traffic is going through a port forward to Squid.