English Forums > Zenarmor (Sensei)

DoH blocking


athurdent:
Hi @mb,

it would be really cool if we had a switch to at least partly block DoH, as well as possible, to gain more control over DNS.

I know the best blocking capabilities can probably only be achieved using SSL inspection by decrypting, analyzing and re-encrypting SSL (seems to be on the roadmap). This technique tends to break apps that come with their own hardcoded CA info though, plus SSL was made not to be decrypted, so there is always a possibility something goes sideways.

A nice DoH block "lite" would probably be denying access to the growing list of DoH IPs, plus blocking DNS record type 65 (HTTPS). https://support.umbrella.com/hc/en-us/articles/360049713451-DNS-Resolver-Selection-in-iOS-14-and-macOS-11 is a nice read on the topic; I did not know iOS 14 implemented DoH. It seems to be possible for apps to use their own DNS now, which is probably something not everybody will like. I don't.  ;)

What does the community think?
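As an added illustration (not code from this thread or from Zenarmor), a small Python parser for the DNS question section that flags the record type 65 (HTTPS) queries the post proposes to block. The packet builder exists only to construct sample input; the type number and policy come from the post above.

```python
import struct

QTYPE_HTTPS = 65  # DNS record type 65 (HTTPS), the type the post proposes to block

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query packet (constructed sample input, not captured traffic)."""
    # header: id, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_question(packet: bytes):
    """Return (qname, qtype) of the first question in a DNS packet, or None if malformed."""
    if len(packet) < 12:
        return None  # shorter than a DNS header
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        return None  # nothing to inspect
    pos, parts = 12, []
    while True:
        if pos >= len(packet):
            return None  # name runs past the end of the packet
        length = packet[pos]
        if length == 0:
            pos += 1  # root label terminates the name
            break
        if length & 0xC0:
            return None  # compression pointer / reserved bits: treat as malformed here
        pos += 1
        parts.append(packet[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(packet):
        return None  # QTYPE/QCLASS missing
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(parts), qtype

def should_block(packet: bytes) -> bool:
    """Policy from the post: drop plain-DNS queries for record type 65 (HTTPS)."""
    question = parse_question(packet)
    return question is not None and question[1] == QTYPE_HTTPS
```

This only sees the plain-DNS path used to discover DoH endpoints; queries already carried inside HTTPS are not visible to it, which is why the post pairs it with blocking the known DoH resolver IPs.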

mb:
Hi @athurdent,

You should be able to control DoH via "DNS over HTTPS" application under "Network Management" application category.

Can you try that?

athurdent:
Hi @mb,

Thanks, I missed that category.
I downloaded the DNSCloak app and tried it with an iPhone, with mixed results.
For a test, I filtered for DoH-only servers and tried the following 3 from the list:

att - not recognized/blocked
cisco-doh - blocked
dnshome-doh - not recognized/blocked

Thank you for looking into this!

mb:
Hi Athurdent,

Our pleasure. Can you create a PR from the Sensei UI? Let us add those to our app database.

athurdent:

--- Quote from: mb on September 29, 2020, 03:01:31 pm ---Hi Athurdent,

Our pleasure. Can you create a PR from the Sensei UI? Let us add those to our app database.

--- End quote ---

Done, thank you for your support!
