OPNsense Forum » English Forums » General Discussion
Topic: Blocking QUIC (Read 3487 times)
RamSense (Hero Member, Posts: 595, Karma: 10)
Blocking QUIC
on: November 29, 2022, 07:35:28 am
I just read some articles about QUIC and how this can break your DNS / ad blocking etc.
So I think it would be wise to have QUIC blocked on OPNsense. What is the best way to do this?
And how to test if your QUIC block is working?
I have, by reading about it online, made the firewall rule below. Is this the correct way?
Firewall - Rules - LAN:
Action: block
Interface: LAN
Direction: out
TCP/IP version: IPv4+IPv6
Protocol: UDP
Source: LAN net
Source Port Range: HTTPS (443)
Destination: WAN net
Destination Port Range: any
Thanks in advance for your best practices.
yeraycito (Sr. Member, Posts: 288, Karma: 18)
Re: Blocking QUIC
Reply #1 on: November 29, 2022, 06:47:51 pm
I have AdGuard installed on OPNsense and I am using NextDNS with QUIC, and all DNS queries and blocks go through AdGuard or NextDNS. NextDNS performance is faster than Cloudflare.
Last Edit: November 29, 2022, 06:53:53 pm by yeraycito
RamSense (Hero Member, Posts: 595, Karma: 10)
Re: Blocking QUIC
Reply #2 on: November 29, 2022, 08:44:35 pm
Thanks yeraycito for your input.
I also have AdGuard Home running, but instead of NextDNS I use Unbound on OPNsense for all the DNS (no upstream servers).
Wondering what others are doing.
Patrick M. Hausen (Hero Member, Posts: 6826, Karma: 573)
Re: Blocking QUIC
Reply #3 on: November 29, 2022, 09:44:10 pm
AdGuard Home and BIND since I need secondary zones.
Hmm ... we have "just do it day" this Friday. Maybe get back to that DHCP - BIND integration thing again ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
RamSense (Hero Member, Posts: 595, Karma: 10)
Re: Blocking QUIC
Reply #4 on: November 30, 2022, 06:29:11 am
Always fun to test something new/different.
Maybe I will have a Friday "just do it" BIND day.
Does it handle QUIC, or how is BIND related to blocking / allowing QUIC?
Patrick M. Hausen (Hero Member, Posts: 6826, Karma: 573)
Re: Blocking QUIC
Reply #5 on: November 30, 2022, 09:16:34 am
BIND does not block QUIC - how could it? You asked what others are doing compared to AdGuard Home and Unbound. Why would one block QUIC? It's essentially HTTP "ng", so it's useful, IMHO.
For your block rule you need destination port 443, not source port. And destination any. "WAN net" is not the Internet but only the addresses directly connected to your WAN interface.
Interface: LAN
Direction: in
Protocol: UDP
Source: LAN net or any
Source Port: any
Destination: any
Destination Port: 443
Action: block
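Reply #5 makes two corrections to the rule from the opening post: QUIC clients use an ephemeral source port and connect to destination UDP/443, and the "WAN net" alias only covers the subnet directly attached to the WAN interface, not the Internet. The following is an added example written for this thread, not OPNsense or pf code, that models both rules as plain 5-tuple matchers and runs them over constructed sample flows so the difference is visible. The topology (LAN 192.168.1.0/24, WAN interface in 203.0.113.0/24) and the flows are made up using RFC 5737 documentation addresses; interface and direction are deliberately left out of the model, since both rules are applied on LAN and the point is the address/port fields.

```python
"""Model of the two LAN block rules from the "Blocking QUIC" thread.

Added illustration, not OPNsense/pf code. Only the protocol, address and
port fields of a rule are modelled; interface and direction are ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed topology (RFC 5737 ranges). "WAN net" in OPNsense resolves to
# the subnet directly connected to the WAN interface, here 203.0.113.0/24.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/24")
ANY = None  # wildcard for an address or port field


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src_net: Optional[Net]
    sport: Optional[int]
    dst_net: Optional[Net]
    dport: Optional[int]

    def matches(self, f: Flow) -> bool:
        """True when the flow's 5-tuple satisfies every non-wildcard field."""
        if self.proto != f.proto:
            return False
        if self.src_net is not ANY and ipaddress.ip_address(f.src) not in self.src_net:
            return False
        if self.sport is not ANY and f.sport != self.sport:
            return False
        if self.dst_net is not ANY and ipaddress.ip_address(f.dst) not in self.dst_net:
            return False
        if self.dport is not ANY and f.dport != self.dport:
            return False
        return True


# Rule as posted in the opening post: source port 443, destination "WAN net".
ORIGINAL_RULE = Rule("original", "udp", LAN_NET, 443, WAN_NET, ANY)
# Rule as corrected in Reply #5: any source port, destination any, port 443.
CORRECTED_RULE = Rule("corrected", "udp", LAN_NET, ANY, ANY, 443)

# Constructed sample traffic from one LAN client.
SAMPLE_FLOWS = [
    Flow("udp", "192.168.1.10", 51234, "198.51.100.7", 443),   # QUIC to an Internet web server
    Flow("tcp", "192.168.1.10", 51235, "198.51.100.7", 443),   # HTTPS over TCP (the fallback)
    Flow("udp", "192.168.1.10", 51236, "198.51.100.53", 53),   # plain DNS, must stay untouched
    Flow("udp", "192.168.1.10", 51237, "203.0.113.1", 443),    # UDP/443 to a host on the WAN subnet
]


def blocked_by(rule: Rule, flows: List[Flow] = SAMPLE_FLOWS) -> List[Flow]:
    """Flows the given block rule would match."""
    return [f for f in flows if rule.matches(f)]


if __name__ == "__main__":
    for rule in (ORIGINAL_RULE, CORRECTED_RULE):
        hits = blocked_by(rule)
        print(f"{rule.name}: blocks {len(hits)} of {len(SAMPLE_FLOWS)} flows")
        for f in hits:
            print(f"  {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

The original rule matches none of the flows: no client sends QUIC from source port 443, and the QUIC destination 198.51.100.7 is not inside "WAN net". The corrected rule matches the QUIC flow (and the UDP/443 flow to the WAN subnet) while leaving TCP/443 and DNS alone, which is what lets browsers fall back to HTTPS over TCP.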
RamSense (Hero Member, Posts: 595, Karma: 10)
Re: Blocking QUIC
Reply #6 on: November 30, 2022, 10:51:05 am
Pmhausen, thanks again for your help and reply.
Since I'm no expert I can very well miss something.
I stumbled on QUIC in my learning process with OPNsense and firewalls.
This is some of what I found:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC
Palo Alto Networks recommends creating a security policy in the firewall to block the QUIC application. With the QUIC traffic getting blocked by the Firewall, the Chrome browser will fall back to using traditional TLS/SSL. Note that this will not cause the user to lose any functionality on their browser. Firewall gains better visibility and control of Google applications with or without the SSL decryption enabled.
https://help.zscaler.com/zia/managing-quic-protocol
Zscaler best practice is to block QUIC. When it's blocked, QUIC has a failsafe to fall back to TCP. This enables SSL inspection without negatively impacting user experience.
https://www.networkstraining.com/what-is-quic-protocol/
Because QUIC uses proprietary encryption equivalent to TLS (this will change in the future with a standardized version), 3rd generation firewalls that provide application control and visibility have a hard time now to control and restrict Google applications (such as Gmail, Youtube etc). There are some firewall vendors that suggest to block QUIC in order to gain back the required visibility and control to Google apps.
I'm trying to keep bypassing of OPNsense as low as possible, but also keep it as user friendly as possible...
So is QUIC safe to allow, or should it be blocked as described above?
And in regards to you using BIND on OPNsense, do you only run BIND or is Unbound also running? I think I will have a BIND exploring weekend ahead.
Patrick M. Hausen (Hero Member, Posts: 6826, Karma: 573)
Re: Blocking QUIC
Reply #7 on: November 30, 2022, 12:10:59 pm
Do you break and inspect TLS? If not, there is no difference whether it's HTTPS or QUIC.
The documents you cited refer explicitly to enterprise environments with TLS inspection. Which is a bad thing, anyway, IMHO.
I run only BIND, I don't like Unbound.
RamSense (Hero Member, Posts: 595, Karma: 10)
Re: Blocking QUIC
Reply #8 on: November 30, 2022, 01:41:48 pm
No TLS inspection here. Too much hassle and work with trusted certificates etc.
So I dropped that approach.
And somewhat good to know QUIC falls in the same sort of category as HTTPS.
And also good to hear nobody else here is "afraid" of QUIC,
as long as not everything is going encrypted and at some point being able to bypass OPNsense firewall efforts.
I will be testing BIND this weekend.
Thanks again.