OPNsense Forum » Archive » 23.7 Legacy Series
Topic: Feature request for decrypt DoH
Zapad
Feature request for decrypt DoH
on: November 22, 2023, 08:18:29 am
Hello,
is it possible to inspect only the DoH servers from this list:
https://github.com/dibdot/DoH-IP-blocklists/blob/master/doh-ipv4.txt
I know I can enable global inspection, but I want to inspect and filter only DNS-over-HTTPS servers, not all HTTPS traffic globally.
Best regards, Zapad.
CJ
Re: Feature request for decrypt DoH
Reply #1 on: November 22, 2023, 09:19:24 pm
What are you trying to accomplish? If you're just concerned about DoH being used to bypass your local DNS then you can add the list to the firewall and block them.
Have Answer, Will Blog
Zapad
Re: Feature request for decrypt DoH
Reply #2 on: November 23, 2023, 08:55:52 am
I want to filter DNS queries from some Android and smart device apps that bypass my AdGuard DNS server.
I can block all the DoH servers in the list, but then my VPN service doesn't work; it uses the 1.1.1.1 DoH servers.
If I allow 1.1.1.1, then other apps may pass DNS through it.
I have a Core i7 machine, so HTTPS inspection isn't a problem, but this is no option because my exception list has grown so much that I have no more room to add the next and next and next exception...
and to research which app needs yet another exception.
Sorry for my bad English.
tiermutter
Re: Feature request for decrypt DoH
Reply #3 on: November 23, 2023, 09:07:38 am
Even with inspecting this list and blocking recognized DoH traffic, there will always be a whole lot of servers not in this list that allow bypassing your AGH.
Simply blocking this list, allowing 1.1.1.1 for special devices only, or changing the DNS server would be easier than this unworkable plan.
However, I don't understand why your VPN service may not work... what is the client, your sense or the device?
i am not an expert... just trying to help...
Zapad
Re: Feature request for decrypt DoH
Reply #4 on: November 23, 2023, 09:56:45 am
CyberGhost won't connect if I block this list.
Does OPNsense recognize which traffic is DoH and which is not? I think not.
Why should I filter all traffic if I only need to filter or intercept DoH and forward it to my DNS server?
tiermutter
Re: Feature request for decrypt DoH
Reply #5 on: November 23, 2023, 10:01:45 am
You cannot redirect DoH requests to another resolver, that's DoH design... and without inspecting, no one can recognize whether this is DoH or normal HTTPS traffic; this will only work using lists of known DoH servers, but as said, this is not reliable.
Zapad
Re: Feature request for decrypt DoH
Reply #6 on: November 23, 2023, 05:05:05 pm
Now I have applied a block rule on WAN outbound for the DoH servers with port 443.
But I don't know whether this is the best solution for this problem with bypassing DNS filters.
tiermutter
Re: Feature request for decrypt DoH
Reply #7 on: November 23, 2023, 05:38:12 pm
Reject is more appropriate for this. Besides, the rule should be on LAN in, to reject right where the traffic arrives at the sense.
Bypassing will always be possible as long as servers not on the list are used.
Also remember IPv6 if applicable.
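The advice in the replies above (reject rather than silently drop, place the rule on LAN in, keep one exception for the VPN client, and cover IPv6) can be put together as a small rule generator. The following is an added example, not OPNsense's own code or configuration: it parses a blocklist in the one-address-per-line shape of the dibdot lists (the list contents here are a constructed sample, not the real file), splits it into IPv4 and IPv6 pf tables, and renders pf rules in the order pf evaluates them. The interface name `lan`, the VPN host `192.168.1.50` and the resolver `1.1.1.1` are placeholders chosen for the example. In the OPNsense GUI the same thing is done with an alias fed from the list URL and a Reject rule on the LAN interface; the point of the code is to show the rule logic and its limit, which `decision()` makes explicit: a destination not on the list is simply not matched.

```python
"""Reject known DoH resolvers on LAN in, with one allowed VPN client.

Added example (not OPNsense's own code). Assumptions:
  * blocklist format: one IP or CIDR per line, '#' starts a comment;
  * interface name, VPN host and resolver address are placeholders.
"""
import ipaddress

# Constructed sample list in the one-address-per-line shape; not the real dibdot file.
SAMPLE_LIST = """\
# constructed sample, not the real list
1.1.1.1
1.0.0.1
8.8.8.8
2606:4700:4700::1111
9.9.9.9/32
not-an-address
"""


def parse_list(text):
    """Return (ipv4 networks, ipv6 networks); malformed lines are skipped."""
    v4, v6 = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # one bad line must not abort the whole rule build
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6


def render_rules(v4, v6, lan_if="lan", vpn_host="192.168.1.50", vpn_resolver="1.1.1.1"):
    """Emit pf lines: two tables, the VPN exception, then reject rules on LAN in."""
    lines = [
        f"table <doh_v4> {{ {', '.join(map(str, v4))} }}",
        f"table <doh_v6> {{ {', '.join(map(str, v6))} }}",
        # Exception first: with 'quick' the first match wins, so the VPN
        # client reaches its resolver before the reject rules are consulted.
        f"pass in quick on {lan_if} inet proto {{ tcp udp }} "
        f"from {vpn_host} to {vpn_resolver} port 443",
        # 'block return' rejects (TCP RST / ICMP unreachable) instead of
        # dropping silently, so apps fail fast rather than hang on timeouts.
        f"block return in quick on {lan_if} inet proto {{ tcp udp }} "
        f"from any to <doh_v4> port 443",
        # IPv6 gets its own rule; a v4-only list leaves v6 DoH wide open.
        f"block return in quick on {lan_if} inet6 proto {{ tcp udp }} "
        f"from any to <doh_v6> port 443",
    ]
    return lines


def decision(dst, src, v4, v6, vpn_host="192.168.1.50", vpn_resolver="1.1.1.1"):
    """Simulate the rule order for one port-443 flow: 'pass', 'reject' or 'not matched'."""
    if src == vpn_host and dst == vpn_resolver:
        return "pass"
    addr = ipaddress.ip_address(dst)
    nets = v4 if addr.version == 4 else v6
    if any(addr in n for n in nets):
        return "reject"
    # Falls through to the rest of the ruleset: a DoH server that is not
    # on the list is indistinguishable from ordinary HTTPS here.
    return "not matched"


if __name__ == "__main__":
    v4_nets, v6_nets = parse_list(SAMPLE_LIST)
    print("\n".join(render_rules(v4_nets, v6_nets)))
    for flow in (("1.1.1.1", "192.168.1.50"), ("1.1.1.1", "192.168.1.20"),
                 ("2606:4700:4700::1111", "192.168.1.20"), ("203.0.113.7", "192.168.1.20")):
        print(flow, "->", decision(flow[0], flow[1], v4_nets, v6_nets))
```

The exception is deliberately narrow (one source host to one resolver) rather than a blanket allow of 1.1.1.1, which is what lets every other app on the network bypass the filter. Anything that resolves via a server outside the list still passes, which is the limit the replies above describe.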
Zapad
Re: Feature request for decrypt DoH
Reply #8 on: November 24, 2023, 08:30:40 am
My config is not that simple....
I have 1 interface untagged as the default gateway for the network and 3 VLANs tagged on the same interface for back routing.
Switch: 1 VLAN only for the default gateway and 3 VLANs for classified devices; the same on OPNsense.
I tried a block rule on DGW in, but inspection does not count because the traffic goes out; I tried it on WAN outbound (IPv4/IPv6 list) and inspection counts.
Unlike the last 2 updates, I cannot see the devices which access the DGW; I see only 192.168.1.1 > 192.168.1.2 and 192.168.1.2 > 192.168.1.1.
Example IPs from OPNsense and the switch GW.
Earlier I was able to see which client connects to which IP in the dashboard monitoring.