  1. #1 Master Untangler (Join Date: Dec 2008, Location: Greater Omaha Area, Posts: 253)

    Blocking DoH (DNS over HTTPS) & DoT (DNS over TLS)?

    Maybe I'll get some flack for this, but the whole point of using Untangle is to manage internet connectivity, which includes managing what is accessed over the company internet using company equipment. So with the introduction of DoH and DoT coming rapidly, with us already starting to see a lot of traffic to chrome.cloudflare-dns.com, etc., we are now needing to block this traffic so all DNS goes through Untangle and not bypassing Untangle. I know that DoT should be easy with simply blocking Port 853, but anyone got some good ideas or references on doing something similar with DoH?

  2. #2 Untangle Ninja Jim.Alles (Join Date: Jul 2008, Location: Central PA, Posts: 2,605)

    flack? I have been doing some hand-wringing for a while around here.
    https://forums.untangle.com/off-topic/43131-dns-hijacking.html

    Things have seemed to go more sanely than I expected since last fall. I want to continue the discussion, but not tonight.

    I can tell you for a quick fix, that the Web Filter App. categorizes doh.opendns.com as "Proxy Avoidance and Anonymizers".
    You might need to do some more research.

    Another tip is that there will always be a FQDN associated with any DoH service (due to the HTTPS part).
    There is a list of those somewhere on the Interwebs.
    (It is also ironic that you need normal plain-vanilla DNS to resolve that).
    Last edited by Jim.Alles; 08-26-2020 at 08:31 PM.
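    As an added illustration of the two points above (DoT is recognisable by TCP 853, and every DoH client must first resolve its resolver's FQDN over plain DNS), here is a small detection script that is not from this thread or from Untangle's own tooling. It scans constructed resolver-log and connection-log lines for the DoH hostnames named in the thread and for port-853 connections; the log formats are assumptions, not Untangle's.

```python
"""Flag LAN clients that appear to be bypassing the corporate resolver via DoH or DoT."""
import re
from collections import defaultdict
from typing import Dict, Set

# DoH endpoints named in the thread; in practice extend this from a maintained list.
DOH_HOSTS = {"chrome.cloudflare-dns.com", "doh.opendns.com", "dns.google.com"}
DOT_PORT = 853  # DNS over TLS

# Constructed resolver log (assumed format): "<timestamp> <client> query <qname>"
DNS_LOG = """\
2020-08-26T20:00:01 10.0.0.12 query www.example.com
2020-08-26T20:00:02 10.0.0.12 query chrome.cloudflare-dns.com
2020-08-26T20:00:05 10.0.0.40 query dns.google.com.
2020-08-26T20:00:07 10.0.0.55 query intranet.corp.example
"""

# Constructed connection log (assumed format): "<timestamp> <src> -> <dst>:<port> <proto>"
CONN_LOG = """\
2020-08-26T20:00:03 10.0.0.12 -> 198.51.100.7:443 tcp
2020-08-26T20:00:09 10.0.0.77 -> 192.0.2.1:853 tcp
2020-08-26T20:00:10 10.0.0.55 -> 203.0.113.9:443 tcp
"""

DNS_RE = re.compile(r"^\S+ (\S+) query (\S+)$")
CONN_RE = re.compile(r"^\S+ (\S+) -> \S+:(\d+) \S+$")


def find_encrypted_dns_users(dns_log: str, conn_log: str) -> Dict[str, Set[str]]:
    """Return {client_ip: {reasons}} for clients that looked up a known DoH
    hostname (the plain-DNS lookup a DoH client cannot avoid) or opened a
    connection to TCP 853 (DoT). Clients with neither are absent."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        # Normalise case and a trailing dot so "dns.google.com." still matches.
        if m and m.group(2).lower().rstrip(".") in DOH_HOSTS:
            findings[m.group(1)].add("doh-lookup:" + m.group(2).lower().rstrip("."))
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if m and int(m.group(2)) == DOT_PORT:
            findings[m.group(1)].add("dot-port-853")
    return dict(findings)


if __name__ == "__main__":
    for client, reasons in sorted(find_encrypted_dns_users(DNS_LOG, CONN_LOG).items()):
        print(client, sorted(reasons))
```

    Feeding the flagged clients to a firewall or web-filter rule (block the DoH FQDNs at the resolver and TCP 853 at the edge) forces DNS back through the gateway; hosts that hard-code a resolver IP still need the port-based rule.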

  3. #3 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,024)

    I've found Threat Prevention has done a decent job of catching DoH. I haven't mucked with DoT much yet.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4 Master Untangler (Join Date: Dec 2008, Location: Greater Omaha Area, Posts: 253)

    Haven't looked at that yet. I see it's not a free app, but I don't see it listed under the Individual Apps to purchase. Is it only included with the Complete Package?

  5. #5 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,024)

    Yes, for now... and I'm not entirely sure why.

  6. #6 Newbie (Join Date: Aug 2020, Posts: 5)

    Quote originally posted by sky-knight:
    > I've found Threat Prevention has done a decent job of catching DoH. I haven't mucked with DoT much yet.

    I can confirm that it definitely catches Google DoH. I only recently installed Untangle, so I am watching my reporting with more diligence than I likely will be doing in another month. I was shocked to see over 400 blocked events in the Threat Prevention report. Upon investigation, it turned out to be the Chrome browser on my desktop reaching out to dns.google.com via HTTPS. I had no idea how that even got enabled on my browser, as I was under the impression it was "opt-in" on Chrome.

    I was impressed that the default install of Threat Prevention caught that. I immediately went to the Untangle store to license the feature (I am still in the eval license period) and was disappointed to see it only comes bundled with the Complete version. No standalone license available.

    Fun stuff.

    David

  7. #7 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,024)

    It's containing my Firefox's insistence on using Cloudflare as well. Both browsers use DoH by default now.

  8. #8 Master Untangler (Join Date: May 2010, Location: Texas, USA, Posts: 712)

    Didn't know it would do that. Neat.

    But alas, I'm just a Luddite home user and can't have Threat Prevention.
