Gotcha :) On Wed, Oct 2, 2019 at 10:41 PM Vadim Pavlov <pvm_...@mail.ru> wrote:
> You didn’t get the sarcasm in the previous email :) > The issue is that you can not 100% block DoH w/o blocking HTTPs. You may > block well-known domains and IPs but there are many unknown and for > targeted attacks new servers can be created even behind legit (but > compromised) websites. > > Vadim > > On Oct 2, 2019, at 10:04, Blason R <blaso...@gmail.com> wrote: > > Block 443? Not even possible since most of the portals/web servers now a > days works on TCP/443 > > On Wed, Oct 2, 2019 at 6:57 PM Alan Clegg <a...@clegg.com> wrote: > >> On 10/2/19 8:00 AM, Blason R wrote: >> > Hmm that is a good idea to block the DOH queries but what I understood >> > is blocking on perimeter level would be more appropriate. >> >> To nullify the abilities of DoH, you can block port TCP/443. >> >> That is pretty much guaranteed to keep DoH from working, but you may >> want to test this solution in the lab before you deploy widely. >> >> This method of controlling DoH may have side-effects. >> >> AlanC >> _______________________________________________ >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to >> unsubscribe from this list >> >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users >> > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > > >
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users