Ted Lemon wrote on 2019-02-12 14:20:
> ...
> So you’re saying that DoH traffic that’s not going to well-known IP
> addresses is easier to detect than DoH traffic going to well-known IP
> addresses?
yes, that's what i've been trying to say. if CF only publishes DoH
content on 1.0.0.0/23, then i can just block that, and leave their main
HTTPS server addresses alone. same for google, opendns/umbrella/cisco,
ibm, and the others. one of my networks only allows TCP/443 to
explicitly enumerated destinations... one of which is the main service
address for google. i need that to never contain DoH traffic, please.
note, i prefer to block UDP/53, TCP/53, and TCP/853, because then my
risks are lower, and my costs for managing those risks also lower. and
that's why DoT is a better _engineered_ solution than DoH. i remember a
time when the IAB would have said "no" to an internet standard which
mandated deliberate loss of control by network operators. hey you kids,
get offa my lawn, and so on.
--
P Vixie
_______________________________________________
DNSOP mailing list
dnsop@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
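The network policy described in the reply above, as an added Python example that is not part of the original post and does not reflect any named operator's real configuration: it encodes the three rules the reply lists (block UDP/53, TCP/53 and TCP/853; block TCP/443 to prefixes a resolver operator has published as DoH-only; allow TCP/443 only to explicitly enumerated destinations) and applies them to constructed flow records. Every address is an assumption: "1.0.0.0/23" is the reply's own hypothetical, the rest is RFC 5737 documentation space, and the local-resolver exception for port 53/853 is my assumption about how such a network would still resolve names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# All inputs below are constructed for this example; they are not the author's
# real configuration and make no claim about any provider's actual addressing.

# Address blocks a resolver operator has published as DoH-only service
# addresses. "1.0.0.0/23" is the post's hypothetical Cloudflare case;
# 198.51.100.0/24 is RFC 5737 documentation space standing in for another vendor.
DOH_ONLY_PREFIXES = [ipaddress.ip_network(p) for p in ("1.0.0.0/23", "198.51.100.0/24")]

# Explicitly enumerated destinations to which TCP/443 is permitted at all
# (the post's "only allows TCP/443 to explicitly enumerated destinations").
# 203.0.113.0/24 is also documentation space.
ALLOWED_HTTPS_DESTINATIONS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "203.0.113.11")}

# Assumption: the operator runs a local recursive resolver and classic DNS/DoT
# to it stays allowed; only 53/853 to anything else is blocked.
LOCAL_RESOLVER = ipaddress.ip_address("192.0.2.53")

DNS_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 853)}


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    dst: str    # destination IPv4/IPv6 address as text
    dport: int  # destination port


def classify(flow: Flow) -> str:
    """Return the policy verdict for one outbound flow.

    Verdicts: "allow", "drop-dns" (Do53/DoT to a foreign resolver),
    "drop-doh-prefix" (TLS to a published DoH-only block), "drop-443-unlisted"
    (TLS to a destination not on the allowlist), "drop-default" (everything else).
    """
    dst = ipaddress.ip_address(flow.dst)
    key = (flow.proto.lower(), flow.dport)

    if key in DNS_PORTS:
        return "allow" if dst == LOCAL_RESOLVER else "drop-dns"

    if key == ("tcp", 443):
        if any(dst in net for net in DOH_ONLY_PREFIXES):
            return "drop-doh-prefix"
        return "allow" if dst in ALLOWED_HTTPS_DESTINATIONS else "drop-443-unlisted"

    return "drop-default"


def apply_policy(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Evaluate every flow and pair it with its verdict."""
    return [(f, classify(f)) for f in flows]


# Constructed sample flows, one per verdict plus the case the post worries
# about: a DoH session to an allowlisted HTTPS address looks exactly like
# permitted web traffic to this policy and is allowed.
SAMPLE_FLOWS = [
    Flow("udp", "192.0.2.53", 53),      # Do53 to the local resolver
    Flow("tcp", "1.0.0.1", 853),        # DoT to a foreign resolver
    Flow("tcp", "1.0.0.1", 443),        # DoH to a published DoH-only block
    Flow("tcp", "203.0.113.10", 443),   # HTTPS (or DoH) to an enumerated destination
    Flow("tcp", "198.51.100.77", 443),  # DoH on another vendor's published block
    Flow("tcp", "203.0.113.99", 443),   # HTTPS to an unlisted destination
    Flow("tcp", "203.0.113.10", 8443),  # non-443 TLS port: default deny
]

if __name__ == "__main__":
    for flow, verdict in apply_policy(SAMPLE_FLOWS):
        print(f"{flow.proto}/{flow.dport:<4} -> {flow.dst:<16} {verdict}")
```

The fourth sample flow is the limit the reply is pointing at: once a provider serves DoH from the same address as its general HTTPS service, and that address is on the allowlist, this policy has nothing left to match on, which is why the reply asks that the enumerated service address never carry DoH.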