Hello *,

for detecting DNS over HTTPS traffic without interfering with the connection, perhaps these articles might be helpful:

- https://dshield.org/forums/diary/Is+it+Possible+to+Identify+DNS+over+HTTPs+Without+Decrypting+TLS/25616
- https://dshield.org/forums/diary/More+DNS+over+HTTPS+Become+One+With+the+Packet+Be+the+Query+See+the+Query/25628

Thanks, and best regards,
Peter Müller

> Hi Erik,
>
> On Mon, Feb 17, 2020 at 06:07:59PM +0000, Erik Lauritsen wrote:
> | Hi,
> |
> | Is a DNS over HTTPS recognizable somehow so that it can be fingerprinted
> | and redirected or blocked using pf?
>
> I haven't studied this in close detail, but since it's just a "normal"
> (albeit generally small) HTTPS request, I doubt they can be easily
> fingerprinted. But I wonder: what is your interest?
>
> My concern is not users using safe (encrypted) transports for their
> DNS lookups, but users unwittingly sending their data to certain large
> companies. To that end I've populated a table in pf with IP addresses
> from https://en.wikipedia.org/wiki/Public_recursive_name_server and
> simply have
>
>     block out log from any to <openrecursor>
>
> to prevent anyone on the local network from accessing them. Some of
> them are more popular than others but it works well enough:
>
>     # pfctl -vvt openrecursor -T show | awk '/\[/ {p+=$4; b+=$6} END {print p, b}'
>     14672 1100046
>
> so 14672 packets / 1100046 bytes blocked to these open recursors.
> Note that the rule blocks both DoH as well as 'normal' DNS or DoT
> requests.
>
> | I am thinking about the ability of PF to detect when requests are coming from
> | a windows machine for example.
>
> OS fingerprinting looks at TCP characteristics; DoH requests are
> inside an encrypted transport and (probably) hard to discern from
> 'normal' HTTPS traffic.
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
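As an added example (not from the thread), here is a shell snippet that parses `pfctl -vvt openrecursor -T show` output and breaks the Out/Block counters down per resolver address, so an operator can see which open recursors hosts on the LAN keep trying to reach rather than only the grand total. The input is a constructed sample whose totals are chosen to match the figure quoted above; the table name `openrecursor` is the one used in the thread.

```shell
#!/bin/sh
# Constructed sample of `pfctl -vvt openrecursor -T show` output (not real data).
# Address lines are a single field; counter lines carry a direction/action label in $1.
SAMPLE='   1.1.1.1
   Cleared:     Mon Feb 17 18:07:59 2020
   In/Block:    [ Packets: 0                  Bytes: 0                  ]
   In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   Out/Block:   [ Packets: 9000               Bytes: 700000             ]
   Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   8.8.8.8
   Cleared:     Mon Feb 17 18:07:59 2020
   In/Block:    [ Packets: 0                  Bytes: 0                  ]
   In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   Out/Block:   [ Packets: 5000               Bytes: 350000             ]
   Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   2606:4700:4700::1111
   Cleared:     Mon Feb 17 18:07:59 2020
   In/Block:    [ Packets: 0                  Bytes: 0                  ]
   In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   Out/Block:   [ Packets: 672                Bytes: 50046              ]
   Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

# Same totals as the one-liner in the thread: sum $4 (packets) and $6 (bytes)
# of every counter line, regardless of direction or action.
blocked_total() {
    printf '%s\n' "$SAMPLE" | awk '/\[/ {p+=$4; b+=$6} END {print p, b}'
}

# Per-address Out/Block counters, busiest resolver first.
# NF==1 identifies an address line (IPv4 or IPv6); Out/Block: lines are then
# attributed to the most recently seen address.
blocked_per_address() {
    printf '%s\n' "$SAMPLE" | awk '
        NF == 1            { addr = $1; next }
        $1 == "Out/Block:" { printf "%s %s %s\n", addr, $4, $6 }
    ' | sort -k2,2nr
}

# On a live firewall, replace the SAMPLE pipeline with the real command, e.g.
#   pfctl -vvt openrecursor -T show | awk ...
blocked_total
blocked_per_address
```

Running it prints the combined total (14672 1100046) followed by one line per address, with 1.1.1.1 at the top of the constructed sample.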