Gotcha :)

On Wed, Oct 2, 2019 at 10:41 PM Vadim Pavlov <[email protected]> wrote:

> You didn’t get the sarcasm in the previous email :)
> The issue is that you can not 100% block DoH w/o blocking HTTPS. You may
> block well-known domains and IPs but there are many unknown and for
> targeted attacks new servers can be created even behind legit (but
> compromised) websites.
>
> Vadim
>
> On Oct 2, 2019, at 10:04, Blason R <[email protected]> wrote:
>
> Block 443? Not even possible since most of the portals/web servers
> nowadays work on TCP/443
>
> On Wed, Oct 2, 2019 at 6:57 PM Alan Clegg <[email protected]> wrote:
>
>> On 10/2/19 8:00 AM, Blason R wrote:
>> > Hmm that is a good idea to block the DOH queries but what I understood
>> > is blocking on perimeter level would be more appropriate.
>>
>> To nullify the abilities of DoH, you can block port TCP/443.
>>
>> That is pretty much guaranteed to keep DoH from working, but you may
>> want to test this solution in the lab before you deploy widely.
>>
>> This method of controlling DoH may have side-effects.
>>
>> AlanC
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> [email protected]
>> https://lists.isc.org/mailman/listinfo/bind-users
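An added example, not part of the thread or of any poster's code: the "block well-known domains" approach applied to resolver query logs, showing what a name list catches and what it cannot. It assumes DoH clients first look up the DoH server's hostname through the local resolver and that logs are in BIND query-log style; the hostname list, log lines and function names are constructed for illustration.

```python
import re

# A few publicly documented DoH resolver hostnames. Any such list is
# incomplete by nature, which is the limitation raised in the thread.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

# BIND-style query log: "client [@0x..] IP#port (qname): query: qname IN TYPE ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r".*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def is_listed(qname, blocklist=KNOWN_DOH_HOSTS):
    """True if qname equals a listed host or is a subdomain of one."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def doh_lookups(lines):
    """Return (client_ip, qname) for each logged query that hits the list."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_listed(m.group("qname")):
            hits.append((m.group("ip"), m.group("qname").rstrip(".").lower()))
    return hits

# Constructed sample log lines (documentation addresses, made-up hosts).
SAMPLE_LOG = [
    "02-Oct-2019 10:41:07.101 client @0x7f2a1c0 192.0.2.10#53211 "
    "(dns.google): query: dns.google IN A +E(0)K (192.0.2.1)",
    "02-Oct-2019 10:41:09.442 client @0x7f2a1c0 192.0.2.11#40122 "
    "(Mozilla.Cloudflare-DNS.com): query: Mozilla.Cloudflare-DNS.com IN AAAA + (192.0.2.1)",
    "02-Oct-2019 10:41:12.870 client @0x7f2a1c0 192.0.2.12#38810 "
    "(www.example.org): query: www.example.org IN A + (192.0.2.1)",
    # Stands in for a DoH endpoint nobody has listed, e.g. one hosted
    # behind an ordinary website: indistinguishable from normal traffic here.
    "02-Oct-2019 10:41:15.003 client @0x7f2a1c0 192.0.2.13#51877 "
    "(blog.example.net): query: blog.example.net IN A + (192.0.2.1)",
    "02-Oct-2019 10:41:16.500 general: info: zone example.org/IN: loaded serial 2019100201",
]

if __name__ == "__main__":
    for ip, qname in doh_lookups(SAMPLE_LOG):
        print(f"{ip} looked up known DoH host {qname}")
```

The two listed resolvers are reported; the lookup for the unlisted host passes like any other name, so the list narrows DoH use rather than ruling it out.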

