Ted Hardie wrote on 2019-03-11 10:02:
...
>> no other off-network RDNS is reachable by malware which somehow gets
>> into my network,
> I interpret this to mean that you have blocked DNS over TLS's well-known
> port (853), so that Quad9 and other services offering it are not
> accessible. Is that correct, or do you mean something more extensive?
that's it. before DoH, it was possible to outlaw off-net 53 and 853
except when coming from my local RDNS servers, because unlike DoH, those
protocols are not designed to prevent on-path interference.
> As several other folks have pointed out, roll-your-own resolution is in
> some pretty widely used applications, but I'm not aware of any
> comprehensive list or any way to block that short of removing the
> applications once found. Is there a technique here I'm not aware of?
famously, my chromecast ultra would not let itself out of setup mode
until it was allowed to reach 8.8.8.8 on UDP/53.
https://www.businessinsider.com/paul-vixie-blasts-google-chromecast-2019-2
my solution was to operate a server on 8.8.8.8 (and 8.8.4.4, and
9.9.9.9, and 1.1.1.1) locally.
DoH will moot that approach. (by design.) i'm studying my alternatives,
since i also use 'dnstap' to detect behavioural abnormalities, and DNS
RPZ for parental (and botnet, and IoT) controls. it won't be pretty and
it won't be cheap. (by design.)
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
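The egress policy Paul describes above (off-net 53 and 853 allowed only from the local RDNS, hard-coded public resolvers answered locally, nothing possible for DoH) written out as an nftables ruleset. This is an added example, not Paul Vixie's configuration and not from the thread: it uses DNAT to redirect 8.8.8.8-style queries to the local resolver instead of hosting a server on those addresses, and it assumes placeholder values (LAN 192.0.2.0/24, local RDNS at 192.0.2.53, WAN interface wan0, IPv4 only) on a router that forwards the LAN's traffic.

```shell
#!/bin/sh
# Added example (not from the DNSOP thread): nftables egress policy for DNS.
# Assumed placeholders; override via environment: LAN_NET, LOCAL_RDNS, WAN_IF.
# Usage as root:  sh this_script.sh | nft -f -
LAN_NET="${LAN_NET:-192.0.2.0/24}"      # assumed LAN prefix (RFC 5737 range)
LOCAL_RDNS="${LOCAL_RDNS:-192.0.2.53}"  # assumed address of the local resolver
WAN_IF="${WAN_IF:-wan0}"                # assumed upstream interface name
# Public resolvers some devices hard-code (the Chromecast case above uses 8.8.8.8).
HARDCODED_RESOLVERS="8.8.8.8, 8.8.4.4, 9.9.9.9, 1.1.1.1"

# Emit a complete nftables table implementing the policy.
egress_dns_ruleset() {
cat <<EOF
table inet dns_egress {
    set hardcoded_resolvers {
        type ipv4_addr
        elements = { $HARDCODED_RESOLVERS }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # A device insisting on 8.8.8.8:53 is handed the local RDNS instead.
        ip saddr $LAN_NET ip daddr @hardcoded_resolvers meta l4proto { tcp, udp } th dport 53 dnat ip to $LOCAL_RDNS
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin case: if the resolver sits on the same LAN as the client, the
        # redirected query must be source-NATed so the reply comes back through
        # this box and is un-DNATed. Only DNATed flows are masqueraded, so
        # ordinary queries keep their real client address in dnstap logs.
        ip daddr $LOCAL_RDNS ct status dnat masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Only the local RDNS may speak Do53 / DoT to the outside world.
        oifname "$WAN_IF" ip saddr $LOCAL_RDNS meta l4proto { tcp, udp } th dport { 53, 853 } accept
        oifname "$WAN_IF" meta l4proto { tcp, udp } th dport { 53, 853 } counter drop
        # DoH rides TCP/443 like any other HTTPS flow; no rule here can pick it out,
        # which is the point made in the message above.
    }
}
EOF
}

egress_dns_ruleset
```

The `counter` on the drop rule gives a cheap signal that something on the LAN is trying to bypass the local resolver; `nft list chain inet dns_egress forward` shows the count. Nothing in this ruleset addresses DoH: a client that resolves over 443 to a public DoH endpoint is indistinguishable at this layer from any other TLS session, so the dnstap and RPZ controls mentioned above are simply not consulted.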