Hi Erik,

On Mon, Feb 17, 2020 at 06:07:59PM +0000, Erik Lauritsen wrote:
| Hi,
| 
| Is a DNS over HTTPS recognizable somehow so that it can be fingerprinted
| and redirected or blocked using pf?

I haven't studied this in close detail, but since it's just a "normal"
(albeit generally small) HTTPS request, I doubt they can be easily
fingerprinted.  But I wonder: what is your interest?

My concern is not users using safe (encrypted) transports for their
DNS lookups, but users unwittingly sending their data to certain large
companies.  To that end I've populated a table in pf with IP addresses
from https://en.wikipedia.org/wiki/Public_recursive_name_server and
simply have

        block out log from any to <openrecursor>

to prevent anyone on the local network from accessing them.  Some of
them are more popular than others but it works well enough:

# pfctl -vvt openrecursor -T show | awk '/\[/ {p+=$4; b+=$6} END {print p, b}'
14672 1100046

so 14672 packets / 1100046 bytes blocked to these open recursors.
Note that the rule blocks both DoH and 'normal' DNS or DoT
requests.

| I am thinking about the ability of PF to detect when requests are coming from
| a windows machine for example.

OS fingerprinting looks at TCP characteristics; DoH requests are
inside an encrypted transport and (probably) hard to discern from
'normal' HTTPS traffic.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
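As an added worked example (mine, not Paul's or Erik's), here is the table-based approach from the reply with the counter readout broken down per address. The pf.conf lines, the file path /etc/pf/openrecursor, the 'quick' keyword and the three sample resolver addresses are assumptions of this example; the layout of the pfctl -vvt ... -T show output is the one OpenBSD's pfctl prints, but the numbers are constructed so the parsing part runs without pf.

```shell
#!/bin/sh
# Added example (not from the original mail): count what a pf table of
# open recursors has blocked, per address and in total. Only the pf.conf
# fragment and reload_table() need pf; the parsing runs offline against
# constructed sample output.
#
# pf.conf fragment this script assumes (table name from the mail; file
# path and the 'quick' keyword are assumptions):
#
#   table <openrecursor> persist file "/etc/pf/openrecursor"
#   block out log quick from any to <openrecursor>
#
# /etc/pf/openrecursor holds one address or prefix per line, e.g. the
# resolvers listed on the Wikipedia page. The addresses below are
# illustrative sample entries, not a recommended list.

# Replace the table contents from the file without a full ruleset reload.
# Needs root on an OpenBSD host; not invoked by the offline sample run.
reload_table() {
    pfctl -t openrecursor -T replace -f /etc/pf/openrecursor
}

# Constructed stand-in for `pfctl -vvt openrecursor -T show`. The layout
# (address line, then Cleared/In/Out counter lines) follows what pfctl
# prints on OpenBSD; the numbers are made up.
sample_pfctl_output() {
    cat <<'EOF'
   8.8.8.8
	Cleared:     Mon Feb 17 10:00:00 2020
	In/Block:    [ Packets: 0                  Bytes: 0                  ]
	In/Pass:     [ Packets: 0                  Bytes: 0                  ]
	Out/Block:   [ Packets: 9000               Bytes: 700000             ]
	Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   1.1.1.1
	Cleared:     Mon Feb 17 10:00:00 2020
	In/Block:    [ Packets: 0                  Bytes: 0                  ]
	In/Pass:     [ Packets: 0                  Bytes: 0                  ]
	Out/Block:   [ Packets: 5000               Bytes: 380000             ]
	Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   9.9.9.9
	Cleared:     Mon Feb 17 10:00:00 2020
	In/Block:    [ Packets: 0                  Bytes: 0                  ]
	In/Pass:     [ Packets: 0                  Bytes: 0                  ]
	Out/Block:   [ Packets: 672                Bytes: 20046              ]
	Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
EOF
}

# Per-address Out/Block counters: "addr packets bytes", one line each.
# A line with a single field is an address (or prefix); on the counter
# lines the number after "Packets:" is $4 and the one after "Bytes:" is
# $6. Only Out/Block is summed, so a later 'in' or 'pass' rule on the
# same table would not get mixed into the count.
out_block_per_addr() {
    awk 'NF == 1 { addr = $1; next }
         $1 == "Out/Block:" { print addr, $4, $6 }'
}

# Same, sorted by blocked packets, most popular resolver first.
top_blocked() {
    out_block_per_addr | sort -k2,2nr
}

# Totals across the whole table: "packets bytes".
out_block_total() {
    awk '$1 == "Out/Block:" { p += $4; b += $6 } END { print p, b }'
}

# Offline demonstration on the constructed sample.
sample_pfctl_output | top_blocked
sample_pfctl_output | out_block_total
# On a live firewall: pfctl -vvt openrecursor -T show | top_blocked
```

The one-liner in the mail sums every counter line containing '['; with a single 'block out' rule only Out/Block is ever non-zero, so the result is the same, but filtering on the Out/Block line keeps the figure meaningful if other rules later reference the table. Since the table matches on destination address only, it has to be refreshed as the public-resolver list changes, which is what `pfctl -T replace` is for.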
