On Mon, Feb 17, 2020 at 1:19 PM Erik Lauritsen <eriklaurit...@yandex.com> wrote:
> Is a DNS over HTTPS recognizable somehow so that it can be fingerprinted
> and redirected or blocked using pf?
>
> I am thinking about the ability of PF to detect when requests are coming from
> a windows machine for example.
As Paul asked, what's the reason behind your question? Privacy? The solution for you depends on how much work you want to do and what you have for a network, devices, and applications.

Blocking requests is a reasonable solution with some caveats. Remember that you'd have to keep the configuration updated, though probably infrequently. Applications and devices may use their own factory-set DNS settings and not those specified by your DHCP server, so they may fail if they can't connect to a server blocked in pf(4). This means that some things you can't fully configure, like IOT devices, TVs, game consoles, or that one thing your boss likes, may not work or may not work after a future update. This isn't as much of a problem if the network can be segmented so that the pf(4) rules apply to only certain devices, but it does involve a little extra work.

Redirecting or relaying the request requires some form of deep packet inspection since the requests are encrypted. This also requires a local certificate authority that is trusted by the devices on the network, which may not be possible for everything on it. Devices like those listed above may fail. Again, this may not be an issue if you can segment your network so that you're only relaying the requests from the devices that you can install the local CA certificate on, but I'm not sure if a program to relay DoH requests exists anyway.

As far as I'm aware, "enterprise policies" can be used to disable DoH in some OSes and applications. All devices and applications have to support them and be configured to use them to fully block them. Things that don't support them will get through.

Again, you have to think about your situation and what you want to accomplish. If the above shortcomings are okay with you, pick the one that works best for your situation.
That said, this is what I do personally for my own network: I don't knowingly use any devices, OSes, or applications on my network that use DoH other than Firefox, and all my main devices--desktop, laptop, phone, tablet--are known to obey the DNS settings from dhcpd(8). My network is also segmented.

My current "works well enough for me" solution to cover Firefox without changing its settings on every device is to add this to my unbound.conf(5):

# By default, disable DoH for Firefox.
# https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
local-zone: "use-application-dns.net" always_nxdomain

This means that all the things I really care about privacy-wise with regards to DoH are fine. Be aware that Firefox apparently still uses DoH if the setting is turned on in its preferences. For what it's worth, the OpenBSD port of Firefox disables DoH by default.

Tim
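A way to confirm from a client's point of view that the unbound.conf(5) canary zone above is actually in effect, as an added example that is not part of Tim's message or of OpenBSD: it builds a plain UDP DNS query for use-application-dns.net, sends it to the resolver named on the command line, and reports whether the reply is NXDOMAIN, which is what the always_nxdomain local-zone produces. The resolver address 127.0.0.1 and the transaction id are assumed defaults chosen for this example.

```python
"""Check whether a resolver answers the Firefox DoH canary with NXDOMAIN."""
import socket
import struct
import sys

CANARY = "use-application-dns.net"   # canary name from the unbound.conf(5) line above
NXDOMAIN = 3                         # DNS RCODE "name error"
TXID = 0x1234                        # assumed fixed transaction id for this example


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a minimal DNS query (QTYPE A, QCLASS IN, RD set) for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def rcode_of(response: bytes, expected_txid: int = TXID) -> int:
    """Return the RCODE of a DNS response after checking id and QR bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F


def canary_disabled(response: bytes) -> bool:
    """True when the resolver returned NXDOMAIN, i.e. the canary zone is active."""
    return rcode_of(response) == NXDOMAIN


def query_resolver(server: str, name: str = CANARY, timeout: float = 3.0) -> bytes:
    """Send one UDP query to server:53 and return the raw response bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return data


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default
    active = canary_disabled(query_resolver(resolver))
    print(f"{CANARY} via {resolver}: "
          + ("NXDOMAIN, canary active" if active else "resolves, canary NOT active"))
```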