Hi Jonathan, the problem is: can you even see the HTTP being exchanged? This requires TLS interception.
If you can, then it's relatively easy: you can filter on (untested):

    # POST form of RFC 8484: the request body is a DNS message
    acl doh_post_ct req_header Content-Type -i application/dns-message
    # GET form of RFC 8484: /dns-query?dns=<base64url-encoded DNS message>
    acl doh_path_rfc8484 urlpath_regex ^/dns-query
    acl doh_query_rfc8484 urlpath_regex dns=
    # JSON API (application/dns-json), typically served at /resolve
    acl doh_path_json urlpath_regex ^/resolve

    http_access deny doh_post_ct
    http_access deny doh_path_json
    http_access deny doh_path_rfc8484 doh_query_rfc8484

If, however, you cannot inspect the HTTP payload in TLS, your only option is to blacklist all DoH providers by DNS name.

On Sat, Jan 11, 2025 at 1:32 AM <jonathanlee...@gmail.com> wrote:
> acl deny_rep_mime_doh rep_mime_type application/dns-message
>
> for example would this work? I could get rid of a huge list and save memory if this solves my whack-a-mole problem. I do not see anything on the Squid website but in theory that could resolve it right?
>
> -----Original Message-----
> From: jonathanlee...@gmail.com <jonathanlee...@gmail.com>
> Sent: Friday, January 10, 2025 2:54 PM
> To: 'squid-users' <squid-users@lists.squid-cache.org>
> Subject: RE: Squid url redirector and DoH
>
> I have this hare-brained idea to use the media type and get rid of the endless list.
>
> Could this work?
>
> https://www.iana.org/assignments/media-types/media-types.xhtml
>
> This lists mime types for DoH with RFC 8484 and 8427 so technically could I just create a mime block for DoH and stop creating endless lists?
>
> https://www.iana.org/assignments/media-types/application/dns-message
> https://www.iana.org/assignments/media-types/application/dns+json
>
> https://wiki.squid-cache.org/ConfigExamples/BlockingMimeTypes
>
> -----Original Message-----
> From: Jonathan Lee <jonathanlee...@gmail.com>
> Sent: Friday, January 10, 2025 2:38 PM
> To: squid-users <squid-users@lists.squid-cache.org>
> Subject: Squid url redirector and DoH
>
> Hello fellow Squid users, can you please help? I have been wondering about this for years; I have a massive block list with DoH servers. Do you really need to block DoH if you want Squid to use a specific DNS? Let's say you are using DNS over TLS to Google or Cloudflare and your system sometimes wants the DoH one.one.one.one: is blocking that URL really needed? My list is so big it is like playing whack-a-mole with DoH. If I block it I see all the URL requests; if not, I see IP addresses sometimes in the GET requests. I must have an ACL with thousands and thousands of DoH servers in it.
>
> What is recommended with sites that want DoH, however clients must use Squid per firewall ACLs?
>
> Sent from my iPhone
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users

--
Francesco
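As an added example (not from the thread and not Squid's own code), here is a Python classifier that applies the same three checks the ACLs above express to one intercepted request, and additionally decodes the RFC 8484 GET parameter or POST body so a log entry can record which name was looked up; the hostnames and the sample query are constructed for the demonstration.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

def decode_dns_param(value: str) -> bytes:
    # RFC 8484 sends the DNS message base64url-encoded without '=' padding; restore it first.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def qname_from_wire(msg: bytes) -> str:
    # First question name of a DNS wire-format message (questions carry no compression pointers).
    if len(msg) < 12:
        raise ValueError("DNS header truncated")
    if struct.unpack("!H", msg[4:6])[0] == 0:  # QDCOUNT
        raise ValueError("no question section")
    labels, pos = [], 12
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            return ".".join(labels) or "."
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    raise ValueError("question truncated")

def classify_doh(method: str, url: str, headers: dict, body: bytes = b""):
    # Mirrors the three Squid rules. Returns (reason, detail): reason is "rfc8484-post",
    # "rfc8484-get", "json-api" or "malformed-doh"; detail is the queried name or the error.
    content_type = {k.lower(): v for k, v in headers.items()}.get("content-type", "").split(";")[0].strip().lower()
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        if method.upper() == "POST" and content_type == "application/dns-message":
            return "rfc8484-post", qname_from_wire(body)
        if parts.path == "/dns-query" and "dns" in query:  # RFC 8484 GET form
            return "rfc8484-get", qname_from_wire(decode_dns_param(query["dns"][0]))
        if parts.path.startswith("/resolve") and "name" in query:  # JSON API
            return "json-api", query["name"][0]
    except ValueError as err:  # bad base64 (binascii.Error) or bad wire format
        return "malformed-doh", str(err)
    return None, None

def build_query(name: str) -> bytes:
    # Constructed sample input: a minimal DNS query (one A/IN question) in wire format.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

# Constructed sample: the RFC 8484 GET form a client would send for example.com.
SAMPLE_GET_URL = "https://doh.example.test/dns-query?dns=" + base64.urlsafe_b64encode(
    build_query("example.com")).rstrip(b"=").decode()
```

Feeding SAMPLE_GET_URL to classify_doh yields ("rfc8484-get", "example.com"), which is the detail the path-only ACL cannot log.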