[squid-users] Squid and DoH
Amos Jeffries
squid3 at treenet.co.nz
Sat Feb 29 09:19:48 UTC 2020
On 29/02/20 2:26 am, Andrea Venturoli wrote:
> Hello.
>
> In some corporate environment it might be desirable to have all
> clients use the internal DNS.
> This is easily done with firewalls until DNS-over-HTTP comes into play.
>
> How does Squid deal with this?

DoH is just HTTP messages like any other. Squid handles them the same way.

> How to block it?

With ACLs that identify the relevant messages:

  acl dns-query-url urlpath_regex ^/dns-query\??
  acl dns-req-message req_header Content-Type ^application/dns-message$
  acl doh_request any-of dns-query-url dns-req-message
  acl doh_reply rep_header Content-Type ^application/dns-message$

Amos
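
The ACLs in the message above only classify traffic; they block nothing until an access rule references them. The following squid.conf fragment is an added example, not part of the original post, showing one way to apply them. The `localnet` ACL name and the rule ordering are assumptions based on a stock squid.conf.

```squidconf
# ACL definitions as given in the post above
acl dns-query-url urlpath_regex ^/dns-query\??
acl dns-req-message req_header Content-Type ^application/dns-message$
acl doh_request any-of dns-query-url dns-req-message
acl doh_reply rep_header Content-Type ^application/dns-message$

# Request side: refuse DoH lookups before any rule that allows client traffic.
# http_access stops at the first matching line, so the deny must come first.
http_access deny doh_request

# Assumption: "localnet" is the client-network ACL from the stock squid.conf;
# substitute whatever ACL your configuration uses to admit clients.
http_access allow localnet
http_access deny all

# Reply side: rep_header can only be evaluated once response headers exist,
# so doh_reply belongs in http_reply_access, not http_access.
http_reply_access deny doh_reply
http_reply_access allow all

# Caveat: for https:// DoH endpoints Squid sees only a CONNECT tunnel unless
# SSL-Bump decrypts the traffic. The URL path and Content-Type matched above
# are visible only for plain HTTP or decrypted requests.
```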