[squid-users] Squid and DoH
Matus UHLAR - fantomas
uhlar at fantomas.sk
Sat Feb 29 13:17:53 UTC 2020
>On 29/02/20 2:26 am, Andrea Venturoli wrote:
>> In some corporate environments it might be desirable to have all
>> clients use the internal DNS.
>> This is easily done with firewalls until DNS-over-HTTP comes into play.
>>
>> How does Squid deal with this?
>> How to block it?
On 29.02.20 22:19, Amos Jeffries wrote:
>With ACL that identify the relevant messages:
>
> acl dns-query-url urlpath_regex ^/dns-query\??
> acl dns-req-message req_header Content-Type ^application/dns-message$
>
> acl doh_request any-of dns-query-url dns-req-message
>
> acl doh_reply rep_header Content-Type ^application/dns-message$
I guess DoH means DNS over HTTPS and thus needs sslbump enabled. The easy
but limited way would be to disable connections to publicly available DoH
servers.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.
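The two approaches discussed in this thread, put together as an added example squid.conf fragment (not Amos's or Matus's configuration, and not from the Squid project): the request/reply ACLs only work once SSL-Bump exposes the HTTP layer, while the "limited" hostname block works on the SNI alone. The CA certificate path and the host-list file are placeholders you supply.

```squid
# Added example, not from the thread. Placeholders: /etc/squid/bump-ca.pem
# (your bumping CA) and /etc/squid/doh-servers.txt (one hostname per line).

# 1. Bump TLS so the URL path and Content-Type of DoH exchanges are
#    visible to the ACLs below (without this, DoH is opaque HTTPS).
http_port 3128 ssl-bump \
    cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# 2. The "easy but limited" approach: refuse TLS to well-known public
#    DoH resolvers by SNI. The SNI is only known after peeking at step 1,
#    so the terminate rule is evaluated at step 2, before bumping.
#    Limited because any resolver not in the list passes untouched.
acl step1 at_step SslBump1
acl doh_servers ssl::server_name "/etc/squid/doh-servers.txt"
acl doh_servers_http dstdomain "/etc/squid/doh-servers.txt"

ssl_bump peek step1
ssl_bump terminate doh_servers
ssl_bump bump all

# 3. Content-based detection (RFC 8484 shape) from Amos's reply: catches
#    DoH on any host once the request is bumped. The reply check covers
#    servers that serve DoH on a non-standard path.
acl dns-query-url urlpath_regex ^/dns-query\??
acl dns-req-message req_header Content-Type ^application/dns-message$
acl doh_request any-of dns-query-url dns-req-message
acl doh_reply rep_header Content-Type ^application/dns-message$

# 4. Deny rules must precede your normal http_access allow lines;
#    denied requests appear in access.log as TCP_DENIED for auditing.
http_access deny doh_servers_http
http_access deny doh_request
http_reply_access deny doh_reply
```

Validate the syntax with `squid -k parse` before reloading; the `any-of` and `ssl::server_name` ACL types need Squid 3.5 or newer.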