[squid-users] Squid url redirector and DoH
Francesco Chemolli
gkinkie at gmail.com
Sat Jan 11 13:18:22 UTC 2025
Hi Jonathan,
the problem is: can you even see the HTTP being exchanged?
This requires TLS interception.
If you can, then it's relatively easy: you can filter on (untested)
# match the request Content-Type the client sends (a POST carrying a wire-format DNS query)
acl doh_post_ct req_mime_type -i application/dns-message
acl doh_path_rfc8484 urlpath_regex ^/dns-query
acl doh_query_rfc8484 urlpath_regex dns=
acl doh_path_json urlpath_regex ^/resolve
http_access deny doh_post_ct doh_path_json
http_access deny doh_path_rfc8484 doh_query_rfc8484
If, however, you cannot inspect the HTTP payload in TLS, your only option
is to blacklist all DOH providers by DNS name.
On Sat, Jan 11, 2025 at 1:32 AM <jonathanlee571 at gmail.com> wrote:
> acl deny_rep_mime_doh rep_mime_type application/dns-message
>
> for example would this work? I could get rid of a huge list and save
> memory if this solves my whack-a-mole problem. I do not see anything on the
> Squid website, but in theory that could resolve it, right?
>
> -----Original Message-----
> From: jonathanlee571 at gmail.com <jonathanlee571 at gmail.com>
> Sent: Friday, January 10, 2025 2:54 PM
> To: 'squid-users' <squid-users at lists.squid-cache.org>
> Subject: RE: Squid url redirector and DoH
>
> I have this hare-brained idea to use the media type and get rid of the
> endless list.
>
> Could this work?
>
> https://www.iana.org/assignments/media-types/media-types.xhtml
>
> This lists MIME types for DoH with RFC 8484 and 8427, so technically could
> I just create a MIME block for DoH and stop creating endless lists?
>
> https://www.iana.org/assignments/media-types/application/dns-message
> https://www.iana.org/assignments/media-types/application/dns+json
>
> https://wiki.squid-cache.org/ConfigExamples/BlockingMimeTypes
>
>
>
> -----Original Message-----
> From: Jonathan Lee <jonathanlee571 at gmail.com>
> Sent: Friday, January 10, 2025 2:38 PM
> To: squid-users <squid-users at lists.squid-cache.org>
> Subject: Squid url redirector and DoH
>
> Hello fellow Squid users, can you please help? I have been wondering about this
> for years. I have a massive block list with DoH servers. Do you really need
> to block DoH if you want Squid to use a specific DNS? Let's say you are
> using DNS over TLS to Google or Cloudflare, and your system sometimes
> wants the DoH one.one.one.one; is blocking that URL really needed? My list
> is so big it is like playing whack-a-mole with DoH. If I block it I see all
> the URL requests; if not, I see IP addresses sometimes in the GET requests. I
> must have an ACL with thousands and thousands of DoH servers in it.
>
> What is recommended with sites that want DoH however clients must use
> Squid per firewall ACLs?
> Sent from my iPhone
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
>
--
Francesco
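The match conditions Francesco sketches above (RFC 8484 GET with a dns= query on /dns-query, POST with Content-Type application/dns-message, and the JSON API on /resolve) can also be expressed in an external ACL helper, which is useful when the regex ACLs alone produce false positives. The following is an added example, not code from the thread or from the Squid project: it decodes the base64url dns= parameter and checks that it really is a DNS query (12-byte header, QR bit clear, at least one question) before matching, and wraps the logic in the OK/ERR line protocol of a Squid external_acl_type helper. The helper input field layout (METHOD URL CONTENT-TYPE ACCEPT, with "-" for a missing header) and the hostnames in the sample inputs are assumptions made for this example.

```python
"""Classify proxied HTTP requests as DNS-over-HTTPS (DoH) traffic.

Added example in the shape of a Squid external ACL helper: one request per
stdin line, one "OK" (is DoH) or "ERR" (is not) per line.  The field layout
"METHOD URL CONTENT-TYPE ACCEPT" is an assumption; configure the matching
external_acl_type format in squid.conf.  Only works behind TLS interception,
since otherwise the proxy never sees the HTTP request.
"""
import base64
import binascii
import sys
from urllib.parse import parse_qs, urlsplit

DOH_WIRE_CT = "application/dns-message"  # RFC 8484 media type
DOH_JSON_CT = "application/dns-json"     # JSON API media type


def looks_like_dns_wire(b64url: str) -> bool:
    """True if a base64url 'dns=' value decodes to a plausible DNS query.

    RFC 8484 sends the wire-format query base64url-encoded without padding.
    Reject values that do not decode, are shorter than the 12-byte header,
    have the QR bit set (a response, not a query) or carry no question.
    """
    try:
        raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    except binascii.Error:
        return False
    if len(raw) < 12:
        return False
    flags = int.from_bytes(raw[2:4], "big")
    qdcount = int.from_bytes(raw[4:6], "big")
    return (flags & 0x8000) == 0 and qdcount >= 1


def classify(method: str, url: str, content_type: str = "", accept: str = "") -> str:
    """Return 'doh-wire-post', 'doh-wire-get', 'doh-json' or '' (not DoH)."""
    parts = urlsplit(url)
    path = parts.path
    query = parse_qs(parts.query)
    ct = content_type.split(";", 1)[0].strip().lower()  # drop charset etc.
    method = method.upper()

    # RFC 8484 POST: the body is a wire-format DNS message.
    if method == "POST" and ct == DOH_WIRE_CT:
        return "doh-wire-post"
    # RFC 8484 GET: /dns-query?dns=<base64url wire-format query>.
    if method == "GET" and path.startswith("/dns-query") and "dns" in query:
        if any(looks_like_dns_wire(v) for v in query["dns"]):
            return "doh-wire-get"
    # JSON API (Google/Cloudflare style): /resolve?name=...; Cloudflare also
    # requires Accept: application/dns-json, Google does not.
    if path.startswith("/resolve") and ("name" in query or DOH_JSON_CT in accept.lower()):
        return "doh-json"
    return ""


def answer(line: str) -> str:
    """Map one helper input line to the external ACL reply 'OK' or 'ERR'."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"  # malformed line: fail closed for the ACL (no match)
    method, url = fields[0], fields[1]
    ct = fields[2] if len(fields) > 2 and fields[2] != "-" else ""
    accept = fields[3] if len(fields) > 3 and fields[3] != "-" else ""
    return "OK" if classify(method, url, ct, accept) else "ERR"


def helper_loop(stream_in=sys.stdin, stream_out=sys.stdout) -> None:
    """Run as a Squid helper: answer each line as it arrives."""
    for line in stream_in:
        stream_out.write(answer(line) + "\n")
        stream_out.flush()


# Constructed sample: a wire-format A query for example.com (ID 0xabcd, RD set).
SAMPLE_WIRE = bytes.fromhex("abcd01000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_QUERY = base64.urlsafe_b64encode(SAMPLE_WIRE).rstrip(b"=").decode()
SAMPLE_URL = "https://dns.example/dns-query?dns=" + SAMPLE_QUERY  # hostname is constructed

if __name__ == "__main__":
    helper_loop()
```

Pair a helper like this with an `external_acl_type` line whose format passes the method, URL and the two request headers in that order, and deny on the resulting ACL. Because the dns= value is validated as a DNS message, an unrelated URL that merely contains the substring "dns=" no longer trips the rule, which the bare urlpath_regex approach cannot distinguish.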