
thegreatwall's Introduction


What is DNS-over-HTTPS (DoH)?

DoH is a protocol introduced in 2018 as a solution to improve DNS security by encrypting queries through HTTPS. It is advertised as a way to prevent your ISP from tracking your activity, to let you bypass censorship, and to protect you against DNS data manipulation (MITM). At the start of 2020, popular browser vendors like Mozilla started turning DoH on by default in the US, and others are experimenting with it. Microsoft is also considering adding DoH to Windows 10.

But wait... isn't DoH supposed to be a good thing?

While bringing encryption is always important, including in oppressive countries, DoH isn't a bulletproof solution and may actually cause more problems than it solves. The rise of services providing DoH, especially from US companies like Google or Cloudflare, could harm your privacy by offering additional tracking capabilities (e.g. TLS session resumption, which allows a previous encrypted state to be reused for future connections to the same server and could be used to track your browser across IP address changes) and by centralizing DNS traffic into a few popular DoH resolvers.

Moreover, programs and malware could abuse public DoH providers to evade DNS filtering (such as Pi-hole) and communicate with telemetry services or command-and-control servers. See the Godlua malware.
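The evasion described above is visible on the resolver side as lookups for the DoH provider's own hostname: a client that is about to switch to an encrypted resolver still has to resolve that resolver's name through the local DNS first. The script below is an added example, not code from the thegreatwall repository; it matches a constructed sample of DoH resolver hostnames (including subdomains) against constructed dnsmasq/Pi-hole style query log lines and renders the same list in hosts format, which Pi-hole accepts as an adlist. The hostnames `doh.example-resolver.net` and the log lines are placeholders made up for the demo.

```python
"""Flag DoH resolver lookups in a dnsmasq/Pi-hole style query log and
emit a hosts-format blocklist for the same names.

Added example, not part of the thegreatwall repository. The resolver
list and the log lines are constructed for this demo; the repository
ships its own, larger provider lists.
"""
import re

# Constructed sample of DoH resolver hostnames (a small stand-in for the
# real list; the last entry is a placeholder, not a real provider).
DOH_HOSTNAMES = [
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "doh.example-resolver.net",
]

# Constructed dnsmasq/Pi-hole style query log lines.
SAMPLE_LOG = """\
Mar  3 09:12:01 dnsmasq[812]: query[A] www.wikipedia.org from 192.168.1.20
Mar  3 09:12:02 dnsmasq[812]: query[A] dns.google from 192.168.1.20
Mar  3 09:12:05 dnsmasq[812]: query[AAAA] mozilla.cloudflare-dns.com from 192.168.1.31
Mar  3 09:12:06 dnsmasq[812]: query[A] cdn.example.org from 192.168.1.31
Mar  3 09:12:09 dnsmasq[812]: query[A] doh.example-resolver.net from 192.168.1.42
"""

# "query[<type>] <name> from <client>" as dnsmasq writes it with log-queries on.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'DNS.Google.' == 'dns.google'."""
    return name.rstrip(".").lower()


def build_index(hostnames) -> set:
    """Set of normalized resolver names used for exact and suffix matching."""
    return {normalize(h) for h in hostnames}


def is_doh_name(name: str, index: set) -> bool:
    """True if name is a listed resolver or a subdomain of one.

    Matching walks label suffixes ("a.b.c" -> "a.b.c", "b.c", "c") so that
    'foo.dns.google' matches 'dns.google' while 'notdns.google' does not.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in index for i in range(len(labels)))


def find_doh_lookups(log_text: str, hostnames) -> list:
    """Return (client, name, qtype) for every query that targets a DoH resolver."""
    index = build_index(hostnames)
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_doh_name(m.group("name"), index):
            hits.append((m.group("client"), normalize(m.group("name")), m.group("qtype")))
    return hits


def hosts_blocklist(hostnames) -> str:
    """Render a hosts-format blocklist (0.0.0.0 <name>) usable as a Pi-hole adlist."""
    lines = ["# DoH resolver blocklist (constructed sample)"]
    lines.extend(f"0.0.0.0 {h}" for h in sorted(build_index(hostnames)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for client, name, qtype in find_doh_lookups(SAMPLE_LOG, DOH_HOSTNAMES):
        print(f"{client} looked up DoH resolver {name} ({qtype})")
    print(hosts_blocklist(DOH_HOSTNAMES))
```

Hostname blocking only catches clients that resolve the resolver's name through your filter; a client or malware sample that carries the resolver's IP address hardcoded never asks your DNS, which is why a firewall rule on the resolver's addresses (or on port 853 for DoT, as below) is needed alongside the name list.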

โš ๏ธ Disclaimer

These lists (updated every month) have been created for security purposes ONLY. They are not a tool to prevent your employees from bypassing the fact that you're monitoring/blocking their online activity! If you suspect your entity of doing so, consider using a VPN or Tor Browser.

You can also block port 853 for DNS over TLS (DoT).

An alternative way: increase DoH visibility

Blocking DoH entirely might not be the best approach for everyone, especially if your company wants the benefits of encrypted DNS while still being able to analyse suspicious communications. This paper demonstrates the possibility of redirecting all traffic from port 453 to PolarProxy and Security Onion, allowing you to analyse DoH traffic in unencrypted form.

Additional resources 📘

* Wall icon drawn by Eucalyp (flaticon.com)
