DNSFilter bypassed with Android (Pie) 9's Private DNS


DoT standard port is 853, which is what I'm intercepting.

However, DoH uses the standard HTTPS port, making it impossible to intercept - one of the many reasons I consider DoH to be a stupid idea - it makes proper network management/security impossible to achieve. Yes, it provides a very nice backdoor for malware to bypass security systems when accessing a C&C remote server.

I wouldn't block/intercept DoT and I would suggest that blocking DoH would be the same - as most clients will fall back to DNS without security - which could be considered by the client as a MITM attack...

This is similar to one of the popular scripts on the forum here where HTTPS was an issue looking into requests and blocking them there, which from similar platform was viewed as MITM mangling...

It's perhaps a philosophical point - but DNS runs on trust relationships - which DNSSEC, DNSCrypt, DOT, and DOH are trying to sort through different means to ensure a verifiable level of trust...

Old-school DNS and hard-coded clients, yeah, push that back to the gateway resolver, that makes sense...
 
If one plays with dnscrypt code, it could run on any port.

DNSCrypt is not supported, and should be considered as obsolete with the endorsement of DoT by the IETF.
 

You need to read up on DNSFilter to understand the reason behind what I just did. I didn't just arbitrarily decide to block DoT; I only ensured that people using DNSFilter wouldn't see it bypassed by DoT clients.

If one intends to use DoT, then they wouldn't be using DNSFilter.

If I were a system administrator enforcing the use of OpenDNS (or any other security-focussed DNS service) to a subnet of my LAN, then I wouldn't want it bypassed by DoT/DoH/etc...
 