What's new

DNSFilter bypassed with Android (Pie) 9's Private DNS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

DoT standard port is 853, which is what I'm intercepting.

However DoH uses standard HTTPS port, making it impossible to intercept - one of the many reasons I consider DoH to be a stupid idea - makes proper network management/security impossible to achieve. Yes, it provides a very nice backdoor for malware to bypass security systems when accessing a C&C remote server.

I wouldn't block/intercept DoT and I would suggest that blocking DoH would be the same - as most clients will fall back to DNS without security - which could be considered by the client as a MITM attack...

This is similar to one of the popular scripts on the forum here where HTTPS was an issue looking into requests and blocking them there, which from similar platform was viewed as MITM mangling...

It's perhaps a philosophical point - but DNS runs on trust relationships - which DNSSEC, DNSCrypt, DOT, and DOH are trying to sort through different means to ensure a verifiable level of trust...

Old-school DNS and hard-coded clients, yeah, push that back to the gateway resolver, that makes sense...
 
If one plays with dnscrypt code, it could run on any port.

DNSCrypt is not supported, and should be considered as obsolete with the endorsement of DoT by the IETF.
 
I wouldn't block/intercept DoT and I would suggest that blocking DoH would be the same - as most clients will fall back to DNS without security - which could be considered by the client as a MITM attack...

This is similar to one of the popular scripts on the forum here where HTTPS was an issue looking into requests and blocking them there, which from similar platform was viewed as MITM mangling...

It's perhaps a philosophical point - but DNS runs on trust relationships - which DNSSEC, DNSCrypt, DOT, and DOH are trying to sort through different means to ensure a verifiable level of trust...

Old-school DNS and hard-coded clients, yeah, push that back to the gateway resolver, that makes sense...

You need to read up on DNSFilter to understand the reason behind what I just did. I didn't just arbitrarily decided to block DoT, I only ensured that people using DNSFilter wouldn't see it bypassed by DoT clients.

If one intends to use DoT, then they wouldn't be using DNSFilter.

If I were a system administrator enforcing the use of OpenDNS (or any other security-focussed DNS service) to a subnet of my LAN, then I wouldn't want it bypassed by DoT/DoH/etc...
 
Similar threads
Thread starter Title Forum Replies Date
D Solved Windows doesn't resolve Android device hostnames? Asuswrt-Merlin 11

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top