Squid and DoH


Squid and DoH

Andrea Venturoli
Hello.

In some corporate environment it might be desirable to have all
clients use the internal DNS.
This is easily done with firewalls until DNS-over-HTTP comes into play.

How does Squid deal with this?
How to block it?

  bye & Thanks
        av.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid and DoH

Amos Jeffries
Administrator
On 29/02/20 2:26 am, Andrea Venturoli wrote:
> Hello.
>
> In some corporate environment it might be desirable to have all
> clients use the internal DNS.
> This is easily done with firewalls until DNS-over-HTTP comes into play.
>
> How does Squid deal with this?

DoH is just HTTP messages like any other. Squid handles them the same ways.

> How to block it?

With ACL that identify the relevant messages:

  acl dns-query-url urlpath_regex ^/dns-query\??
  acl dns-req-message req_header Content-Type ^application/dns-message$

  acl doh_request any-of dns-query-url dns-req-message

  acl doh_reply rep_header Content-Type ^application/dns-message$


Amos

Re: Squid and DoH

Matus UHLAR - fantomas
>On 29/02/20 2:26 am, Andrea Venturoli wrote:
>> In some corporate environment it might be desirable to have all
>> clients use the internal DNS.
>> This is easily done with firewalls until DNS-over-HTTP comes into play.
>>
>> How does Squid deal with this?
>> How to block it?

On 29.02.20 22:19, Amos Jeffries wrote:
>With ACL that identify the relevant messages:
>
>  acl dns-query-url urlpath_regex ^/dns-query\??
>  acl dns-req-message req_header Content-Type ^application/dns-message$
>
>  acl doh_request any-of dns-query-url dns-req-message
>
>  acl doh_reply rep_header Content-Type ^application/dns-message$

I guess DoH means DNS over HTTPS and thus needs sslbump enabled.  The easy
but limited way would be to disable connections to publicly available DoH
servers.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.
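Pulling together the ACLs Amos posted and the point Matus raised (DoH is HTTPS, so header- and path-based ACLs only fire on bumped traffic), here is an added squid.conf example; it is not from the thread or the Squid project, and the file path /etc/squid/doh-servers.txt and the ACL name step1 are assumptions:

```conf
# Added example, not from the thread: Amos's ACLs wired into access rules,
# plus Matus's caveat that DoH is HTTPS. Put these before any
# "http_access allow" lines so the deny rules are evaluated first.

# --- Option A: no SSL-Bump. Squid only sees "CONNECT resolver:443", so the
# request path and Content-Type are invisible; the destination host is the
# only thing that can be checked. Block the known public DoH resolvers.
# File path is an assumption; one domain per line, a leading dot also
# matching subdomains, e.g. ".doh-resolver.example" (placeholder).
acl doh_servers dstdomain "/etc/squid/doh-servers.txt"
http_access deny doh_servers

# --- Option B: with SSL-Bump the decrypted request line and headers are
# visible, so the message-level ACLs catch DoH to any host, listed or not.
# Peek at the TLS ClientHello first, then bump (the usual Squid pattern).
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Requests: GET/POST to the conventional /dns-query path, or any request
# whose body is declared as a DNS message.
acl dns-query-url urlpath_regex ^/dns-query\??
acl dns-req-message req_header Content-Type ^application/dns-message$
acl doh_request any-of dns-query-url dns-req-message
http_access deny doh_request

# Replies: a resolver on a non-standard path still answers with a DNS
# message body, so drop those too (http_reply_access, not http_access).
acl doh_reply rep_header Content-Type ^application/dns-message$
http_reply_access deny doh_reply
```

Option A alone is the "easy but limited" approach from the thread; only Option B catches resolvers that are not on the list, at the cost of running SSL-Bump.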

Re: Squid and DoH

Andrea Venturoli
On 2020-02-29 14:17, Matus UHLAR - fantomas wrote:

> I guess DoH means dns over https and thus needs sslbump enabled.  the easy
> but limited way would be to disable connections to publicly available DoH
> servers.

Thanks.
Is someone maintaining such a list?

  bye
        av.

Re: Squid and DoH

Andrea Venturoli
In reply to this post by Amos Jeffries
On 2020-02-29 10:19, Amos Jeffries wrote:

> With ACL that identify the relevant messages:
>
>    acl dns-query-url urlpath_regex ^/dns-query\??
>    acl dns-req-message req_header Content-Type ^application/dns-message$
>
>    acl doh_request any-of dns-query-url dns-req-message
>
>    acl doh_reply rep_header Content-Type ^application/dns-message$

Thanks a lot.
I thought maybe there was a specific ready-made keyword, but the above
is fine.

  bye
        av.

Re: [ext] Re: Squid and DoH

Ralf Hildebrandt
In reply to this post by Andrea Venturoli
* Andrea Venturoli <[hidden email]>:
> On 2020-02-29 14:17, Matus UHLAR - fantomas wrote:
>
> > I guess DoH means dns over https and thus needs sslbump enabled.  the easy
> > but limited way would be to disable connections to publicly available DoH
> > servers.
>
> Thanks.
> Is someone maintaining such a list?

There's one in the Wikipedia entry.

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
[hidden email]
https://www.charite.de


Re: [ext] Re: Squid and DoH

Ralf Hildebrandt
* Ralf Hildebrandt <[hidden email]>:

> * Andrea Venturoli <[hidden email]>:
> > On 2020-02-29 14:17, Matus UHLAR - fantomas wrote:
> >
> > > I guess DoH means dns over https and thus needs sslbump enabled.  the easy
> > > but limited way would be to disable connections to publicly available DoH
> > > servers.
> >
> > Thanks.
> > Is someone maintaining such a list?
>
> There's one in the Wikipedia entry.

In the German entry: https://de.wikipedia.org/wiki/DNS_over_HTTPS

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
[hidden email]
https://www.charite.de

Re: [ext] Re: Squid and DoH

Marcus Kool
In reply to this post by Ralf Hildebrandt
On 02/03/2020 08:46, Ralf Hildebrandt wrote:

> * Andrea Venturoli <[hidden email]>:
>> On 2020-02-29 14:17, Matus UHLAR - fantomas wrote:
>>
>>> I guess DoH means dns over https and thus needs sslbump enabled.  the easy
>>> but limited way would be to disable connections to publicly available DoH
>>> servers.
>> Thanks.
>> Is someone maintaining such a list?
> There's one in the Wikipedia entry.
>
> Ralf Hildebrandt
> Charité - Universitätsmedizin Berlin
> Geschäftsbereich IT | Abteilung Netzwerk
One can also use the URL database of URLfilterDB which includes the dnsoverhttps category.
See also https://www.urlfilterdb.com/suggestentries/lookup_url.html for an online database query.

Marcus
