[dns-operations] need recommendation for filtering outbound HTTPS
Paul Vixie
paul at redbarn.org
Sun May 12 07:10:52 UTC 2019
i see that squid is not the only forward proxy available for HTTPS now. for
example:
https://superuser.com/questions/604352/nginx-as-forward-proxy-for-https
is this the state of the art? to prevent DoH bypasses to the DNS monitoring
and policy controls (see https://dnstap.info/ and https://dnsrpz.info/) i use
on my private networks, i'm going to have to strip-search all outbound HTTPS
that goes toward any wide-area IP address known or suspected to offer DoH, and
i'm going to have to return 404 for any URI that matches a known DoH endpoint.
under TLS 1.3, with encrypted SID, none of the old transparent MiTM methods
will work any more. it's going to have to be an explicit proxy, which every
HTTPS speaker inside my network will have to import and trust a certificate
for.
while i'd be happy to learn of commercial/proprietary solutions, which i'd use
on $dayjob's corporate network, and would blog about, i also need to know how
the F/L/OSS community is solving this kind of problem today. hopefully it's
not squid, but does it really require that i run a patched version of nginx?
--
Paul
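One way to express the "return 404 for any URI that matches a known DoH endpoint" rule from the post above, as an added example that is not part of the original message or of any proxy's code: a request classifier that a decrypting explicit proxy could apply to each plaintext HTTP request. The endpoint list is a constructed placeholder (not a curated feed), and the request shapes checked are the ones RFC 8484 defines for DoH.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed placeholder list of (host, path) pairs the operator treats as
# DoH endpoints; a real deployment would feed this from its own policy data.
KNOWN_DOH_ENDPOINTS = {
    ("doh.example.net", "/dns-query"),
    ("resolver.example.org", "/dns-query"),
}
DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type


def encode_dns_param(wire: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def _decodes_to_dns_wire(b64url: str) -> bool:
    """True if the value decodes to something shaped like a DNS query."""
    try:
        raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # 12-byte DNS header; QDCOUNT (bytes 4-5) is at least 1 for a query
    return len(raw) >= 12 and int.from_bytes(raw[4:6], "big") >= 1


def doh_verdict(method: str, url: str, headers: dict, body: bytes = b""):
    """Return (404, reason) if the request should be refused as DoH,
    or (None, "allow") if it may pass through the proxy."""
    hdr = {k.lower(): v.lower() for k, v in headers.items()}
    parts = urlsplit(url)
    host = (parts.hostname or hdr.get("host", "").split(":")[0]).lower()
    path = parts.path.rstrip("/") or "/"

    # 1. Exact match against the operator's known DoH endpoints.
    if (host, path) in KNOWN_DOH_ENDPOINTS:
        return 404, "known DoH endpoint"
    # 2. DoH media type in Content-Type (POST) or Accept (GET) headers,
    #    which catches resolvers not yet on the list.
    if DOH_MEDIA_TYPE in hdr.get("content-type", "") or \
            DOH_MEDIA_TYPE in hdr.get("accept", ""):
        return 404, "DoH media type"
    # 3. GET with a dns= parameter that decodes to a DNS message.
    if method.upper() == "GET":
        for value in parse_qs(parts.query).get("dns", []):
            if _decodes_to_dns_wire(value):
                return 404, "DNS message in dns= parameter"
    return None, "allow"
```

The classifier only sees what the explicit proxy has already decrypted, so it does nothing for hosts that refuse to trust the proxy certificate; those still need the IP-level policy the post mentions.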