[dns-operations] need recommendation for filtering outbound HTTPS

Paul Vixie paul at redbarn.org
Sun May 12 07:10:52 UTC 2019

i see that squid is not the only forward proxy available for HTTPS now. for 


is this the state of the art? to prevent DoH bypasses to the DNS monitoring 
and policy controls (see https://dnstap.info/ and https://dnsrpz.info/) i use 
on my private networks, i'm going to have to strip-search all outbound HTTPS 
that goes toward any wide-area IP address known or suspected to offer DoH, and 
i'm going to have to return 404 for any URI that matches a known DoH endpoint.

under TLS 1.3, with excrypted SID, none of the old transparent MiTM methods 
will work any more. it's going to have to be an explicit proxy, which every 
HTTPS speaker inside my network will have to import and trust a certificate 

while i'd be happy to learn of commercial/proprietary solutions, which i'd use 
on $dayjob's corporate network, and would blog about, i also need to know how 
the F/L/OSS community is solving this kind of problem today. hopefully it's 
not squid, but does it really require that i run a patched version of nginx?


More information about the dns-operations mailing list