[dns-operations] [EXT] Re: need recommendation for filtering outbound HTTPS

Jacques Latour Jacques.Latour at cira.ca
Sun May 12 07:57:59 UTC 2019


From an enterprise point of view (CIRA), we decrypt all outbound SSL/TLS and created a rule to filter out http-req-headers = application/dns-message. We implemented this on our Palo FW. Seems to work. See picture: https://twitter.com/latour_jacques/status/1127469595072258049


From: dns-operations <dns-operations-bounces at dns-oarc.net> On Behalf Of Rubens Kuhl
Sent: May 12, 2019 2:51 PM
To: Paul Vixie <paul at redbarn.org>
Cc: dns-operations at lists.dns-oarc.net
Subject: [EXT] Re: [dns-operations] need recommendation for filtering outbound HTTPS


I would try ATS before resorting to Squid:
https://trafficserver.apache.org/

While I don't know if it actually works for your use case, I always found that codebase to be much cleaner than Squid.


Rubens




On 12 May 2019, at 14:10, Paul Vixie <paul at redbarn.org> wrote:

i see that squid is not the only forward proxy available for HTTPS now. for
example:

https://superuser.com/questions/604352/nginx-as-forward-proxy-for-https

is this the state of the art? to prevent DoH bypasses to the DNS monitoring
and policy controls (see https://dnstap.info/ and https://dnsrpz.info/) i use
on my private networks, i'm going to have to strip-search all outbound HTTPS
that goes toward any wide-area IP address known or suspected to offer DoH, and
i'm going to have to return 404 for any URI that matches a known DoH endpoint.

under TLS 1.3, with encrypted SNI, none of the old transparent MiTM methods
will work any more. it's going to have to be an explicit proxy, which every
HTTPS speaker inside my network will have to import and trust a certificate
for.

while i'd be happy to learn of commercial/proprietary solutions, which i'd use
on $dayjob's corporate network, and would blog about, i also need to know how
the F/L/OSS community is solving this kind of problem today. hopefully it's
not squid, but does it really require that i run a patched version of nginx?

--
Paul
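The two approaches in this thread (Jacques's rule matching the application/dns-message header after TLS termination, and Paul's plan to return 404 for known DoH endpoints from an explicit proxy) come down to a request classifier that runs inside the proxy once the TLS session has been terminated. The block below is an added illustration of that classifier, not CIRA's Palo Alto rule nor code from Paul's setup or from any proxy. The function and constant names (classify_request, build_404, KNOWN_DOH_HOSTS, KNOWN_DOH_PATHS) and the sample requests are constructed for this example. It also covers a case a header-only rule misses: the RFC 8484 GET form carries the query base64url-encoded in a ?dns= parameter, and a client that sends a bland Accept header would slip past a Content-Type/Accept match, so the classifier decodes that parameter and sanity-checks it as a DNS query before blocking.

```python
"""Added example: classify plaintext HTTP requests (seen after TLS
termination at an explicit forward proxy) as DoH or not, and build the
404 that Paul proposes returning for matched DoH endpoints.
All names, lists and sample requests here are constructed for illustration."""
import base64
import struct
from typing import Tuple
from urllib.parse import parse_qs, urlsplit

DNS_MESSAGE = "application/dns-message"
# Constructed inventory; a real deployment feeds this from the operator's
# own list of IPs/hosts "known or suspected to offer DoH".
KNOWN_DOH_HOSTS = {"doh.example.net", "dns.example.org"}
KNOWN_DOH_PATHS = {"/dns-query"}


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.1 request parser: (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def looks_like_dns_query(msg: bytes) -> bool:
    """Cheap wire-format check: 12-byte header, QR bit clear, QDCOUNT >= 1."""
    if len(msg) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return (flags & 0x8000) == 0 and qdcount >= 1


def classify_request(raw: bytes, dest_host: str) -> Tuple[bool, str]:
    """Return (block, reason). Any single DoH signal is enough to block."""
    method, target, headers, body = parse_http_request(raw)
    host = headers.get("host", dest_host).lower()
    parts = urlsplit(target)
    query = parse_qs(parts.query)

    # Jacques's rule: the media type in the request headers (POST form
    # uses Content-Type, GET form advertises it in Accept).
    if headers.get("content-type", "").lower() == DNS_MESSAGE:
        return True, "content-type"
    if DNS_MESSAGE in headers.get("accept", "").lower():
        return True, "accept"
    # Paul's rule: a known DoH endpoint (host + path).
    if host in KNOWN_DOH_HOSTS and parts.path in KNOWN_DOH_PATHS:
        return True, "known endpoint"
    # GET form with ?dns=<base64url>: decode and check it is a DNS query,
    # so an unlisted resolver with a bland Accept header is still caught.
    if method == "GET" and "dns" in query:
        param = query["dns"][0]
        try:
            wire = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
        except ValueError:
            wire = b""
        if looks_like_dns_query(wire):
            return True, "dns= parameter"
    # POST to a DoH-shaped path whose body is a DNS query but whose
    # Content-Type was mislabelled.
    if method == "POST" and parts.path in KNOWN_DOH_PATHS and looks_like_dns_query(body):
        return True, "dns-message body"
    return False, "allow"


def build_404() -> bytes:
    """The response an explicit proxy returns for a matched DoH request."""
    body = b"Not Found\n"
    return (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n"
            b"Content-Length: " + str(len(body)).encode() +
            b"\r\nConnection: close\r\n\r\n" + body)


def build_dns_query(name: str) -> bytes:
    """Constructed A query for `name` in DNS wire format (ID 0xabcd, RD set)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", 0xABCD, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"


# Constructed sample traffic.
QUERY = build_dns_query("example.com")
DNS_PARAM = base64.urlsafe_b64encode(QUERY).rstrip(b"=").decode()
SAMPLE_GET = ("GET /dns-query?dns=" + DNS_PARAM + " HTTP/1.1\r\n"
              "Host: resolver.unlisted.example\r\nAccept: */*\r\n\r\n").encode()
SAMPLE_POST = (b"POST /dns-query HTTP/1.1\r\nHost: doh.example.net\r\n"
               b"Content-Type: application/dns-message\r\n"
               b"Content-Length: " + str(len(QUERY)).encode() + b"\r\n\r\n" + QUERY)
SAMPLE_PLAIN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Accept: text/html\r\n\r\n")

if __name__ == "__main__":
    for label, req, ip in (("GET", SAMPLE_GET, "203.0.113.11"),
                           ("POST", SAMPLE_POST, "203.0.113.10"),
                           ("PLAIN", SAMPLE_PLAIN, "203.0.113.12")):
        print(label, classify_request(req, ip))
```

The classifier only sees plaintext because the proxy terminated TLS, which is the precondition both messages take for granted; it does nothing for traffic that bypasses the proxy, so the egress firewall still has to force all outbound 443 through it. The wire-format check on the ?dns= parameter is deliberately loose (header shape only) to keep false positives low on unrelated base64url query strings.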


_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations