[dns-operations] [EXT] Re: need recommendation for filtering outbound HTTPS

Grant Taylor gtaylor at tnetconsulting.net
Sun May 12 16:03:33 UTC 2019

On 5/12/19 1:57 AM, Jacques Latour wrote:
> From an enterprise point of view (CIRA), we decrypt all outbound 
> SSL/TLS and then created a rule to filter out http-req-headers = 
> application/dns-message. We implemented this on our Palo FW. Seems to 
> work.
Doesn't this require control of one of the TLS 1.3 endpoints such that 
you can specify parameters so that your MitM inspection system can get 
into the encryption stream?

I don't see how that's going to help in the scenario (as I understand 
it) that Paul is describing.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190512/15683e9f/attachment.bin>

More information about the dns-operations mailing list