[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH
gtaylor at tnetconsulting.net
Thu May 16 16:44:34 UTC 2019
On 5/16/19 12:47 AM, Mukund Sivaraman wrote:
> This is a clever idea. There are popular applications that don't use DNS.
> For an app such as Telegram, its "datacenters"  have a fixed set of
> addresses that can be whitelisted, but there are others like Bittorrent's
> DHT (Kademlia) where the addresses are not a fixed set. Any address
> based peer to peer activity such as SIP will be affected.
I wonder if there's a way to leverage IPTables' Connection Tracking as a
source of information to modify ipset(s) / recent list(s).
As I type this, I wonder if there's a way to leverage IPTables'
Connection Tracking directly for this. Presuming that the proper
helpers are in use, connection tracking has the the information and the
ability to filter (allow / deny) the traffic.
> If the filtering is limited to TCP port 443, the approach seems promising
> as almost nothing popular is going to use TLS without DNS (Telegram is
> still an exception). It seems cleverly thought of.
That's the wonderful thing about IPTables. It's trivial to take the
ITPables shaped Lego bricks and put them together any way want. }:-)
> The goal of supporters of DoH is to make interference impossible to
> perform. When the traffic is indistinguishable, it is going to be very
> difficult or impossible.
I know. But I don't like it.
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
More information about the dns-operations