[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH

Grant Taylor gtaylor at tnetconsulting.net
Thu May 16 16:44:34 UTC 2019

On 5/16/19 12:47 AM, Mukund Sivaraman wrote:
> This is a clever idea. There are popular applications that don't use DNS. 
> For an app such as Telegram, its "datacenters" [1] have a fixed set of 
> addresses that can be whitelisted, but there are others like Bittorrent's 
> DHT (Kademlia) where the addresses are not a fixed set. Any address 
> based peer to peer activity such as SIP will be affected.

I wonder if there's a way to leverage IPTables' Connection Tracking as a 
source of information to modify ipset(s) / recent list(s).

As I type this, I wonder if there's a way to leverage IPTables' 
Connection Tracking directly for this.  Presuming that the proper 
helpers are in use, connection tracking has the the information and the 
ability to filter (allow / deny) the traffic.

> If the filtering is limited to TCP port 443, the approach seems promising 
> as almost nothing popular is going to use TLS without DNS (Telegram is 
> still an exception). It seems cleverly thought of.

That's the wonderful thing about IPTables.  It's trivial to take the 
ITPables shaped Lego bricks and put them together any way want.  }:-)

> 1. 
> https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/jni/tgnet/ConnectionsManager.cpp#L1590
> The goal of supporters of DoH is to make interference impossible to 
> perform. When the traffic is indistinguishable, it is going to be very 
> difficult or impossible.

I know.  But I don't like it.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190516/b0f920a7/attachment.bin>

More information about the dns-operations mailing list