[dns-operations] [EXT] Re: need recommendation for filtering outbound HTTPS
paul at redbarn.org
Thu May 16 18:13:15 UTC 2019
On Sunday, 12 May 2019 07:57:59 UTC Jacques Latour wrote:
> From an enterprise point of view (CIRA), we decrypt all outbound SSL/TLS and
> then created a rule to filter out http-req-headers =
> application/dns-message. We implemented this on our Palo FW. Seems to work.
> See picture https://twitter.com/latour_jacques/status/1127469595072258049
to the best of my own knowledge, this requires you to force a downgrade to TLS
1.2, and some clients who "know" that the real remote server speaks TLS 1.3,
will fail. presumably in your enterprise network you can tell your employees
not to use such clients, or to stop trying to reach such servers. not all of
us will have that level of control over our client populations.
still, it's interesting, and i hope that Palo Alto Networks will release a
white paper on the specific topic of "how to block RFC 8484 DoH".
More information about the dns-operations