[dns-operations] [EXT] Re: need recommendation for filtering outbound HTTPS
Paul Vixie
paul at redbarn.org
Thu May 16 18:13:15 UTC 2019
On Sunday, 12 May 2019 07:57:59 UTC Jacques Latour wrote:
> From an enterprise point of view (CIRA), we decrypt all outbound SSL/TLS and
> then create a rule to filter out http-req-headers =
> application/dns-message. We implemented this on our Palo FW. Seems to work.
> See picture https://twitter.com/latour_jacques/status/1127469595072258049
to the best of my own knowledge, this requires you to force a downgrade to TLS
1.2, and some clients who "know" that the real remote server speaks TLS 1.3
will fail. presumably in your enterprise network you can tell your employees
not to use such clients, or to stop trying to reach such servers. not all of
us will have that level of control over our client populations.
still, it's interesting, and i hope that Palo Alto Networks will release a
white paper on the specific topic of "how to block RFC 8484 DoH".
--
Paul
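The header test the thread describes (match `application/dns-message` on decrypted outbound HTTP) can be written as a small classifier. The following is an added illustration, not code from this thread, from CIRA, or from Palo Alto Networks, and it does not use Palo Alto rule syntax. It assumes the interception proxy hands over the plaintext of individual HTTP/1.1 requests; DoH clients commonly use HTTP/2, so a real deployment would apply the same header and query-parameter checks to decoded HTTP/2 HEADERS frames instead. Both RFC 8484 request forms are covered: POST with the DNS message as the body, and GET with the message base64url-encoded in the `dns` query parameter. The sample requests are constructed for this example.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Media type registered by RFC 8484 for DNS messages carried over HTTPS.
DOH_MEDIA_TYPE = "application/dns-message"


def parse_request(raw: bytes) -> dict:
    """Split one plaintext HTTP/1.1 request into method, target, headers and body.

    Header names are lower-cased so lookups are case-insensitive, as HTTP requires.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method.upper(), "target": target, "headers": headers, "body": body}


def looks_like_dns_message(b64url: str) -> bool:
    """True if the 'dns' query value decodes (unpadded base64url, per RFC 8484)
    to at least a 12-byte DNS header."""
    padded = b64url + "=" * (-len(b64url) % 4)
    try:
        msg = base64.urlsafe_b64decode(padded)
    except (ValueError, binascii.Error):
        return False
    return len(msg) >= 12


def is_doh_request(req: dict) -> bool:
    """Classify a parsed request as an RFC 8484 DoH query or not."""
    h = req["headers"]
    # POST form: the body is the DNS message and Content-Type declares it.
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    if req["method"] == "POST" and content_type == DOH_MEDIA_TYPE:
        return True
    # GET form: the message rides in the 'dns' parameter; clients normally also
    # send Accept: application/dns-message, but we do not rely on that alone.
    if req["method"] == "GET":
        query = parse_qs(urlsplit(req["target"]).query)
        dns_values = query.get("dns", [])
        accept_ok = DOH_MEDIA_TYPE in h.get("accept", "").lower()
        if dns_values and (accept_ok or looks_like_dns_message(dns_values[0])):
            return True
    return False


# Constructed sample requests, as a decrypting proxy would see them.
SAMPLE_REQUESTS = [
    # DoH POST: flagged on Content-Type.
    b"POST /dns-query HTTP/1.1\r\nHost: doh.example\r\n"
    b"Content-Type: application/dns-message\r\nContent-Length: 33\r\n\r\n"
    + b"\x00" * 33,
    # DoH GET: the 'dns' value is the RFC 8484 example query for www.example.com.
    b"GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1\r\n"
    b"Host: doh.example\r\nAccept: application/dns-message\r\n\r\n",
    # Ordinary web traffic: not flagged.
    b"GET /index.html HTTP/1.1\r\nHost: www.example\r\nAccept: text/html\r\n\r\n",
    # JSON API call: POST, but not the DoH media type.
    b"POST /api/v1/items HTTP/1.1\r\nHost: api.example\r\n"
    b"Content-Type: application/json\r\nContent-Length: 2\r\n\r\n{}",
]


def classify_samples() -> list:
    """Return one True/False verdict per constructed sample request."""
    return [is_doh_request(parse_request(raw)) for raw in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE_REQUESTS, classify_samples()):
        print(raw.split(b"\r\n", 1)[0].decode(), "->", "DoH" if verdict else "not DoH")
```

The second GET check (decoding the `dns` value) matters because a client can omit the Accept header; matching only on `Content-Type` catches the POST form and would miss GET-based resolvers entirely. It also does nothing for clients that refuse interception, which is the TLS 1.3 point raised above.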