<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">From an enterprise point of view (CIRA), we decrypt all outbound SSL/TLS and then created a rule to filter out http-req-headers = application/dns-message.
We implemented this on our Palo FW. Seems to work. See picture </span><a href="https://twitter.com/latour_jacques/status/1127469595072258049">https://twitter.com/latour_jacques/status/1127469595072258049</a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> dns-operations <dns-operations-bounces@dns-oarc.net>
<b>On Behalf Of </b>Rubens Kuhl<br>
<b>Sent:</b> May 12, 2019 2:51 PM<br>
<b>To:</b> Paul Vixie <paul@redbarn.org><br>
<b>Cc:</b> dns-operations@lists.dns-oarc.net<br>
<b>Subject:</b> [EXT] Re: [dns-operations] need recommendation for filtering outbound HTTPS<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I would try ATS before resorting to Squid:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://trafficserver.apache.org/">https://trafficserver.apache.org/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">While I don't know if it actually works for your use case, I always found that codebase to be much cleaner than Squid. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Rubens<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 12 May 2019, at 14:10, Paul Vixie <<a href="mailto:paul@redbarn.org">paul@redbarn.org</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">i see that squid is not the only forward proxy available for HTTPS now. for
<br>
example:<br>
<br>
<a href="https://superuser.com/questions/604352/nginx-as-forward-proxy-for-https">https://superuser.com/questions/604352/nginx-as-forward-proxy-for-https</a><br>
<br>
is this the state of the art? to prevent DoH bypasses to the DNS monitoring <br>
and policy controls (see <a href="https://dnstap.info/">https://dnstap.info/</a> and
<a href="https://dnsrpz.info/">https://dnsrpz.info/</a>) i use <br>
on my private networks, i'm going to have to strip-search all outbound HTTPS <br>
that goes toward any wide-area IP address known or suspected to offer DoH, and <br>
i'm going to have to return 404 for any URI that matches a known DoH endpoint.<br>
<br>
under TLS 1.3, with excrypted SID, none of the old transparent MiTM methods <br>
will work any more. it's going to have to be an explicit proxy, which every <br>
HTTPS speaker inside my network will have to import and trust a certificate <br>
for.<br>
<br>
while i'd be happy to learn of commercial/proprietary solutions, which i'd use <br>
on $dayjob's corporate network, and would blog about, i also need to know how <br>
the F/L/OSS community is solving this kind of problem today. hopefully it's <br>
not squid, but does it really require that i run a patched version of nginx?<br>
<br>
-- <br>
Paul<br>
<br>
<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-operations mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>