Wednesday, December 4, 2019

Is this a potential way to block DNS over HTTPS, or just a dumb idea?

I'm by no means any sort of expert on DNS or DoH, so this could be all nonsense I'm writing.

That said, rather than playing whack-a-mole with blocking individual DoH providers, would something like the following theoretically work?

I'm assuming that a DoH lookup request is very small in size.

Let's assume your router has a plugin/function called "XYZ" which checks any small packets going to an IP that is not in a previously cached list of "checked IPs".

Now, can the router "hold" that initial DoH request packet while XYZ transmits its own DoH request to the destination IP? Then, if a reply is received, that IP gets put on a blacklist and the original packet is trashed. And, if no DoH reply is received, the IP is put on the previously mentioned cached list of "checked IPs", so no further checking is required for traffic going there (or at least for a time).

Would something like this work? Is this completely dumb? I'm assuming that this wouldn't break actual Cloudflare etc. sites, as those don't share the DoH IP?
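To make the proposal concrete, here is an added example (not code from the post, and not any real router plugin) of the "XYZ" decision logic: a small packet to an unknown IP is held, the IP is probed with the router's own RFC 8484 DoH query, and the IP lands on either a blacklist or a time-limited checked list. Everything is assumed or constructed: the probe name example.com, the 256-byte "small packet" threshold, the one-hour cache TTL, the port-443 filter, the IPs in the sample packet list, and the in-memory stand-in for the network that plays the DoH server. A real HTTPS probe is included for reference but is not used by the offline demo.

```python
import struct
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

PROBE_NAME = "example.com"  # assumed: any name that yields a DNS answer will do


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query for `name` (qtype 1 = A, class IN).
    RFC 8484 suggests txid 0 so DoH caches can match identical queries."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def looks_like_dns_answer(query: bytes, reply: Optional[bytes]) -> bool:
    """True if `reply` is a DNS response to `query`: same txid, QR bit set,
    and our question section echoed back at offset 12."""
    if reply is None or len(reply) < len(query):
        return False
    txid, flags = struct.unpack("!HH", reply[:4])
    return (txid == struct.unpack("!H", query[:2])[0]
            and flags & 0x8000 != 0
            and reply[12:len(query)] == query[12:])


def http_doh_probe(ip: str, query: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Real RFC 8484 POST probe to https://<ip>/dns-query (unused offline).
    Assumes the server accepts a bare IP, i.e. needs no SNI/Host name."""
    import ssl
    import urllib.error
    import urllib.request
    req = urllib.request.Request(
        f"https://{ip}/dns-query", data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as r:
            ctype = r.headers.get("Content-Type", "")
            return r.read() if ctype.startswith("application/dns-message") else None
    except (urllib.error.URLError, OSError, ValueError):
        return None  # no DoH answer: treat the IP as "checked", not blocked


class DoHProbeFilter:
    """The post's "XYZ" function: hold a small packet to an unknown IP, probe
    that IP with our own DoH query, then blacklist it (it answered DNS) or
    cache it as checked (it did not) for `ttl` seconds."""

    def __init__(self, probe: Callable[[str, bytes], Optional[bytes]],
                 small_packet: int = 256, ttl: float = 3600.0,
                 now: Callable[[], float] = time.time):
        self.probe = probe                # (dst_ip, dns_query) -> body or None
        self.small_packet = small_packet  # assumed "small" threshold, bytes
        self.ttl = ttl                    # assumed lifetime of a checked entry
        self.now = now
        self.blacklist: Set[str] = set()
        self.checked: Dict[str, float] = {}  # ip -> expiry time

    def decide(self, dst_ip: str, dst_port: int, payload_len: int) -> str:
        """Return 'drop' or 'pass' for one outbound packet."""
        if dst_ip in self.blacklist:
            return "drop"
        # Assumption: only small packets to 443 are candidates (DoH is HTTPS).
        if dst_port != 443 or payload_len > self.small_packet:
            return "pass"
        if self.checked.get(dst_ip, 0.0) > self.now():
            return "pass"
        # "Hold" the packet: the probe runs before the verdict is returned.
        query = build_dns_query(PROBE_NAME)
        if looks_like_dns_answer(query, self.probe(dst_ip, query)):
            self.blacklist.add(dst_ip)
            return "drop"
        self.checked[dst_ip] = self.now() + self.ttl
        return "pass"


def make_dns_answer(query: bytes, ip4: str) -> bytes:
    """Constructed DoH server reply: echo the question, add one A record."""
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
          + bytes(int(o) for o in ip4.split(".")))
    return hdr + query[12:] + rr


def make_fake_probe(doh_ips: Set[str]) -> Tuple[Callable, List[str]]:
    """Constructed stand-in for the network: IPs in `doh_ips` answer DoH,
    every other IP returns nothing. Also records which IPs were probed."""
    calls: List[str] = []

    def probe(ip: str, query: bytes) -> Optional[bytes]:
        calls.append(ip)
        return make_dns_answer(query, "93.184.216.34") if ip in doh_ips else None
    return probe, calls


def demo() -> Tuple[List[str], int]:
    clock = [1000.0]
    probe, calls = make_fake_probe({"203.0.113.53"})  # constructed DoH resolver IP
    f = DoHProbeFilter(probe, now=lambda: clock[0])
    packets = [
        ("203.0.113.53", 443, 120),    # DoH resolver: probed, blacklisted, dropped
        ("203.0.113.53", 443, 120),    # already blacklisted: dropped, no probe
        ("198.51.100.10", 443, 120),   # ordinary site: probed, cached, passed
        ("198.51.100.10", 443, 120),   # cached as checked: passed, no probe
        ("198.51.100.10", 443, 1400),  # large packet: never a candidate
    ]
    decisions = [f.decide(*p) for p in packets]
    clock[0] += 2 * f.ttl  # checked entry expires, so the site is probed again
    decisions.append(f.decide("198.51.100.10", 443, 120))
    return decisions, len(calls)


if __name__ == "__main__":
    print(demo())
```

Two things the demo makes visible that the prose does not. First, the probe has to run synchronously while the packet is held, so every first contact with a new IP costs a full TLS handshake plus an HTTP round trip, and the TTL decides how often that cost recurs. Second, the probe identifies a server by IP alone: a DoH endpoint that only answers when the expected hostname is presented (SNI or Host header) would be missed and cached as safe, while an IP that fronts both a DoH endpoint and ordinary websites would be blacklisted wholesale, which is exactly the shared-IP question raised above.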


