undefined | Better HN

0 pointsacdha5y ago0 comments

If the network allows outbound traffic, they can hard-code an IP list - this is how Cloudflare’s 1.1.1.1 works and malware has done this for decades – or they can use local DNS to resolve a single name which will answer or redirect to a service which does further queries. Malware commonly used IRC for this until that started getting blocked on most networks, but imagine how easy it would be to miss, say, a bot which connects on 443 to a major hosting provider, like half the apps you run, searches Google.com, Twitter, etc., or hits an ad network for a keyword selected by the attacker.

In every case, once they get the server(s) to connect to you lose all further visibility unless you’re blocking 443 and forcing traffic through an inspection proxy.

0 comments

fiddlerwoaroof5y ago

Yeah, it’s an arms race, but I suspect it’s solvable: at least solvable enough that it’s feasible to just not use devices that break your policies. For things like Pi-Hole, the setup I describe will reduce much of the ad noise even without more complicated systems.

acdhaOP5y ago

The way to solve is either to segregate unmanaged devices onto a separate network and give up on controlling them or to implement the system I described. The same Pi running a DNS server can run a proxy which applies blocking policies on all hostnames.

xg155y ago

> The same Pi running a DNS server can run a proxy which applies blocking policies on all hostnames.

With DoH, it's easy to not just hardcode the resolver's IP but also the resolver's certificate. How would a proxy be able to intercept that?

1 more reply

xg155y ago

> If the network allows outbound traffic, they can hard-code an IP list - this is how Cloudflare’s 1.1.1.1 works and malware has done this for decades – or they can use local DNS to resolve a single name

Why can't you redirect all 53 traffic to a pihole and block that single name?

acdhaOP5y ago

In this case the client isn't sending traffic on port 53 at all — they already have the IP for the target server and so they just open a connection to it on port 443.

This is not hypothetical: it's how DoH works now but it's also how various things have worked for decades. Malware liked it for hiding command-and-control name queries from the few people who monitor DNS but it was also an option for anyone who had problems with buggy or malicious local DNS servers to add public resolvers like 8.8.8.8 or their own infrastructure into the search list so they didn't get support calls due to some ISP breaking their own DNS server.

The key part is remembering that this was always possible. DoH just meant that more people became aware of the gap they'd always had in their network management.

j / k navigate · click thread line to collapse

0 comments

fiddlerwoaroof5y ago

acdhaOP5y ago

xg155y ago

> The same Pi running a DNS server can run a proxy which applies blocking policies on all hostnames.

With DoH, it's easy to not just hardcode the resolver's IP but also the resolver's certificate. How would a proxy be able to intercept that?

1 more reply

xg155y ago

Why can't you redirect all 53 traffic to a pihole and block that single name?

acdhaOP5y ago

In this case the client isn't sending traffic on port 53 at all — they already have the IP for the target server and so they just open a connection to it on port 443.

The key part is remembering that this was always possible. DoH just meant that more people became aware of the gap they'd always had in their network management.

j / k navigate · click thread line to collapse