 
cunegorg
just joined
Topic Author
Posts: 3
Joined: Fri Jan 14, 2022 1:19 am

Layer7 DoH blocking

Wed Sep 14, 2022 1:15 pm

Hello there!

I'm using my faithful mikrotik as DNS server using an external service (nextdns) as DoH resolver.

I have a rule to redirect all tcp/udp 53 port requests to mikrotik and it's working fine.

I would like to improve privacy by blocking all DoH requests in forward chain, is that possible using L7 firewall?

Did anyone manage something like this?

Thanks!
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Layer7 DoH blocking

Wed Sep 14, 2022 2:17 pm

Forget it.
 
cunegorg
just joined
Topic Author
Posts: 3
Joined: Fri Jan 14, 2022 1:19 am

Re: Layer7 DoH blocking

Wed Sep 14, 2022 7:06 pm

Is there any specific reason I have to forget about it?

Thanks
 
akakua
Frequent Visitor
Posts: 50
Joined: Mon Apr 06, 2020 4:52 pm

Re: Layer7 DoH blocking

Wed Sep 14, 2022 7:12 pm

Answer why you use DoH as a domain name resolver - this will be the reason.
 
Simonej
Frequent Visitor
Posts: 56
Joined: Sun Aug 22, 2021 3:34 am

Re: Layer7 DoH blocking

Wed Sep 14, 2022 7:40 pm

Not an expert as @rextended is, but let me give you my point of view;
like you, I'm using an external DNS service for my router, and I want to make sure some stupid devices are not using other services. Redirecting DNS requests from LAN devices to port 53 is easy using NAT firewall rules;
- DoT: drop dst-port=853 from RAW + tls-host=!*nextdns* (my Android phone is using NextDNS and I don't want it to be blocked)
- DoH: drop dst-port=443 from RAW + dst-address-list="DoH list"
This list contains IP addresses from Cloudflare and you'll also block some websites.

What I'm still learning is whether tls-host= is useful: browsers are using DoH via TLS 1.3 encrypted (thanks rextended for the info in a previous post), so if you use a tls-host exception for the DoH rule it will be ignored; no problem with phones that are using DoT or DoH with TLS 1.2 (still testing this).
If you use DoH with the Chrome browser and you drop the DoH IP addresses, it's not switching to the standard DNS; Firefox is.

Something could not be correct.

I found a lot of useful information here: https://github.com/jpgpi250/piholemanual
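The rule set Simonej describes, written out as an added RouterOS example (not posted by anyone in the thread). It assumes an interface list named LAN, an address list named DoH_list, and the RFC 5737 placeholder prefix 198.51.100.0/24 standing in for whatever resolver addresses you choose to list; placing the drop rules in the raw table follows the post. It goes one step beyond the post by also dropping UDP 443 to the listed addresses, so DoH over HTTP/3 does not slip past a TCP-only rule.

```routeros
# Added example, not from the thread. LAN, DoH_list and 198.51.100.0/24
# are assumptions; replace the placeholder prefix with real resolver ranges.

# 1. Force plain DNS (tcp/udp 53) from LAN clients to the router's own
#    resolver, which in turn forwards to NextDNS over DoH.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="LAN plain DNS -> router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="LAN plain DNS -> router"

# 2. DoT: drop port 853 unless the TLS SNI names the resolver you trust.
#    tls-host only sees a cleartext SNI; it cannot match when the ClientHello
#    is fragmented across segments or the SNI is encrypted (the TLS 1.3
#    caveat raised in the post), so do not rely on the exception alone.
/ip firewall raw
add chain=prerouting in-interface-list=LAN protocol=tcp dst-port=853 \
    tls-host=!*nextdns* action=drop comment="DoT to unknown resolvers"

# 3. DoH: drop 443 to a hand-maintained list of resolver addresses.
#    Any other site sharing those addresses (same CDN) is dropped as well,
#    which is exactly the collateral damage the thread warns about.
/ip firewall address-list
add list=DoH_list address=198.51.100.0/24 comment="placeholder resolver prefix"
/ip firewall raw
add chain=prerouting in-interface-list=LAN protocol=tcp dst-port=443 \
    dst-address-list=DoH_list action=drop comment="DoH to listed resolvers"
add chain=prerouting in-interface-list=LAN protocol=udp dst-port=443 \
    dst-address-list=DoH_list action=drop comment="DoH over HTTP/3 (QUIC)"
```

Check what the rules actually hit with /ip firewall raw print stats before trusting them; a rule with a rising counter and a client that still resolves names is the sign of a browser falling back, or not, as described above for Firefox and Chrome.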
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Layer7 DoH blocking  [SOLVED]

Wed Sep 14, 2022 8:00 pm

The OP question is
[…] blocking all DoH requests in forward chain, is that possible using L7 firewall? […]
The answer is still "Forget it", because Layer7 on HTTPS is completely useless,
and, ignoring that this is not what was requested, using a firewall rule to drop an incomplete DoH list is useless too...
For example (I just checked), Firefox includes the NextDNS DoH resolver, which uses dynamic CDN IPs,
and the list cannot include the same IPs that are also used to distribute Windows updates, YouTube videos, or other useful services
that have nothing to do with DoH but are on the same CDN...
 
cunegorg
just joined
Topic Author
Posts: 3
Joined: Fri Jan 14, 2022 1:19 am

Re: Layer7 DoH blocking

Thu Sep 15, 2022 10:14 am

Thank you all for your answers.

The idea here is to have a block for DoH requests that is dynamic; the "block list" needs constant updating and searching, and as rextended pointed out you risk blocking something else too.

So I guess the thread is "solved", but I ask if you have any possible suggestions to block DoH forward requests, or whether I should use a firewall.

Thanks!
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Layer7 DoH blocking

Thu Sep 15, 2022 10:30 am

The "final problem" lies in the fact that DoH was created precisely so that it cannot be filtered:
it uses a port which, if you block it, blocks all traffic,
and it uses IPs on CDNs which, if you block them, block other services as well.
That's why it was born, and it does it well...
(actually it was born to take the piss out of people with a supposed privacy, in order to try to take control of DNS... whoever controls DNS controls the world...)
