That means it doesn't use port 53, in which case there's nothing DNSFilter can do.
Well there's some good news. If I'd actually bothered to spend more than 30 seconds reading that article I linked to
I would have realised that it's DoT only, not DoH.
Have to think about it some more....but first thought is that it wouldn't work since the client thinks it's talking to one server, but in reality talking to a different server. My thinking is that this would break both DNSSEC and TLS encryption.
I'm not sure how deep into the packets that the Merlin firmware can look, but I use Watchguard UTM devices at my client locations. In their configuration, I have the HTTP and HTTPS proxies set to block any traffic that has the response content type defined as "application/dns-message", so that it blocks any DNS traffic sent using those protocols.That doesn't seem much different from "normal" DNS. Just about every Android device I've owned (i.e. smart TVs, media boxes, phones, etc.) is full of hard-coded calls to 8.8.8.8.
The difference is that the new protocols allow an app to define a DNS server that doesn't even use the global DNS and can define any port that it wants to. It could point to a DNS server that defines snbforums.com (or perhaps your banking site) to any IP address that it wants to. Is that possible using standard DNS? I don't pretend to know that much about the underpinnings of DNS, but what I've read about DoH and DoT led me to block them, mostly because I have to make certain that my clients data is protected to HIPAA standards. I also block ALL standard DNS servers on their networks except a few that are trusted. All other port 53 traffic is blocked. Yes, paranoia reigns supreme.
Yes, of course it is. An application can be written to use any port or server it wants, for whatever purpose, be that DNS or something else (assuming such a server/port exists). The Netflix app typically does this for it's DNS lookups. But just because one application is written that way doesn't mean it's somehow magically forcing other applications to do the same thing.
But yes, there's the rub. With "old" DNS it was easy for you (or anybody else) to "hack it" by intercepting the traffic and forcing it to go to a server of your (or their) choosing. The end user would be none the wiser. With DoH the DNS requests are indistinguishable from any other HTTPS traffic so you can't "hack it" any more.I don't pretend to know that much about the underpinnings of DNS, but what I've read about DoH and DoT led me to block them, mostly because I have to make certain that my clients data is protected to HIPAA standards. I also block ALL standard DNS servers on their networks except a few that are trusted. All other port 53 traffic is blocked. Yes, paranoia reigns supreme.
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!
