On 10/19/2018 10:47 AM, Matus UHLAR - fantomas wrote:
>> On 10/19/2018 02:01 AM, Amish wrote:
>>> Looks like ssl_bump is going to break once ESNI and Encrypted DNS are
>>> universal. (Of course it may be a few years away)
>>>
>>> Probably only way out to detect the domain name would be by implementing
>>> CONNECT proxy instead of transparent one.

> On 19.10.18 09:51, Alex Rousskov wrote:
>> Using forward proxies may not help as much: A CONNECT request that uses
>> an IP address (instead of a domain name) is pretty much as uninformative
>> as a TCP connection intercepted by a transparent proxy.

> disabling DNS in the internal network could help that a bit.

... until the browser starts using DNS over HTTPS (with a pinned certificate of the "resolving" HTTPS server)?

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
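
The point in the thread about CONNECT requests that carry an IP address can be measured on a forward proxy. The following is an added example, not part of the original message or of Squid: it classifies CONNECT request lines by whether the target exposes a domain name or only an IP literal. The request lines are constructed samples and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample request lines (not taken from a real proxy log).
SAMPLE_REQUESTS = [
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT 192.0.2.10:443 HTTP/1.1",
    "CONNECT [2001:db8::1]:443 HTTP/1.1",
    "CONNECT mail.example.org:993 HTTP/1.1",
    "GET http://example.net/ HTTP/1.1",
]

def split_authority(authority):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    if authority.startswith("["):
        host, sep, rest = authority[1:].partition("]")
        if not sep or not rest.startswith(":"):
            raise ValueError("malformed IPv6 authority: %r" % authority)
        return host, int(rest[1:])
    host, sep, port = authority.rpartition(":")
    if not sep or not host:
        raise ValueError("CONNECT target needs host:port: %r" % authority)
    return host, int(port)

def classify_connect(request_line):
    """Return 'domain', 'ip-literal', or None for non-CONNECT lines."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    host, _port = split_authority(parts[1])
    try:
        ipaddress.ip_address(host)
        return "ip-literal"  # proxy learns no more than from intercepted TCP
    except ValueError:
        return "domain"      # proxy learns the requested name

def visibility_summary(request_lines):
    """Count how many CONNECT tunnels expose a domain name to the proxy."""
    kinds = (classify_connect(line) for line in request_lines)
    return Counter(k for k in kinds if k)

if __name__ == "__main__":
    print(dict(visibility_summary(SAMPLE_REQUESTS)))
```
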