Re: Squid url redirector and DoH

Hi Jonathan,
the problem is: can you even see the HTTP being exchanged?
This requires TLS interception.

If you can, then it's relatively easy: you can filter on (untested)

acl doh_post_ct req_header Content-Type -i application/dns-message
acl doh_path_rfc8484 urlpath_regex ^/dns-query
acl doh_query_rfc8484 urlpath_regex dns=
acl doh_path_json urlpath_regex ^/resolve

http_access deny doh_post_ct doh_path_json
http_access deny doh_path_rfc8484 doh_query_rfc8484

If, however, you cannot inspect the HTTP payload in TLS, your only option is to blacklist all DoH providers by DNS name.

On Sat, Jan 11, 2025 at 1:32 AM <jonathanlee571@xxxxxxxxx> wrote:
acl deny_rep_mime_doh rep_mime_type application/dns-message

for example, would this work? I could get rid of a huge list and save memory if this solves my whack-a-mole problem. I do not see anything on the Squid website, but in theory that could resolve it, right?

-----Original Message-----
From: jonathanlee571@xxxxxxxxx <jonathanlee571@xxxxxxxxx>
Sent: Friday, January 10, 2025 2:54 PM
To: 'squid-users' <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Squid url redirector and DoH

I have this harebrained idea to use the media type and get rid of the endless list.

Could this work?

https://www.iana.org/assignments/media-types/media-types.xhtml

This lists MIME types for DoH with RFC 8484 and 8427, so technically could I just create a MIME block for DoH and stop creating endless lists?

https://www.iana.org/assignments/media-types/application/dns-message
https://www.iana.org/assignments/media-types/application/dns+json

https://wiki.squid-cache.org/ConfigExamples/BlockingMimeTypes



-----Original Message-----
From: Jonathan Lee <jonathanlee571@xxxxxxxxx>
Sent: Friday, January 10, 2025 2:38 PM
To: squid-users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Squid url redirector and DoH

Hello fellow Squid users, can you please help? I have been wondering about this for years. I have a massive block list with DoH servers. Do you really need to block DoH if you want Squid to use a specific DNS? Let's say you are using DNS over TLS to Google or Cloudflare, and your system sometimes wants the DoH one.one.one.one. Is blocking that URL really needed? My list is so big it is like playing whack-a-mole with DoH. If I block it I see all the URL requests; if not, I sometimes see IP addresses in the GET requests. I must have an ACL with thousands and thousands of DoH servers in it.

What is recommended for sites that want DoH, but where clients must use Squid per firewall ACLs?
Sent from my iPhone


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users


--
    Francesco
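A fuller squid.conf sketch of the two layers Francesco describes (a DNS-name blacklist for tunnels you cannot open, plus media-type and path ACLs once traffic is bumped), added here as an example and not configuration from the thread. It assumes Squid 5 or later built with OpenSSL, a CA key and certificate in /etc/squid/ca.pem, the Debian path of security_file_certgen, a hypothetical one-domain-per-line file /etc/squid/doh-domains.txt, and a localnet ACL defined elsewhere.

```conf
# Added example, not from the thread. Assumptions: Squid 5+ with OpenSSL,
# CA in /etc/squid/ca.pem, Debian helper path, and a hypothetical
# domain list /etc/squid/doh-domains.txt (one DoH resolver name per line).

# Layer 1: tunnels we will not open. Deny CONNECT to known DoH resolvers
# by name; this is the "blacklist by DNS name" fallback and the only
# control that works when the HTTP inside TLS is not visible.
acl doh_domains dstdomain "/etc/squid/doh-domains.txt"
acl connect_req method CONNECT
http_access deny connect_req doh_domains

# Layer 2: TLS interception so the HTTP inside the tunnel becomes visible.
http_port 3128 ssl-bump tls-cert=/etc/squid/ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Layer 3: recognise DoH by what the request itself declares.
# RFC 8484: GET /dns-query?dns=<base64url> or POST /dns-query with
# Content-Type: application/dns-message; clients also send
# Accept: application/dns-message, which is the most reliable marker.
acl doh_path    urlpath_regex -i ^/dns-query(\?|$)
acl doh_dns_arg urlpath_regex [?&]dns=
acl doh_req_ct  req_header Content-Type -i ^application/dns-message
acl doh_accept  req_header Accept -i application/dns-message
# JSON API (Google /resolve, Cloudflare /dns-query): marked by
# Accept: application/dns-json, or by a name= query on /resolve.
acl json_accept req_header Accept -i application/dns(-|\+)json
acl json_google urlpath_regex -i ^/resolve\?.*name=

http_access deny doh_req_ct
http_access deny doh_accept
http_access deny doh_path doh_dns_arg
http_access deny json_accept
http_access deny json_google

# Belt and braces: if a server still answers with a DoH media type,
# drop the reply; the denial is visible in access.log as a denied reply,
# which is useful for spotting resolvers missing from the domain list.
acl doh_reply rep_mime_type -i ^application/dns(-message|-json|\+json)
http_reply_access deny doh_reply

# Normal policy continues here (localnet assumed to be defined above).
http_access allow localnet
http_access deny all
```

Requests denied by layer 3 are logged as TCP_DENIED with the full URL, so the log doubles as a feed for maintaining the layer 1 list.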
