by stupidthrottle
2626 days ago
> If a network operator can change DNS

The network operator provides an IP through the DHCP response, which also includes proper DNS settings for that network. How is this malicious or replacing "your" DNS? The DNS belongs to the network.
> The DNS belongs to the network.

This is the question: should the network really be able to tell the client what IP corresponds with a DNS name? If no, then there's no good solution to blocking websites where you can't install things on the client's device. Meanwhile, if you say yes, then you must also say yes to ISPs being able to tell the client what IP corresponds to a DNS name. The only solution in an enterprise context is to buy new hardware (or install a software update if Cisco is feeling benevolent) that runs a DoH server. In a school-blocking-porn context, you could ban the biggest offenders via IP (MindGeek sites have a dedicated IP space I think, and you could cron your own DNS lookups for other non-CDN sites) and use an SNI whitelist until eSNI is added to iOS.