|
|
|
|
|
|
by dredmorbius
2541 days ago
|
|
|
That's a separate threat model. DoH addresses surveillance, censorship, and injection by ISPs. One DNSmasq already addresses in part through various asblock and malware-blocking DNS blacklists. I'm using one such that updates hourly or better. Requests to or for specific domains my be blocked (and are). Keep in mind that by using DNSmasq at a centralised LAN server, you now have a single point of control to defend against such threats, rather than relying on multiple device- and application-specific points of control. Though software (such as browsers) offerring its own defences against such threats is in no way hindered. You can further, and more appropriately IMO, defend against such threats at the firewall level, by blocking network space (rather than domains) and ports associated with malware. At the OS level, firewalls such as Little Snitch monitor and block traffic at the application / process and user level, and may detect, alert on, and/or block such malware. |
|
|
As does DNS-over-TLS. Though since it has an official IANA port, this can be blocked.
> You can further, and more appropriately IMO, defend against such threats at the firewall level, by blocking network space (rather than domains) and ports associated with malware.
And if malware leverages Cloudflare, am I supposed to block that? The ports associated with malware may be HTTPS.