by throw0101a
2547 days ago
> *That's a separate threat model. DoH addresses surveillance, censorship, and injection by ISPs.*

As does DNS-over-TLS. Though since it has an official IANA port, this can be blocked.

> You can further, and more appropriately IMO, defend against such threats at the firewall level, by blocking network space (rather than domains) and ports associated with malware.

And if malware leverages Cloudflare, am I supposed to block that? The ports associated with malware may be HTTPS.
You seem to be manufacturing a hypothetical threat that isn't actually impacted by DoH, to no clear end.
Malware already exploits specific IP spaces (DUL, datacentres, AWS), and ports (20, 22, 25, 53, 80, 443, ...), as well as vectors such as adtech networks, IFRAME, and XHR. Those are blocked as best as possible, leveraging numerous signatures, to varying degrees of effectiveness.
Methods are not perfect. But if they on net reduce or manage risks more effectively, they're a net win.
Again, DoH, either in the browser or at the LAN level, addresses a specific set of known risks. And I'm not seeing the caveats you're suggesting as either more severe or non-mitigable.