[fiddlerwoaroof]

Well, it’s more complicated, but in theory you could do some deep packet inspection that understands the protocols: personally, I’d use this to break DoH connections (for every host name seen in SNI, attempt a DoH query, if it resolves, reset the connection) and attempt to force everything to fall back to plain DNS. Then, whitelist a couple outbound ports (on most networks, maybe just 443 + 53?) and block VPNs.

[dhaavi]

With the Portmaster (https://github.com/safing/portmaster) we're going in that direction, but it will take a couple more years to be able to go that deep. Have a look!

[judge2020]

> or every host name seen in SNI

Not going to be possible in a few years or so:

https://news.ycombinator.com/item?id=25344311

[dhaavi]

meh. The outer SNI and the IP address still tell a lot about what you are doing online.

[fiddlerwoaroof]

Also, with things like this, you can just reset connections using HTTPS features you don’t support. It might eventually become painful, but it’ll be fine for the near future. And, if enough enterprise middleboxes do this, the standards will be DOA.