M$ Windows, Android and Apple are already trying to bypass DNS-blockers.

I am quite pleased with the performance of my two NextDNS CLI instances. Everything at my place is running fine; lots of lookups get blocked.

So at this stage, to further harden DNS blocking, I have implemented a redirect of outgoing port 53 traffic back to my CLI instances, which dnsmasq their redirection. Viewing the logs of hits on those rules, I have seen lookups from many internal devices to Google DNS servers (Android devices, Apple devices with Google apps), German Telekom DNS servers (mainly Microsoft Windows 11) and other servers, by all means trying to bypass their known DNS servers.

While this is not very new to me, it bugs me that in the future, as systems evolve, DNS blocking will be a thing of the past that just lulls you into a false sense of safety.

I can block DNS/DoT lookups only on known ports, but cannot block DoH lookups without implementing an IDS/IPS system that inspects all HTTPS traffic.

And Windows 11 / Server 2022 already have native DoH support implemented, and I am pretty sure they already use it.

The eternal cat-and-mouse game is already being played on DNS turf...

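The port-53 redirect described in the post, plus a parser for the log hits such a rule produces, as an added example that is not part of the original post and not NextDNS's own tooling. It assumes, hypothetically, an nftables-based home gateway whose LAN-facing interface is `br0` and whose NextDNS CLI instance listens on the gateway's own LAN address `192.168.1.1:53`; the log prefixes `DNS-BYPASS:` and `DOT-BYPASS:` are chosen here, and the kernel log lines in `SAMPLE_LOG` are constructed, not captured from a real system.

```python
"""Force LAN DNS through a local resolver and account for bypass attempts.

Added example, not from the original post.  Hypothetical assumptions:
the gateway runs nftables, its LAN interface is "br0", the NextDNS CLI
instance answers on the gateway's own LAN address 192.168.1.1:53, and the
log lines in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import Counter

# Well-known public resolvers, used only to label where bypass attempts go.
KNOWN_RESOLVERS = {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "9.9.9.9": "Quad9",
}


def build_nft_ruleset(lan_if: str, gateway_ip: str) -> str:
    """Return an nftables ruleset (for `nft -f`) that pins LAN DNS to the gateway.

    prerouting (nat): plain-DNS packets from the LAN that are not already
      addressed to the gateway are logged and redirected to the local port 53.
    forward (filter): DNS-over-TLS (tcp/853) leaving the LAN is logged and
      rejected with a TCP RST so clients fail fast and fall back to port 53.
    DNS-over-HTTPS shares tcp/443 with ordinary web traffic and is not
    distinguishable by port, so it is deliberately not addressed here.
    """
    return f"""table inet dnsguard {{
    chain prerouting {{
        type nat hook prerouting priority dstnat; policy accept;
        iifname "{lan_if}" udp dport 53 ip daddr != {gateway_ip} log prefix "DNS-BYPASS: " redirect to :53
        iifname "{lan_if}" tcp dport 53 ip daddr != {gateway_ip} log prefix "DNS-BYPASS: " redirect to :53
    }}
    chain forward {{
        type filter hook forward priority filter; policy accept;
        iifname "{lan_if}" tcp dport 853 log prefix "DOT-BYPASS: " reject with tcp reset
    }}
}}
"""


# Kernel log layout produced by an nftables/iptables `log` statement.  In the
# prerouting hook OUT= is empty because routing has not happened yet.
LOG_RE = re.compile(
    r"(?P<prefix>DNS-BYPASS|DOT-BYPASS): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)"
)

# Constructed sample lines (not real captures); the last one is unrelated
# firewall noise and must be ignored by the parser.
SAMPLE_LOG = """\
Jan  5 10:12:33 gw kernel: DNS-BYPASS: IN=br0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=UDP SPT=51234 DPT=53 LEN=41
Jan  5 10:12:33 gw kernel: DNS-BYPASS: IN=br0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=UDP SPT=51235 DPT=53 LEN=41
Jan  5 10:12:40 gw kernel: DOT-BYPASS: IN=br0 OUT=ppp0 MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:66:08:00 SRC=192.168.1.40 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=44210 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  5 10:12:41 gw kernel: DNS-BYPASS: IN=br0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:77:08:00 SRC=192.168.1.55 DST=203.0.113.7 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=UDP SPT=60001 DPT=53 LEN=41
Jan  5 10:12:42 gw kernel: [UFW BLOCK] IN=ppp0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=22 DPT=22
"""


def parse_bypass_log(lines):
    """Count bypass attempts keyed by (client, resolver IP, resolver label, kind).

    kind is "DoT" for tcp/853 hits and "Do53" for plain port-53 hits; lines
    without one of the two log prefixes are ignored.
    """
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        kind = "DoT" if m["dport"] == "853" else "Do53"
        label = KNOWN_RESOLVERS.get(m["dst"], "other")
        counts[(m["src"], m["dst"], label, kind)] += 1
    return counts


def per_client_totals(counts):
    """Collapse the detailed counter to attempts per LAN client, busiest first."""
    totals = Counter()
    for (src, _dst, _label, _kind), n in counts.items():
        totals[src] += n
    return totals.most_common()


if __name__ == "__main__":
    print(build_nft_ruleset("br0", "192.168.1.1"))
    hits = parse_bypass_log(SAMPLE_LOG.splitlines())
    for (src, dst, label, kind), n in sorted(hits.items()):
        print(f"{src:>15} -> {dst:<15} {label:<10} {kind:<4} x{n}")
    print("per client:", per_client_totals(hits))
```

Two caveats before applying the ruleset with `nft -f`: `redirect` only works because the resolver is assumed to live on the gateway itself; if the NextDNS CLI runs on a separate LAN host, a plain `dnat to <host>:53` is not enough, since the host would answer the client directly from its own address and the client would discard the mismatched UDP reply, so a masquerade in the postrouting chain is also needed. And the `tcp dport 853` rule rejects with a TCP RST rather than silently dropping, so DoT-capable clients fail fast and fall back to port 53 instead of hanging on a timeout; as the post says, DoH on tcp/443 cannot be separated from web traffic by port and is out of scope here.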