> What exactly are the threats that you expect blocking DoH to protect you from?
I want to maintain the ability to block the resolution of certain domain names.
The threat model is malicious software or websites that want to phone home. This includes reaching out to command-and-control servers, ad tracking servers, data exfiltration points, etc.
> If you are MitMing all encrypted traffic anyway, why not block whatever you want to block when someone actually tries to connect to it
Because most of the malicious actors don't use raw IP addresses as they can change frequently and without notice. They resolve a domain name instead. Blocking the domain name lookup is therefore more effective and less likely to result in blocking the wrong things than working with raw IP addresses.
This is not a replacement for other security measures (including IP-based blocks), but it is, in my opinion, a critical measure in and of itself.
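The resolution-time blocking the comment describes, as an added example that is not part of the thread or anyone's posted code: a domain-suffix blocklist applied to DNS query log lines, with a hypothetical log format, constructed domain names, addresses and log entries, and a small comparison showing why an IP snapshot blocklist misses a name whose addresses change.

```python
"""Domain-name blocklist matching over DNS query log lines.

Added example (not from the comment thread). Demonstrates why blocking at
name resolution is more robust than IP blocking: the blocked name keeps
matching even when the addresses it resolves to change. All domain names,
addresses, log lines and the log format below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed blocklist: an entry matches the name itself and all subdomains.
BLOCKLIST = {"c2.example.net", "tracker.example.org"}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot that resolvers and logs often add."""
    return name.rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname, or any parent domain of it, is on the blocklist.

    Matching is done per label so that 'notc2.example.net' does not match
    'c2.example.net' the way a naive string endswith() check would.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


# Hypothetical log format: "<ts> client=<ip> qname=<name> type=<rrtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) type=(?P<rtype>\S+)$"
)


@dataclass
class Decision:
    ts: str
    client: str
    qname: str
    action: str  # "NXDOMAIN" for a blocked name, "FORWARD" for an allowed one


def filter_log(lines, blocklist=BLOCKLIST):
    """Decide, per parsed query, whether the resolver should answer NXDOMAIN or forward."""
    decisions = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip, it is not a query we can judge
        action = "NXDOMAIN" if is_blocked(m["qname"], blocklist) else "FORWARD"
        decisions.append(Decision(m["ts"], m["client"], normalize(m["qname"]), action))
    return decisions


# Constructed sample log, including a trailing-dot name, mixed case,
# a look-alike that must NOT match, and one malformed line.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z client=10.0.0.5 qname=www.example.com. type=A",
    "2024-01-01T10:00:01Z client=10.0.0.5 qname=beacon.c2.example.net. type=A",
    "2024-01-01T10:00:02Z client=10.0.0.7 qname=C2.EXAMPLE.NET type=AAAA",
    "2024-01-01T10:00:03Z client=10.0.0.7 qname=notc2.example.net type=A",
    "garbage line",
]

# Constructed: the same blocked name observed resolving to different
# addresses over time, and an IP blocklist snapshot taken after the first.
RESOLUTIONS = [("c2.example.net", "198.51.100.10"), ("c2.example.net", "203.0.113.44")]
IP_BLOCKLIST = {"198.51.100.10"}


def ip_block_misses(resolutions, ip_blocklist):
    """Count resolutions of a known-bad name that an IP snapshot blocklist lets through."""
    return sum(1 for _, ip in resolutions if ip not in ip_blocklist)


def name_block_misses(resolutions, blocklist=BLOCKLIST):
    """Same count when blocking on the name instead of the address."""
    return sum(1 for name, _ in resolutions if not is_blocked(name, blocklist))


if __name__ == "__main__":
    for d in filter_log(SAMPLE_LOG):
        print(f"{d.ts} {d.client} {d.qname} -> {d.action}")
    print("IP-snapshot misses:", ip_block_misses(RESOLUTIONS, IP_BLOCKLIST))
    print("name-based misses:", name_block_misses(RESOLUTIONS))
```

The per-label match is the detail worth keeping: a plain suffix string comparison would either over-block look-alike names or force every subdomain to be listed explicitly.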