Google and others have been working on implementing DNS over HTTPS.
https://tools.ietf.org/id/draft-hoffman-dns-over-https-00.html
This allows bypass of things like RPZ, DNS blackholes, and other protections. All the more reason to start thinking about SSL inspection. The right to privacy is understandable, but protecting users, assets, and data is more important. This is just going to get worse and worse. Sinkholing ‘dns.google.com’ could stop it for a while, but one could just go grab the IPs for that domain and run DNS over HTTPS, bypassing protections. Last I checked, dns.google.com had 27 IPs.
Here’s my setup.
HostA (Debian, 10.2.2.10) uses an internal bind forwarder (10.2.2.5). This bind server (10.2.2.5) has an RPZ and 1000s of blocked domains. On HostA, I install nodejs, clone a repo and run the nameserver. Then I set my testing system to use HostA as its DNS server instead of 10.2.2.5.
On HostA:
curl -sL https://deb.nodesource.com/setup_6.x -o nodesetup.sh
bash nodesetup.sh
apt-get install nodejs build-essential
Clone the repo below and run nvm for the deps.
git clone https://github.com/demmsec/node-Google-DNS-over-HTTPS.git
cd node-Google-DNS-over-HTTPS
nvm install
Run the server as root:
sudo node index.js
Now I’m using HostA as my primary nameserver, and I can completely bypass RPZ. This is very easy to do with a VM or a Raspberry Pi. With SSL inspection (iSSL), this traffic can be inspected and prevented. One could also block related domains and IP addresses.
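The setup above leaves a recognizable trace in flow logs: an internal host that is not the sanctioned resolver answers DNS on port 53 while holding HTTPS sessions to DoH endpoints. The following is an added detection example, not code from the original post or the linked repo; the flow-record layout, the /24 range and the DoH endpoint addresses (documentation-range placeholders) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Resolver address taken from the post; the /24 around it is an assumption.
SANCTIONED_RESOLVERS = {"10.2.2.5"}
INTERNAL_NET = ipaddress.ip_network("10.2.2.0/24")
# Placeholders (TEST-NET-3) standing in for the addresses dns.google.com resolves to.
DOH_ENDPOINT_IPS = {"203.0.113.10", "203.0.113.11"}

# Constructed flow records: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.2.2.20", "10.2.2.5", "udp", 53),       # client -> sanctioned resolver
    ("10.2.2.30", "10.2.2.10", "udp", 53),      # test system -> HostA
    ("10.2.2.10", "203.0.113.10", "tcp", 443),  # HostA -> DoH endpoint
    ("10.2.2.20", "198.51.100.7", "tcp", 443),  # ordinary HTTPS
    ("10.2.2.40", "203.0.113.11", "tcp", 443),  # host talking DoH directly
    ("10.2.2.5", "192.0.2.53", "udp", 53),      # forwarder -> its upstream
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_rpz_bypass(flows, resolvers=SANCTIONED_RESOLVERS, doh_ips=DOH_ENDPOINT_IPS):
    """Return {host: {"doh_endpoints": [...], "dns_clients": [...], "role": ...}}."""
    doh_out = defaultdict(set)  # internal host -> DoH endpoints it reached on 443
    dns_in = defaultdict(set)   # unsanctioned internal host -> clients querying it
    for src, dst, proto, port in flows:
        if not is_internal(src):
            continue
        if proto == "tcp" and port == 443 and dst in doh_ips:
            doh_out[src].add(dst)
        elif port == 53 and is_internal(dst) and dst not in resolvers:
            dns_in[dst].add(src)

    findings = {}
    for host in sorted(set(doh_out) | set(dns_in)):
        if host in doh_out and host in dns_in:
            role = "doh-relay"  # the HostA pattern: serves DNS, forwards it over HTTPS
        elif host in doh_out:
            role = "doh-client"
        else:
            role = "unsanctioned-resolver"
        findings[host] = {"doh_endpoints": sorted(doh_out[host]),
                          "dns_clients": sorted(dns_in[host]), "role": role}
    return findings


if __name__ == "__main__":
    for host, info in find_rpz_bypass(SAMPLE_FLOWS).items():
        print(host, info)
```

The endpoint list has to be refreshed from current resolution of the DoH hostnames, since a stale list misses new addresses.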