From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tapani Tarvainen <ipfire@tapanitarvainen.fi>
To: development@lists.ipfire.org
Subject: Re: Should we block DoH by default?
Date: Wed, 04 Mar 2020 08:00:02 +0200
Message-ID: <20200304060002.GC26106@tarvainen.info>
In-Reply-To: <1d0ca483-76bf-9588-a836-4344e5c14342@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3188225821969498958=="
List-Id: <development.lists.ipfire.org>

--===============3188225821969498958==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On Tue, Mar 03, 2020 at 06:32:00PM +0000, Peter M=C3=BCller (peter.mueller(a)=
ipfire.org) wrote:

> I like your suggestion, and see something like "reject any client
> connecting to any other DNS server on the internet" similar to blocking
> outbound connections to port 25 in order to prevent spamming.
>=20
> In both cases and for most SOHO networks, there is little legitimate
> reason to do so. Regarding external DNS servers, IoT and similar things
> come to my mind, which have their resolvers hard-coded in the firmware.

Thinking about those, how about an option to *redirect* connections
to port 53 of external servers to IPFire rather than rejecting them?

--=20
Tapani Tarvainen

--===============3188225821969498958==--