From: Tapani Tarvainen
To: development@lists.ipfire.org
Subject: Re: Should we block DoH by default?
Date: Wed, 04 Mar 2020 08:00:02 +0200
Message-ID: <20200304060002.GC26106@tarvainen.info>
In-Reply-To: <1d0ca483-76bf-9588-a836-4344e5c14342@ipfire.org>

On Tue, Mar 03, 2020 at 06:32:00PM +0000, Peter Müller (peter.mueller(a)ipfire.org) wrote:

> I like your suggestion, and see something like "reject any client
> connecting to any other DNS server on the internet" similar to blocking
> outbound connections to port 25 in order to prevent spamming.
>
> In both cases and for most SOHO networks, there is little legitimate
> reason to do so. Regarding external DNS servers, IoT and similar things
> come to my mind, which have their resolvers hard-coded in the firmware.

Thinking about those, how about an option to *redirect* connections to
port 53 of external servers to IPFire rather than rejecting them?

-- 
Tapani Tarvainen
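The redirect proposed in the message above, written out as an nftables NAT rule set. This is an added illustration for readers of the thread, not IPFire's own configuration (IPFire 2.x builds its rules with iptables, where the equivalent is a `-t nat -A PREROUTING ... -j REDIRECT --to-ports 53` rule on the LAN interface). The interface name `green0` and the resolver address `10.0.0.1` are assumptions, as is the choice to handle IPv4 only.

```nft
# Added example, not IPFire's own configuration.
# Assumptions: the LAN (green) interface is "green0" and the firewall's
# own resolver (unbound) listens on 10.0.0.1:53.
table inet dns_redirect {
    chain prerouting {
        # NAT prerouting only sees traffic arriving from clients, so the
        # firewall's own upstream queries (locally generated, OUTPUT path)
        # are not affected by these rules.
        type nat hook prerouting priority dstnat; policy accept;

        # Any LAN client talking DNS to a server other than the firewall
        # itself is transparently redirected to the local resolver.
        # Both transports are covered: UDP for ordinary queries, TCP for
        # truncated responses and zone transfers. The client still sees
        # the reply come "from" the address it asked, so hard-coded
        # resolvers in IoT firmware keep working instead of timing out.
        iifname "green0" ip daddr != 10.0.0.1 udp dport 53 counter redirect to :53
        iifname "green0" ip daddr != 10.0.0.1 tcp dport 53 counter redirect to :53
    }
}
```

Two caveats a practitioner would want on record: the rule only catches plaintext DNS on port 53, so DNS-over-TLS (853) and the DNS-over-HTTPS traffic that is the subject of this thread pass through untouched, and a client that validates DNSSEC itself will still work because it receives genuine signed records from the firewall's resolver rather than a forged answer.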