From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Should we block DoH by default?
Date: Wed, 04 Mar 2020 10:11:47 +0000
Message-ID: <4E2571B2-5250-42CD-B608-0353D579E088@ipfire.org>
In-Reply-To: <20200304060002.GC26106@tarvainen.info>

> On 4 Mar 2020, at 06:00, Tapani Tarvainen wrote:
>
> On Tue, Mar 03, 2020 at 06:32:00PM +0000, Peter Müller (peter.mueller(a)ipfire.org) wrote:
>
>> I like your suggestion, and see something like "reject any client
>> connecting to any other DNS server on the internet" similar to blocking
>> outbound connections to port 25 in order to prevent spamming.
>>
>> In both cases and for most SOHO networks, there is little legitimate
>> reason to do so. Regarding external DNS servers, IoT and similar things
>> come to my mind, which have their resolvers hard-coded in the firmware.
>
> Thinking about those, how about an option to *redirect* connections
> to port 53 of external servers to IPFire rather than rejecting them?

Yes, we could do that for 53 UDP and TCP, but not for 853 obviously.

>
> --
> Tapani Tarvainen
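The redirect-rather-than-reject idea discussed in this thread, written out as an added example (not IPFire's own firewall code): outbound port-53 UDP and TCP from the LAN is transparently redirected to the firewall's resolver with an iptables REDIRECT target, while port 853 (DNS-over-TLS) is rejected, since a TLS client authenticates the server certificate and cannot be silently redirected. The interface name `green0` and the plain `PREROUTING`/`FORWARD` chains are assumptions for illustration; IPFire's generated rule set uses its own chains. By default the script only prints the rules; set `APPLY=1` to install them.

```shell
#!/bin/sh
# Added example, not IPFire code: force LAN clients onto the firewall's
# resolver (ports 53/udp and 53/tcp) and reject outbound DNS-over-TLS (853).
# Assumed (hypothetical) internal interface name; adjust for your setup.
LAN_IF="${LAN_IF:-green0}"

# Run iptables for real only when APPLY=1; otherwise print the command so the
# rule set can be reviewed (and tested) without root privileges.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# The complete rule set. REDIRECT rewrites the destination to the address of
# the interface the packet arrived on, i.e. the firewall's own LAN address,
# so hard-coded resolvers in IoT firmware are answered by IPFire instead.
dns_enforce_rules() {
    for proto in udp tcp; do
        ipt -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            -j REDIRECT --to-ports 53
    done
    # DNS-over-TLS cannot be redirected transparently (certificate
    # validation would fail), so it is rejected with a TCP reset instead.
    ipt -A FORWARD -i "$LAN_IF" -p tcp --dport 853 \
        -j REJECT --reject-with tcp-reset
}

# Number of rules the script installs; useful as a sanity check before
# comparing against `iptables -S` on a live system.
dns_enforce_rule_count() {
    (APPLY=0; dns_enforce_rules) | wc -l | tr -d ' '
}

dns_enforce_rules
```

Note what this does not cover: DNS-over-HTTPS rides on 443 and is indistinguishable from ordinary web traffic by port alone, which is the open question of the thread; this rule set only closes the plain-DNS and DoT paths.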