From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Should we block DoH by default?
Date: Wed, 04 Mar 2020 10:11:47 +0000
Message-ID: <4E2571B2-5250-42CD-B608-0353D579E088@ipfire.org>
In-Reply-To: <20200304060002.GC26106@tarvainen.info>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0699223169288027473=="
List-Id: <development.lists.ipfire.org>

--===============0699223169288027473==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable



> On 4 Mar 2020, at 06:00, Tapani Tarvainen <ipfire(a)tapanitarvainen.fi> wro=
te:
>=20
> On Tue, Mar 03, 2020 at 06:32:00PM +0000, Peter M=C3=BCller (peter.mueller(=
a)ipfire.org) wrote:
>=20
>> I like your suggestion, and see something like "reject any client
>> connecting to any other DNS server on the internet" similar to blocking
>> outbound connections to port 25 in order to prevent spamming.
>>=20
>> In both cases and for most SOHO networks, there is little legitimate
>> reason to do so. Regarding external DNS servers, IoT and similar things
>> come to my mind, which have their resolvers hard-coded in the firmware.
>=20
> Thinking about those, how about an option to *redirect* connections
> to port 53 of external servers to IPFire rather than rejecting them?

Yes, we could do that for 53 UDP and TCP, but not for 853 obviously.

>=20
> --=20
> Tapani Tarvainen


--===============0699223169288027473==--