[ITNOG] filtering DoH

Damiano Verzulli damiano@verzulli.it
Mon 13 May 2019 09:47:53 CEST


On 13/05/19 08:55, Antonio Prado via itnog wrote:
> hi,
>
> regarding the brief discussion about DoH during ITNOG5, I'd like to point
> out this recent tweet
> https://twitter.com/latour_jacques/status/1127469595072258049

...where I read (the "reformatting" is mine):

----------------------------------------------------

Q: How to block #DNS #DoH from an enterprise point of view?

A: *Decrypt all outbound SSL/TLS* [...and...] filter out http-req-headers =
application/dns-message.

We implemented this on our Palo FW.

Note: Each DoH message is 4K

----------------------------------------------------

It is not clear to me how it is possible to "Decrypt all outbound SSL/TLS"
without interventions that are "invasive" and "painless" for the end users
(in my case: a university).

Regards,
DV


-- 

Damiano Verzulli
e-mail: damiano@verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists 
and Generalists. The Specialist learns more and more about a 
narrower and narrower field, until he eventually, in the limit, 
knows everything about nothing. The Generalist learns less and 
less about a wider and wider field, until eventually he knows 
nothing about everything." - William Stucke - AfrISPA
  http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html
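
The header filter described in the quoted tweet, as an added example that is not part of the original message or of the tweet: a classifier for request heads that a TLS-inspecting proxy has already decrypted. It goes beyond the single header match by also checking the RFC 8484 GET form (`?dns=` with base64url data); the host names, sample requests and function names are constructed, and the request is assumed to be presented as an HTTP/1.1-style head.

```python
import base64
from urllib.parse import urlsplit, parse_qs

DOH_MEDIA_TYPE = "application/dns-message"  # media type named in the tweet (RFC 8484)

# Constructed sample request heads, as a TLS-inspecting proxy would see them after decryption.
SAMPLES = {
    "doh_post": b"POST /dns-query HTTP/1.1\r\nHost: doh.example\r\n"
                b"Content-Type: application/dns-message\r\nContent-Length: 33\r\n\r\n",
    "doh_get": b"GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1\r\n"
               b"Host: doh.example\r\nAccept: application/dns-message;q=1.0, */*;q=0.1\r\n\r\n",
    "web_get": b"GET /index.html?dns=off HTTP/1.1\r\nHost: www.example\r\nAccept: text/html\r\n\r\n",
}

def parse_request_head(raw):
    """Split an HTTP/1.1 request head into (method, target, {lowercased header: [values]})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers

def media_types(values):
    """'application/dns-message;q=1.0, */*' -> {'application/dns-message', '*/*'}"""
    return {part.split(";")[0].strip().lower() for v in values for part in v.split(",")}

def is_dns_param(value):
    """True if value is unpadded base64url that decodes to at least a 12-byte DNS header."""
    try:
        return len(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))) >= 12
    except ValueError:
        return False

def doh_reasons(raw):
    """Return why a request is classified as DoH; an empty list means it is not."""
    method, target, headers = parse_request_head(raw)
    reasons = []
    if DOH_MEDIA_TYPE in media_types(headers.get("content-type", [])):
        reasons.append("content-type")
    if DOH_MEDIA_TYPE in media_types(headers.get("accept", [])):
        reasons.append("accept")
    dns_values = parse_qs(urlsplit(target).query).get("dns", [])
    if method == "GET" and any(is_dns_param(v) for v in dns_values):
        reasons.append("dns-param")
    return reasons

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, doh_reasons(raw))
```

None of this sees anything unless the TLS session is decrypted first, which is the step the message above asks about.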
