[ITNOG] filtering DoH
Damiano Verzulli
damiano@verzulli.it
Mon 13 May 2019 09:47:53 CEST
On 13/05/19 08:55, Antonio Prado via itnog wrote:
> hi,
>
> regarding the brief discussion about DoH during ITNOG5, I'd point out this
> recent tweet
> https://twitter.com/latour_jacques/status/1127469595072258049
...where I read (the "reformatting" is mine):
----------------------------------------------------
Q: How to block #DNS #DoH from an enterprise point of view?
A: *Decrypt all outbound SSL/TLS* [...and...] filter out http-req-headers =
application/dns-message.
We implemented this on our Palo FW.
Note: Each DoH message is 4K
----------------------------------------------------
It is not clear to me how it is possible to "Decrypt all outbound SSL/TLS" without
measures that are "invasive" and "painless" for the end users (in my case: a
university).
Regards,
DV
--
Damiano Verzulli
e-mail: damiano@verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists
and Generalists. The Specialist learns more and more about a
narrower and narrower field, until he eventually, in the limit,
knows everything about nothing. The Generalist learns less and
less about a wider and wider field, until eventually he knows
nothing about everything." - William Stucke - AfrISPA
http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html
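
The header filter described in the quoted tweet, as an added example that is not part of the original post or of any product's configuration: a classifier for already-decrypted HTTP requests that recognises both RFC 8484 forms of DoH (POST with the `application/dns-message` content type, GET with a base64url `dns` parameter). It assumes a TLS-inspecting proxy supplies the method, target and headers; the function names, the `/dns-query` path and the sample query are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qs

DOH_TYPE = "application/dns-message"  # media type defined by RFC 8484

# Constructed sample: wire-format DNS query for example.com, type A, class IN.
SAMPLE_QUERY = (bytes.fromhex("000001000001000000000000")
                + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")

def first_qname(msg):
    """Return the first question name of a wire-format DNS message, or None."""
    if len(msg) < 12 or int.from_bytes(msg[4:6], "big") < 1:  # header, QDCOUNT
        return None
    labels, pos = [], 12
    while pos < len(msg):
        n = msg[pos]
        if n == 0:
            return ".".join(labels) or "."
        if n > 63 or pos + 1 + n > len(msg):  # pointer or truncated label
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def classify(method, target, headers, body=b""):
    """Classify one decrypted HTTP request: (is_doh, reason, qname)."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip()
    if method == "POST" and ctype == DOH_TYPE:
        return True, "POST content-type", first_qname(body)
    if method == "GET":
        dns = parse_qs(urlsplit(target).query).get("dns", [""])[0]
        try:  # RFC 8484 GET carries the query as unpadded base64url
            raw = base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))
        except ValueError:
            raw = b""
        name = first_qname(raw)
        if name:
            return True, "GET dns parameter", name
        if DOH_TYPE in h.get("accept", ""):
            return True, "GET accept header", None
    return False, "no DoH marker", None

if __name__ == "__main__":
    print(classify("POST", "/dns-query", {"Content-Type": DOH_TYPE}, SAMPLE_QUERY))
```

Matching on the `dns` parameter as well as the headers matters because a GET-form DoH request has no request body and therefore no `Content-Type` to filter on.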