
I redirect all outbound TCP/UDP 53 traffic to my DNS servers. I can't do that with DoH, so into the blackhole it goes.


Remember, if you can censor traffic at the network level, so can Comcast and China. Hopefully, there will eventually be a day when Microsoft, Google, Amazon, and CloudFlare all serve DoH from the same IPs they serve the rest of the websites they host from, so that it won't be feasible to block them anymore.


But they can run DoH on any server; they don't have to use CloudFlare or Google or whatever. So any port 80 connection is suspect. Same for any port 443 connection with DoT. Or any port whatsoever if they run their DNS (on any transport) on a "non-standard" port, which is not unheard of for such devices. DNS works on port 5353 just as well as it does on port 53. Redirecting outbound port 53 to your own servers has never been an effective way to stop devices from using their own DNS. DoH and DoT do make it harder to block (since they're authenticated), but even classic DNS can evade simple port-based redirection.
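The comment above makes the point that a port-53 redirect only catches DNS that happens to use port 53. The following is an added example (not code from anyone in this thread) of the defender's complement: classify UDP payloads by whether they parse as a plain DNS query, independent of the destination port, so that classic DNS on 5353 or any other port still shows up in flow review. The flow records are constructed sample data; the field names are assumptions.

```python
import struct

def looks_like_dns_query(payload: bytes) -> bool:
    """True if the payload parses as a plain RFC 1035 DNS query with one question.
    Port-agnostic: this is what a port-53 redirect rule cannot see."""
    if len(payload) < 12:
        return False
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:                      # QR bit set: a response, not a query
        return False
    if (flags >> 11) & 0xF not in (0, 1, 2):  # opcode must be QUERY/IQUERY/STATUS
        return False
    if qd < 1 or an != 0:                   # queries carry questions, not answers
        return False
    pos = 12                                # walk the first QNAME label by label
    while True:
        if pos >= len(payload):
            return False
        ln = payload[pos]
        if ln == 0:                         # root label terminates the name
            pos += 1
            break
        if ln > 63 or ln & 0xC0:            # oversize label or compression pointer: not a query name
            return False
        pos += 1 + ln
    if pos + 4 > len(payload):
        return False
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return qtype != 0 and qclass in (1, 255)  # IN or ANY class

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A query; used here only to construct sample flows."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

# Constructed sample flows (hypothetical field names): one normal lookup, one DNS on 5353,
# one non-DNS blob on 5353, and one DNS query sent to an arbitrary high port.
SAMPLE_FLOWS = [
    {"src": "10.0.0.7",  "dst": "10.0.0.1",     "dport": 53,   "payload": build_query("example.com")},
    {"src": "10.0.0.23", "dst": "203.0.113.10", "dport": 5353, "payload": build_query("example.net")},
    {"src": "10.0.0.23", "dst": "203.0.113.10", "dport": 5353, "payload": b"\x00\x01\x02"},
    {"src": "10.0.0.9",  "dst": "198.51.100.5", "dport": 4444, "payload": build_query("update.example.org")},
]

def find_offport_dns(flows, allowed_ports=(53,)):
    """Return flows that are DNS queries but bypass the redirected port(s).
    Note: legitimate mDNS (multicast to 224.0.0.251:5353) also matches; filter it if unwanted."""
    return [f for f in flows if f["dport"] not in allowed_ports and looks_like_dns_query(f["payload"])]
```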



