
> The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers ...

A firewall (which must also host a resolver) can choose to block requests to IPs it hasn't resolved domain names for.

This is something I implemented for an Android firewall app I co-develop; it works nicely enough.
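The check described in the comment above, sketched as an added example; it is not part of the thread and is not the code of the app the commenter mentions. The class, the method names and the grace period are hypothetical, and the traffic is constructed: the resolver reports each answer it hands out, and a connection is allowed only if its destination IP appeared in a recent answer.

```python
import ipaddress

class DnsGatedFirewall:
    """Allow outbound connections only to IPs the local resolver recently answered with."""

    def __init__(self, grace=30.0):
        self.grace = grace      # assumption: seconds an answer stays usable past its TTL
        self.allowed = {}       # ip_address -> (expiry_time, name it was resolved for)

    def on_dns_answer(self, name, addresses, ttl, now):
        """Hook the resolver calls for every A/AAAA answer it returns to a client."""
        expiry = now + ttl + self.grace
        for addr in addresses:
            ip = ipaddress.ip_address(addr)   # normalises IPv6 spellings
            old = self.allowed.get(ip)
            if old is None or old[0] < expiry:
                self.allowed[ip] = (expiry, name)

    def check_connection(self, dst, now):
        """Return (verdict, reason) for an outbound connection attempt to dst."""
        ip = ipaddress.ip_address(dst)
        entry = self.allowed.get(ip)
        if entry is None:
            return ("block", "never resolved")
        expiry, name = entry
        if now > expiry:
            del self.allowed[ip]              # expired answers no longer open the path
            return ("block", f"stale answer for {name}")
        return ("allow", name)

def replay(events, fw):
    """Feed ('dns', ...) and ('conn', ...) events in order; collect connection verdicts."""
    verdicts = []
    for kind, *args in events:
        if kind == "dns":
            fw.on_dns_answer(*args)
        else:
            verdicts.append(fw.check_connection(*args))
    return verdicts

# Constructed sample traffic (documentation address ranges, made-up timestamps).
SAMPLE = [
    ("dns", "example.org", ["192.0.2.10", "2001:db8::1"], 60, 1000.0),
    ("conn", "192.0.2.10", 1010.0),             # resolved moments ago
    ("conn", "2001:0db8:0:0:0:0:0:1", 1010.0),  # same host, different spelling
    ("conn", "198.51.100.53", 1010.0),          # hard-coded IP, no lookup seen
    ("conn", "192.0.2.10", 1091.0),             # TTL + grace has passed
]

if __name__ == "__main__":
    for verdict in replay(SAMPLE, DnsGatedFirewall()):
        print(verdict)
```

A DoH endpoint whose hostname a client first looks up through this resolver is allowed like any other resolved name, so the check pairs with name-based blocking in the resolver itself.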






> A firewall (which must also host a resolver)

Is that true? Per what spec are you referring to?

ignoramous probably meant that in order to block access to all IP addresses that it has not recently resolved, the firewall must also host or communicate closely with a resolver. This is a tautology, not a spec.

Ah, I definitely misread. Thanks!

what app?



