7 comments

[ 4.6 ms ] story [ 29.1 ms ] thread
Sounds like they're either sitting on something, or are grumpy that they lost access / visibility
I think their point has merit. It isn't don't use DoH, it is don't use DoH outside your network and outside your control as it has been/can be exploited by 3rd parties. CISA, as the article points out, made the same argument, it isn't that DoH is bad, it is that a 3rd party DoH provider can actually do malicious things hidden from the IT admins and staff, making identifying a malicious endpoint the user was served via DNS harder.

I am not above thinking any government agency might put out disinformation to protect a source/access, but this one seems like a reasonable position to take on security.

Agreed. DoH seems good for personal privacy (i.e. hides the um... meditation sites), but when it comes to enterprises, administrators will have no way of knowing what sites their users are actually being directed to.
So am I reading this right? Run all your user traffic to a self hosted DoH server and forward those requests to another DoH? To protect my users from the bad guys hiding their traffic in DoH, how would I detect the bad guys passing DoH traffic on my server?

I’m asking because I’m looking to do this for my users whenever we get back to the office.

You are picking the trusted server you forward to. The idea is to prevent your users from just pointing to some random DoH server on the internet.
Is it just me or the headline is the complete opposite of the actual message here?
(comment deleted)