I think their point has merit. It isn't don't use DoH, it is don't use DoH outside your network and outside your control as it has been/can be exploited by 3rd parties. CISA, as the article points out, made the same argument, it isn't that DoH is bad, it is that a 3rd party DoH provider can actually do malicious things hidden from the IT admins and staff, making identifying a malicious endpoint the user was served via DNS harder.
I am not above thinking any government agency might put out disinformation to protect a source/access, but this one seems like a reasonable position to take on security.
Agreed. DoH seems good for personal privacy (i.e. hides the um... meditation sites), but when it comes to enterprises, administrators will have no way of knowing what sites their users are actually being directed to.
So am I reading this right? Run all your user traffic to a self hosted DoH server and forward those requests to another DoH? To protect my users from the bad guys hiding their traffic in DoH, how would I detect the bad guys passing DoH traffic on my server?
I’m asking because I’m looking to do this for my users whenever we get back to the office.
7 comments
[ 4.6 ms ] story [ 29.1 ms ] threadI am not above thinking any government agency might put out disinformation to protect a source/access, but this one seems like a reasonable position to take on security.
I’m asking because I’m looking to do this for my users whenever we get back to the office.