Reply to post: Re: El Reg, I love you

DoH! Secure DNS doesn't make us a villain, Mozilla tells UK broadband providers

JohnFen

Re: El Reg, I love you

"If they have an internal list (like Microsoft does), the resolution is done at localhost and can't be blocked."

If they have an internal list, then blocking is easily done by your firewall (which Microsoft has no access to or control of). Just drop all packets going to the IP addresses in the list.

"If the DNS is tunneled (such as via a VPN, which existed before DoH), how do they block the DNS attempt without blocking something legitimate?"

I'm not sure I understand your question. I can think of a number of different scenarios that you may be referring to, and each of them is handled a bit differently. Rather than write an essay covering everything, I'll punt and ask for a more precise question instead.

The new vulnerability DoH creates isn't so much a result of the encrypted communications channel as it is the creation of standard DoH resolvers, plus the standardization of pushing non-HTTP traffic through the HTTPS port. It was easier to detect unauthorized communications streams (such as a VPN connection) to alert me that I had an intrusion that had to be dealt with.

A similar (although less comprehensive) effect was always possible, but it was rarely done because it requires a bit of technical knowledge and it's hard to hide. The existence of DoH eliminates both of those speed bumps. DoH makes defense harder because it allows the use of "legitimate" DoH resolvers that can't be blocked without serious adverse consequences, and makes intrusion detection more difficult.

From my point of view, DoH doesn't provide much more DNS security than was already achievable using other methods, and introduces a rather large security problem that didn't exist before. That's why I not only consider DoH to be a Bad Thing, I consider it an active threat.
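The IP-level blocking JohnFen describes, as an added example that is not part of the original post or thread: a small Python script that flags flows to addresses on a (constructed) resolver list regardless of port, then emits the matching nftables drop rule. The address ranges, the sample flow records and the nft chain name are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder list (documentation ranges) standing in for the
# resolver addresses on an application's built-in list; not real resolvers.
BLOCKED_RESOLVERS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.53/32")]

# Constructed sample flow records: "<ts> <src> <dst> <dport> <proto>"
SAMPLE_FLOWS = """\
1 10.0.0.5 203.0.113.53 443 tcp
2 10.0.0.5 192.0.2.10 443 tcp
3 10.0.0.7 198.51.100.9 443 tcp
4 10.0.0.7 192.0.2.10 80 tcp
"""

def parse_flows(text):
    """Turn the whitespace-separated records into dicts; skip blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": int(ts), "src": ip_address(src), "dst": ip_address(dst),
                      "dport": int(dport), "proto": proto})
    return flows

def flagged_flows(flows, blocked=BLOCKED_RESOLVERS):
    """Return flows whose destination lies in any blocked resolver prefix.
    Matching on the destination address works even though the payload looks
    like ordinary HTTPS on port 443, which is the point of the post."""
    return [f for f in flows if any(f["dst"] in net for net in blocked)]

def nft_drop_rule(blocked=BLOCKED_RESOLVERS, chain="inet filter forward"):
    """Build the nft command that drops all traffic to the listed addresses.
    The chain name is an assumption; adjust it to the local ruleset."""
    members = ", ".join(str(net) for net in blocked)
    return f"nft add rule {chain} ip daddr {{ {members} }} drop"

if __name__ == "__main__":
    for f in flagged_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"flow {f['ts']}: {f['src']} -> {f['dst']}:{f['dport']} hits resolver blocklist")
    print(nft_drop_rule())
```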
