topic Re: Block DoH providers on SMB in Spark Firewall (SMB)

Block DoH providers on SMB

HristoGrigorov — Thu, 12 Mar 2020 11:10:30 GMT

Hello SMB admins,

Inspired by this thread

https://community.checkpoint.com/t5/Access-Control-Products/How-to-deal-with-DNS-over-HTTPS-DNS-over-TLS-QUIC-and-PSOM/m-p/77082

I decided to play a bit and came up with a simple command to block DoH providers on SMB using 'sim dropcfg':

#!/bin/sh DB_FILE=/tmp/public-resolvers-doh.db curl_cli -sk https://download.dnscrypt.info/dnscrypt-resolvers/json/public-resolvers.json | jq '.[] | {addrs,proto:"DoH"}' | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -n | uniq | awk '{print "dst " $0 " dport 443 proto 6"}' > $DB_FILE if [ $(stat -c %s $DB_FILE) == 0 ]; then echo "error: failed to download DoH providers list" rm -f $DB_FILE exit 1 fi echo "dst 1.1.1.1 dport 443 proto 6" >> $DB_FILE echo "dst 104.16.248.249 dport 443 proto 6" >> $DB_FILE echo "dst 8.8.4.4 dport 443 proto 6" >> $DB_FILE sim dropcfg -e -y -f $DB_FILE

This will only block DoH providers as DNScrypt ones have application recognition already. But if you need them too it is easy to adapt...

Use 'sim dropcfg -l' to check current stats.

Re: Block DoH providers on SMB

Sean_Roth — Wed, 11 Mar 2020 22:10:50 GMT

Great idea! I'll keep this in my toolbox. I think you meant to use this jq though: jq '.[] | select(.proto == "DoH") | .addrs'

Re: Block DoH providers on SMB

HristoGrigorov — Thu, 12 Mar 2020 04:25:23 GMT

Thanx! I am not exactly jq-master so I guess there is a better way to do it. This one seems to work fine as well.

Re: Block DoH providers on SMB

Martin_Valenta — Thu, 12 Mar 2020 09:53:29 GMT

Cool stuff, wondering why does it missing Cloudfare DNS (1.1.1.1), which responds on https too..

Re: Block DoH providers on SMB

HristoGrigorov — Thu, 12 Mar 2020 11:09:00 GMT

Thanx for reminding me. I forgot to add them. Modified the script a little...