How to block DoH without blocking other Cloudflare services: ngrep -K 100 http://cloudflare-dns.com 'dst 1.1.1.1 and tcp port 443' - Because SNI.
-
Show this thread
-
-
Replying to @rjsalts
Doesn’t ESNI already require a secure DNS connection to be established?
1 reply 0 retweets 0 likes -
Replying to @jedisct1
It requires the public key to be used to encrypt the SNI header in the handshake. That can be communicated via dns (draft rfc covers dns record format), but I'm not sure it has to be secure and you can cache for ages. It could also be "pinned" in DOH resolver software.
1 reply 0 retweets 1 like
Replying to @rjsalts
So the resolver’s public key would be included in the stamp. That’s funny.
6:05 AM - 17 Jul 2019
0 replies
0 retweets
0 likes
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.