Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] An option to always return NXDOMAIN for TYPE65 (HTTPS) query #7607

Open
3 tasks done
SukkaW opened this issue Jan 31, 2025 · 0 comments
Open
3 tasks done

[Feature Request] An option to always return NXDOMAIN for TYPE65 (HTTPS) query #7607

SukkaW opened this issue Jan 31, 2025 · 0 comments
Labels
feature request

Comments

@SukkaW
Copy link

SukkaW commented Jan 31, 2025

Prerequisites

  • I have checked the Wiki and Discussions and found no answer

  • I have searched other issues and found no duplicates

  • I want to request a feature or enhancement and not ask a question

The problem

Enterprise network needs IDS/IPS to meet the PCI-DSS (and many other security) requirements. This includes sniffing plain client hello to get the domain name from the HTTPS connection. ECH (Encrypted Client Hello) breaks that.

Per https://developers.cloudflare.com/ssl/edge-certificates/ech/, it is possible to disable ECH in browsers like Chrome by simply returning NXDOMAIN to TYPE65 (HTTPS) DNS query.

Proposed solution

Add an option to AdGuardHome to return all NXDOMAIN to TYPE65 (HTTPS) DNS query.

Alternatives considered and additional information

Haven't tested this out yet, but this rule might work, I don't know:

||*^$dnstype=HTTPS|TYPE65,dnsrewrite=NXDOMAIN
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@SukkaW