Had to push firewall policy today stating that mask.apple-dns.net is NOT spyware, and to exclude that domain from the threat logs and to NOT drop that traffic.

:(

@kajer who made you…..

@bosh when ELT comes over with "this has been happening for a while, but now I'm sick of dealing with it"

@kajer that sucks

@bosh Palo Alto was right to block apple dns, and apple doesn't have a robust mechanism to deal with dns timeouts so safari and firefox fail to load pages on the first attempt.

Meanwhile chrome using DoH by default be going through.

@kajer ugh i loathe doh or dot leave my dns alone ya jerks. i block the apple stuff at home to force my dns servers

@kajer

I wasn't aware of this until now. Is this another "we don't want anyone else tracking you" scheme like most browsers defaulting to DoH to corporate DNS servers?

@johntimaeus it's an iCloud privacy thing? its well-meaning purpose is to prevent dns leakage if using tunnels IIRC?

@kajer

Just an old guy screaming at clouds:
If I'm protecting a network, all DNS goes through me. And I run a proper caching server that only believes in root servers.

I generally am against overcontrolling client devices, but they better not be trying to DoH, or hide lookups, because that's one of the easy buttons for detection of stupid breaches.

@johntimaeus @kajer I can appreciate this stance. "You use the DNS I have set up, or you don't go anywhere."

@da_667 @kajer

"You can remember IPs. You can't look them up unless I can see what you're looking up."

@johntimaeus @da_667 @kajer yup, even my pi-hole forwards to bind9-in-a-separate-pi

@mousey @da_667 @kajer

Curious, why have a separate device instead of just running bind locally and forwarding from there?

@johntimaeus @da_667 @kajer The backend dns hosts internal network names. Pi-hole is for the family DNS.
(Mainly so I can take down one or the other (maintenance, upgrades, etc) without affecting service)

Yay overly complicated home labs! 😁

@johntimaeus @kajer to be honest, for work or school networks, blocking the iCloud privacy and DoH stuff is reasonable. Want to go somewhere else for DNS, no no, everything is funneled to our DNS infra.

@johntimaeus I fully agree, and my objection has been "noted"

@kajer Why not? Just another DoH provider. Block or mitm (if they're not checking certs that's their problem).
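Added example illustrating the stance the thread converges on ("all DNS goes through me", DoH/DoT get flagged, and, per the first post's policy, mask.apple-dns.net is neither dropped nor written to the threat log). This is illustration code, not anything a poster in the thread wrote or runs. The internal resolver address, the key=value log format, the sample flows and the DoH resolver hostnames are constructed placeholders; the only real name used is mask.apple-dns.net, which the thread itself mentions.

```python
"""Classify DNS-related egress flows from a constructed firewall connection log.

Policy encoded here (assumption, modelled on the thread):
  * port 53 to the internal resolver        -> allow
  * port 53 anywhere else                   -> dns-bypass, drop, threat log
  * tcp/853 (DNS over TLS)                  -> dot, drop, threat log
  * tcp/443 to a listed DoH resolver SNI    -> doh, drop, threat log
  * tcp/443 with SNI mask.apple-dns.net     -> private-relay, allow, NOT in threat log
"""
import ipaddress
from dataclasses import dataclass

# Assumed internal caching resolver (placeholder address).
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
# Excluded from threat logging and not dropped, per the firewall policy in the thread.
POLICY_ALLOWED_SNI = {"mask.apple-dns.net"}
# Hypothetical DoH resolver hostnames an admin would maintain (placeholders, not real hosts).
DOH_SNI = {"doh.example-resolver.invalid", "dns.example-provider.invalid"}


@dataclass(frozen=True)
class Verdict:
    category: str    # dns, dns-bypass, dot, doh, private-relay, other
    action: str      # allow or drop
    threat_log: bool # whether the flow belongs in the threat log


def parse_line(line: str) -> dict:
    """Parse one constructed 'key=value key=value ...' firewall log line."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    fields["dport"] = int(fields["dport"])
    return fields


def classify(flow: dict) -> Verdict:
    """Apply the policy table from the module docstring to one parsed flow."""
    proto, dport = flow["proto"], flow["dport"]
    dst = ipaddress.ip_address(flow["dst"])
    sni = flow.get("sni", "-")
    if dport == 53:
        if dst in INTERNAL_RESOLVERS:
            return Verdict("dns", "allow", False)
        return Verdict("dns-bypass", "drop", True)   # client ignoring the sanctioned resolver
    if proto == "tcp" and dport == 853:
        return Verdict("dot", "drop", True)          # DNS over TLS hides lookups from the resolver
    if proto == "tcp" and dport == 443:
        if sni in POLICY_ALLOWED_SNI:
            return Verdict("private-relay", "allow", False)  # not spyware; keep it out of threat logs
        if sni in DOH_SNI:
            return Verdict("doh", "drop", True)      # DNS over HTTPS to a known resolver
    return Verdict("other", "allow", False)


# Constructed sample log: one flow per policy row plus an ordinary HTTPS flow.
SAMPLE_LOG = """\
src=10.0.1.20 dst=10.0.0.53 proto=udp dport=53 sni=-
src=10.0.1.21 dst=203.0.113.9 proto=udp dport=53 sni=-
src=10.0.1.22 dst=203.0.113.10 proto=tcp dport=853 sni=-
src=10.0.1.23 dst=203.0.113.11 proto=tcp dport=443 sni=doh.example-resolver.invalid
src=10.0.1.24 dst=203.0.113.12 proto=tcp dport=443 sni=mask.apple-dns.net
src=10.0.1.25 dst=203.0.113.13 proto=tcp dport=443 sni=www.example.com
"""


def summarize(log: str) -> dict:
    """Count flows per verdict category for a whole log."""
    counts: dict = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        verdict = classify(parse_line(line))
        counts[verdict.category] = counts.get(verdict.category, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(parse_line(line)), "<-", line)
    print(summarize(SAMPLE_LOG))
```

The SNI-based rows only work while the firewall can read the server name from the TLS handshake; that visibility is exactly the "easy button" the thread is talking about, which is why the thread treats DoH and DoT as things to block at the edge rather than things to inspect after the fact.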