What's happening on your network (Do you know?)

IPS / IDS for a home user who is not providing a service to the world will be of little use, imho :wink:

Snort and the rest of the solutions make sense in 2022 if we open encrypted traffic and then the analysis is performed. Analyzing encrypted traffic is very limited, not to say the least effective.

However, when we do not open our network to the world, there is no need to use IPS / IDS unless the user knows what he is doing. imho

I can recommend a relatively simple rule for a SOHO network segment. Block all inbound, only allow specific outbound traffic.
Much also depends on the resources that the user has at his disposal. VLAN, IDS / IPS are all nice toys but not everyone in SOHO will have such resources.

I understand that we are talking about a home network and not something corporate?

On the LAN-WAN, activate the firewall. And here you block all traffic coming to the LAN. At the same time, you allow a certain type of outgoing traffic and / or allow everything (I don’t).
On this firewall you can block outgoing traffic for ports 53 and 853 if you want to restrict external DNS access for devices on the LAN.

Via DHCP you can broadcast your DNS, pihole / pfng… to devices on the LAN.

On every device on which it is technically possible, also run a local firewall and use a similar network traffic policy. Block all inbound and only allow specific outbound traffic.

As for blocking DoH… at the moment, there are still few devices that prefer such communication with DNS, so you probably shouldn’t have a lot of such devices on the LAN. But if it is your will to block DoH… As mentioned before, you can block IPs / domains of DoH resources. You can do it both locally per device and centrally at LAN-WAN.

On the other hand, if some device does not need to have access to TCP 443, just block all of that traffic for it.

In general, blocking DoH communication is not that simple without deep packet inspection. A simple method is to filter the known public DoH.

2 Likes
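The LAN-WAN policy described in the post above, modelled as an added example (not part of the original post) that runs constructed connection attempts through the rules in order and reports what each device had dropped. The LAN range, the outbound allow-list and the three-entry DoH list are assumptions chosen for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
# Small sample of well-known public DoH resolver addresses (assumed list;
# a real one is much longer and needs regular updates).
KNOWN_DOH = {ipaddress.ip_address(a) for a in ("1.1.1.1", "8.8.8.8", "9.9.9.9")}
# Assumed "specific outbound" allow-list: HTTP, HTTPS, NTP.
ALLOWED_OUT = {("tcp", 80), ("tcp", 443), ("udp", 123)}

def decide(src, dst, proto, dport):
    """Return (action, reason) for a NEW connection crossing the LAN-WAN firewall.
    Replies to established connections are assumed to be accepted statefully."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in LAN:
        return ("drop", "inbound: no service is offered to the world")
    if dport in (53, 853):
        return ("drop", "external DNS/DoT: use the resolver announced via DHCP")
    if dst in KNOWN_DOH and dport == 443:
        return ("drop", "known public DoH endpoint")
    if (proto, dport) in ALLOWED_OUT:
        return ("accept", "allowed outbound service")
    return ("drop", "outbound default deny")

# Constructed sample flows: (src, dst, proto, dport). Non-resolver addresses
# come from the documentation ranges.
FLOWS = [
    ("192.168.1.20", "192.0.2.10", "tcp", 443),    # ordinary HTTPS
    ("192.168.1.30", "8.8.8.8", "udp", 53),        # device with hard-coded DNS
    ("192.168.1.30", "1.1.1.1", "tcp", 853),       # DNS over TLS
    ("192.168.1.40", "9.9.9.9", "tcp", 443),       # DoH to a listed resolver
    ("192.168.1.40", "203.0.113.7", "tcp", 443),   # DoH to an unlisted resolver
    ("192.168.1.50", "203.0.113.50", "tcp", 25),   # port not on the allow-list
    ("198.51.100.9", "192.168.1.20", "tcp", 22),   # unsolicited inbound
]

def audit(flows):
    """Map each source address to the reasons its connections were dropped."""
    report = {}
    for src, dst, proto, dport in flows:
        action, reason = decide(src, dst, proto, dport)
        if action == "drop":
            report.setdefault(src, []).append(reason)
    return report

if __name__ == "__main__":
    for src, reasons in audit(FLOWS).items():
        print(src, "->", "; ".join(reasons))
```

The flow to 203.0.113.7 is accepted because, without deep packet inspection, DoH to an unlisted resolver is indistinguishable from any other HTTPS connection.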