Discussion:
DNS Queries Using API - BIND9
Blason R
2020-05-11 04:14:35 UTC
Hi Folks,

I am seeking a solution for the problem below and wanted to know if any open
source option can help us here.
We have our internal DNS RPZ firewall built on BIND9. Due to the current
situation, since all users are working from home, we are not able to route
their queries to our internal DNS servers. Well, when they are on VPN the
queries are definitely passed through the internal DNS server, but they are
left open when not connected to the VPN.

Is there any solution using:

- an API by which we can route the queries of users who are on the Internet;
- or any client utility which can be installed on the user's desktop/laptop,
in which we can embed our BIND RPZ server and then route the queries to the
internal one using NAT;
- or any other alternative the community can suggest?


This is just like Cisco Umbrella or any other paid DNS firewall solution,
but I am seeking an open source option.

Thanks & Regards
Blason R
Vadim Pavlov
2020-05-11 06:18:29 UTC
Hi Blason,

There are open source clients for iOS (DNSCloak) and Android (Intra) which use DoH (you will need to install a DoH proxy), but I'm not aware of free clients for Mac/Windows/Linux (maybe because they have embedded clients which can be configured to use any 3rd party DNS :).
The main issue is that BIND doesn't provide an authentication method. So in any case you somehow should manage access to the DNS server; otherwise it will become an open resolver and will be used for DDoS attacks.

I would recommend a few options here:
- Use a trial of any "paid" solution. E.g. Infoblox offers a 90 day free trial; it may be enough to get through the WFH stage;
- Require VPN back to your HQ and provision it so that it is established automatically;
- Install BIND on these laptops and push RPZ feeds directly to them (zone transfer can be authenticated by using TSIG keys). You may see issues if the feed size is >1m rules.
- Provide your employees VMs (if they have servers at home) or even a Raspberry Pi to protect the whole home network (actually it is important). On my ioc2rpz community site (https://ioc2rpz.net) you can take a look at the RpiDNS installation script. It installs ISC BIND and provisions my community RPZ feeds (you may replace them with your feeds), OpenResty for the admin interface and a walled garden page, and provisions rsyslog. On a Raspberry Pi Zero the installation takes about 10 minutes (demo video: https://www.youtube.com/watch?time_continue=2&v=942yKOGAwbU&feature=emb_logo).


BR,
Vadim
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
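Vadim's third option (a local BIND on each laptop that pulls the RPZ feed over a TSIG-authenticated zone transfer) in concrete form. This is an added example for this thread, not configuration from the original post, from ioc2rpz or from ISC. The zone name rpz.example.internal, the key name rpz-xfer, the server address 203.0.113.10 and the secret are assumptions; generate a real secret with `tsig-keygen -a hmac-sha256 rpz-xfer` and put the identical key statement on both sides. The commented-out block at the top is the misconfiguration Vadim warns about, shown beside the corrected one.

```conf
// Added example: TSIG-authenticated RPZ feed from the central BIND9 host to a
// laptop-local BIND. Assumed names: zone rpz.example.internal, key rpz-xfer,
// central server 203.0.113.10, and a placeholder secret (replace with the
// output of: tsig-keygen -a hmac-sha256 rpz-xfer).

// ---- WEAK (what the thread warns about): anyone on the Internet can pull the
// feed, and with recursion open to "any" the host is an open resolver that
// will be abused for DDoS reflection.
//
//   options { recursion yes; allow-query { any; }; allow-recursion { any; }; };
//   zone "rpz.example.internal" { type master; file "rpz.db"; allow-transfer { any; }; };

// ---- Central RPZ server (the existing internal BIND9 host) ----
key "rpz-xfer" {
    algorithm hmac-sha256;
    secret "cmVwbGFjZS1tZS13aXRoLXRzaWcta2V5Z2VuLW91dHB1dA==";   // placeholder
};

zone "rpz.example.internal" {
    type master;                                  // "primary" in newer BIND 9
    file "rpz.example.internal.db";
    allow-query    { localhost; key "rpz-xfer"; };   // SOA refresh checks are signed too
    allow-transfer { key "rpz-xfer"; };              // AXFR/IXFR only with the TSIG key
};

// ---- Each laptop (BIND 9 installed locally) ----
key "rpz-xfer" {
    algorithm hmac-sha256;
    secret "cmVwbGFjZS1tZS13aXRoLXRzaWcta2V5Z2VuLW91dHB1dA==";   // same key as above
};

zone "rpz.example.internal" {
    type slave;                                   // "secondary" in newer BIND 9
    masters { 203.0.113.10 key "rpz-xfer"; };     // signs refresh queries and transfers
    file "rpz.example.internal.db";
    allow-transfer { none; };                     // never re-serve the feed
};

options {
    listen-on    { 127.0.0.1; };                  // resolver for this machine only
    listen-on-v6 { ::1; };
    allow-query     { localhost; };
    allow-recursion { localhost; };               // local recursion, never an open resolver
    dnssec-validation auto;                       // the "bonus" validating resolver
    response-policy { zone "rpz.example.internal"; };
};
```

Laptops on home connections have changing addresses, so NOTIFY from the server is not useful; the secondary refreshes on the SOA timers instead, so keep the zone's refresh/retry short. To check the key from a laptop before rolling this out, `dig -y hmac-sha256:rpz-xfer:<secret> @203.0.113.10 rpz.example.internal AXFR` must return the zone while the same query without `-y` is refused; after `named-checkconf` and `rndc retransfer rpz.example.internal`, a `dig @127.0.0.1` for a name listed in the policy zone should return the RPZ action rather than the real answer. Note the point made later in the thread: a user with administrative rights can still point the OS at another resolver, so this controls the feed, not the user.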
Daniel Stirnimann
2020-05-11 06:26:47 UTC
Post by Vadim Pavlov
The main issue is that BIND doesn't provide an authentication method. So in
any case you somehow should manage access to the DNS server; otherwise
it will become an open resolver and will be used for DDoS attacks.
If you were to use DoH, you could use Basic Authentication. The DoH URL
you could configure on your client systems could be something like this:

https://username:***@doh.example.com/dns-query


Daniel
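The exchange Daniel describes, worked through on both sides, as an added example that is not part of the original thread and is not code from BIND, nginx or any poster. The client half builds an RFC 8484 query (wire-format message, base64url in the `dns` parameter or posted as `application/dns-message`) and the `Authorization: Basic` header that the `username:***@` part of the URL turns into; the gateway half refuses anything that does not authenticate before it parses a single DNS byte, then applies an RPZ-style policy lookup. The credential `alice:s3cret`, the `POLICY` table (standing in for the real RPZ zone) and the canned `FALLBACK_A` answer (the demo does no real recursion) are constructed assumptions.

```python
"""RFC 8484 DNS-over-HTTPS exchange gated by HTTP Basic Authentication (RFC 7617).
Added illustration for this thread, not code from BIND, nginx or any poster.
Constructed assumptions: credential alice:s3cret, the POLICY table standing in
for the real RPZ zone, and FALLBACK_A because this demo does no real recursion."""
import base64
import hmac
import struct
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

CREDENTIALS = {"alice": "s3cret"}          # constructed; one secret per user
POLICY = {"malware.test": "NXDOMAIN",      # constructed RPZ stand-in:
          "phish.test": "0.0.0.0"}         #   qname -> NXDOMAIN or an A rdata to return
FALLBACK_A = "198.51.100.1"                # constructed answer for unlisted names
NXDOMAIN = 3

def encode_name(name: str) -> bytes:
    """Owner name as length-prefixed labels (RFC 1035 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(wire: bytes, off: int) -> Tuple[str, int]:
    """Read a name at off, following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        ln = wire[off]
        if ln & 0xC0 == 0xC0:                   # two-byte compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            return ".".join(labels).lower(), end if jumped else off
        labels.append(wire[off:off + ln].decode("ascii"))
        off += ln

def build_query(name: str, qtype: int = 1) -> bytes:
    """Query for name/IN/qtype with ID 0 and RD set (RFC 8484 4.1 favours ID 0 for caching)."""
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(base_url: str, wire: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the dns parameter."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def basic_auth_header(user: str, password: str) -> str:
    """Client side: what the username:*** part of the DoH URL becomes on the wire."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def basic_auth_user(header: Optional[str]) -> Optional[str]:
    """Gateway side: the user the Authorization header proves, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CREDENTIALS.get(user)             # unknown user must fail even for ""
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user

def build_response(query: bytes, rcode: int, a_rdata: Optional[str]) -> bytes:
    """Answer the single question in query: same ID and question, QR/RD/RA set, given RCODE."""
    qid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]                # name + QTYPE + QCLASS
    answer = b""
    if a_rdata is not None:
        answer = (b"\xC0\x0C"                    # pointer to the question name
                  + struct.pack("!HHIH", 1, 1, 60, 4)    # A, IN, TTL 60, RDLENGTH 4
                  + bytes(int(o) for o in a_rdata.split(".")))
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 1 if answer else 0, 0, 0)
    return header + question + answer

def parse_response(wire: bytes) -> Tuple[int, List[str]]:
    """Client side: (RCODE, A addresses) from a response message."""
    flags, qdcount, ancount = struct.unpack("!HHH", wire[2:8])
    off, addrs = 12, []
    for _ in range(qdcount):
        _, off = decode_name(wire, off)
        off += 4
    for _ in range(ancount):
        _, off = decode_name(wire, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in wire[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def handle_doh(method: str, path: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Gateway: (HTTP status, body). Auth is checked before any DNS byte is parsed."""
    if basic_auth_user(headers.get("authorization")) is None:   # header names lower-cased
        return 401, b""                          # add WWW-Authenticate: Basic realm="doh"
    if method == "GET":
        param = parse_qs(urlsplit(path).query).get("dns", [""])[0]
        wire = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    elif method == "POST" and headers.get("content-type") == "application/dns-message":
        wire = body
    else:
        return 415, b""
    qname, _ = decode_name(wire, 12)
    action = POLICY.get(qname)                   # RPZ-style policy lookup on the QNAME
    if action == "NXDOMAIN":
        return 200, build_response(wire, NXDOMAIN, None)
    return 200, build_response(wire, 0, action or FALLBACK_A)
```

The same request from a real client is `curl -u alice:s3cret -H 'accept: application/dns-message' "$(python3 -c 'print(doh_get_url(...))')"` or a POST with `--data-binary @query.bin`; the gateway answers 401 without credentials, so the box is not usable as an open resolver, which is the gap Vadim points out with plain BIND. Two caveats the code makes visible: Basic credentials are only as private as the TLS session in front of this handler (the H in DoH is not optional), and a user who still controls the OS resolver settings can simply not use the gateway, which is the third objection raised later in the thread.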
Vadim Pavlov
2020-05-11 06:37:06 UTC
Good idea. It may work. I have been using Intra for 1.5 years (with my DNS) and actually didn't try it; likely my "old" DoH proxy doesn't support it.
With nginx it should be possible, if these open source clients support it.
For Win/Mac/Linux there should be some open source DoH clients (the backup will be using it just in browsers).

Vadim
Blason R
2020-05-11 06:43:18 UTC
I can do that, but:

1. How can I control unauthorized use?
2. Since once it is published on the Internet it can be used by anyone, right?
3. Plus, from the user's end they can change the DNS to avoid the protection.
Post by Reindl Harald
When you are in the position to use something like this, you can also
tell your users they have to configure their machines to use a public
DNS you are hosting, and you are done.
Blason R
2020-05-11 06:48:41 UTC
Hmm, any docs on configuring a DoH proxy?
Blason R
2020-05-11 06:52:21 UTC
That's a nice starting point:

https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/

But I am still looking for a client utility so that users cannot shut down
or suspend the service.
Vadim Pavlov
2020-05-11 06:57:01 UTC
If your users have admin permissions you probably will not find any open source tool which supports that. For restricted accounts on Windows, create policies.

BR,
Vadim
Blason R
2020-05-11 07:09:31 UTC
Nah, those are regular users. And I am thinking to work on a DoT proxy and
force that through GPO for browsers.
Reindl Harald
2020-05-11 05:31:08 UTC
Post by Blason R
* Or any client utility which can be installed on user's
desktop/laptop where we can embed our BIND RPZ server and then route
the queries to internal one using NAT?
When you are in the position to use something like this, you can also
tell your users they have to configure their machines to use a public
DNS you are hosting, and you are done.
Petr Menšík
2020-05-11 17:03:39 UTC
Hi,

AFAIK BIND is supported also on Windows. Would it be possible just to
install the BIND service on the local machine and configure it to download a DLZ
zone from your servers? It could authenticate using DDNS keys. And
forwarding would also be straightforward. As a bonus, they would get a local
validating resolver.

I think that would be quite satisfying for their security, but would
prevent you from watching them too closely. I think that would be an
advantage of sorts, especially when they are in "private" mode.

Of course some scripts to configure the installation would be required,
because an ordinary user does not want to configure BIND. Some smart
installer might be enough.

Regards,
Petr
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: ***@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
Blason R
2020-05-11 17:38:13 UTC
Hmmm, nice suggestion and I appreciate that.

But it would be too much for a normal user; I am looking for a simpler manner. Anyway,
if there is no option then we will have to live with the VPN option for now.