Rooba
/
mitmproxy
mirror of https://github.com/mitmproxy/mitmproxy.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mitmproxy/examples/contrib/block_dns_over_https.py

360 lines
10 KiB
Python
Raw Normal View History

example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
"""
This module is for blocking DNS over HTTPS requests.
It loads a blocklist of IPs and hostnames that are known to serve DNS over HTTPS requests.
It also uses headers, query params, and paths to detect DoH (and block it)
"""
Bump the github-actions group with 3 updates (#6701) Bumps the github-actions group with 3 updates: [install-pinned/ruff](https://github.com/install-pinned/ruff), [apple-actions/import-codesign-certs](https://github.com/apple-actions/import-codesign-certs) and [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action). Updates `install-pinned/ruff` from fe472defb50a6a2c00ea3a3982534e86e69991e8 to 38b373a3a8635c2be31d92314e816a491fda910a <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/install-pinned/ruff/commit/38b373a3a8635c2be31d92314e816a491fda910a"><code>38b373a</code></a> update README.md (ruff 0.3.0)</li> <li><a href="https://github.com/install-pinned/ruff/commit/06af3ea1c373cd2677585074ab30c71d85424629"><code>06af3ea</code></a> update pins (ruff 0.3.0)</li> <li><a href="https://github.com/install-pinned/ruff/commit/be1c354876e78dc826f323b569172d562e94c34a"><code>be1c354</code></a> update README.md (ruff 0.2.2)</li> <li><a href="https://github.com/install-pinned/ruff/commit/c9779bbd5bbeee0bd30ec6af46435bb50983da6e"><code>c9779bb</code></a> update pins (ruff 0.2.2)</li> <li><a href="https://github.com/install-pinned/ruff/commit/48831a86ce1ccf6386ae7e04eb47efc8780b4b5e"><code>48831a8</code></a> update README.md (ruff 0.2.1)</li> <li><a href="https://github.com/install-pinned/ruff/commit/6775b5f352f196b7b074ede5706349427b9598bf"><code>6775b5f</code></a> update pins (ruff 0.2.1)</li> <li><a href="https://github.com/install-pinned/ruff/commit/bc12a64c2f0fd73d270f1b96fecb9f7706478bff"><code>bc12a64</code></a> update README.md (ruff 0.2.0)</li> <li><a href="https://github.com/install-pinned/ruff/commit/3b8cceff45bcd350eb966a5122a8a258775944d3"><code>3b8ccef</code></a> update pins (ruff 0.2.0)</li> <li>See full diff in <a href="https://github.com/install-pinned/ruff/compare/fe472defb50a6a2c00ea3a3982534e86e69991e8...38b373a3a8635c2be31d92314e816a491fda910a">compare view</a></li> </ul> </details> <br /> Updates `apple-actions/import-codesign-certs` from 5565bb656f60c98c8fc515f3444dd8db73545dc2 to 493007ed063995cf2d4fbca064704150548f8bb5 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Apple-Actions/import-codesign-certs/commit/493007ed063995cf2d4fbca064704150548f8bb5"><code>493007e</code></a> Merge pull request <a href="https://redirect.github.com/apple-actions/import-codesign-certs/issues/62">#62</a> from himself65/patch-1</li> <li><a href="https://github.com/Apple-Actions/import-codesign-certs/commit/2e5aa07267146829e3b8877c13292e75e21b7c8d"><code>2e5aa07</code></a> Update README.md</li> <li>See full diff in <a href="https://github.com/apple-actions/import-codesign-certs/compare/5565bb656f60c98c8fc515f3444dd8db73545dc2...493007ed063995cf2d4fbca064704150548f8bb5">compare view</a></li> </ul> </details> <br /> Updates `docker/setup-buildx-action` from 3.0.0 to 3.1.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/setup-buildx-action/releases">docker/setup-buildx-action's releases</a>.</em></p> <blockquote> <h2>v3.1.0</h2> <ul> <li><code>cache-binary</code> input to enable/disable caching binary to GHA cache backend by <a href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/300">docker/setup-buildx-action#300</a></li> <li>build(deps): bump <code>@​babel/traverse</code> from 7.17.3 to 7.23.2 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/282">docker/setup-buildx-action#282</a></li> <li>build(deps): bump <code>@​docker/actions-toolkit</code> from 0.12.0 to 0.17.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/281">docker/setup-buildx-action#281</a> <a href="https://redirect.github.com/docker/setup-buildx-action/pull/284">docker/setup-buildx-action#284</a> <a href="https://redirect.github.com/docker/setup-buildx-action/pull/299">docker/setup-buildx-action#299</a></li> <li>build(deps): bump uuid from 9.0.0 to 9.0.1 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/271">docker/setup-buildx-action#271</a></li> <li>build(deps): bump undici from 5.26.3 to 5.28.3 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/297">docker/setup-buildx-action#297</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/setup-buildx-action/compare/v3.0.0...v3.1.0">https://github.com/docker/setup-buildx-action/compare/v3.0.0...v3.1.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/setup-buildx-action/commit/0d103c3126aa41d772a8362f6aa67afac040f80c"><code>0d103c3</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/300">#300</a> from crazy-max/cache-binary</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/f19477aacd2ccdd80bdd9fbec62762494a0a767e"><code>f19477a</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/a4180f835da34b09329293a0b481b5666f80fe81"><code>a4180f8</code></a> cache-binary input to enable/disable caching binary to GHA cache backend</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/524315340de4f701033248e1ee6a0197904b1134"><code>5243153</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/299">#299</a> from docker/dependabot/npm_and_yarn/docker/actions-to...</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/3679a540239bdf202e26eeb4431159bcdea9c39c"><code>3679a54</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/37a22a2fb2c4ebcab21ecf45608143b890d732c1"><code>37a22a2</code></a> build(deps): bump <code>@​docker/actions-toolkit</code> from 0.14.0 to 0.17.0</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/65afe610a110d2c4d102a28949259935a323043c"><code>65afe61</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/297">#297</a> from docker/dependabot/npm_and_yarn/undici-5.28.3</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/fcb8f722fd7e9a83a2f57fc6c9124259661542f3"><code>fcb8f72</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/f62b9a17c0f199a60048d54f30e75f61af13aa85"><code>f62b9a1</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/298">#298</a> from crazy-max/bump-gha</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/74c5b717e5e6f00c85a46548cbc0bfd7016969c6"><code>74c5b71</code></a> bump codecov/codecov-action from 3 to 4</li> <li>Additional commits viewable in <a href="https://github.com/docker/setup-buildx-action/compare/f95db51fddba0c2d1ec667646a06c2ce06100226...0d103c3126aa41d772a8362f6aa67afac040f80c">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2024-03-06 20:54:11 +00:00
switch to stdlib logging mitmproxy previously used a homegrown logging mechanism based around `mitmproxy.ctx.log` and the `add_log` hook. This worked well for everything we control, but does not work outside the mitmproxy universe. For now we have simply ignored logging in e.g. tornado or h2, but with the upcoming introduction of mitmproxy_wireguard we now have a dependency on some Rust/PyO3 code for which we definitely want logs, but which also cannot easily be changed to use our homegrown logging (PyO3 does the heavy lifting to add interoperability with stdlib logging). Long story short, we want to introduce a log handler for stdlib logging. Now there are two ways how such a handler could operate: 1. We could build a handler that forwards all stdlib log events into our homegrown mechanism. 2. We embrace stdlib's logging as the correct way to do things, and get rid of our homegrown stuff. This PR follows the second approach by removing the `add_log` hook and rewriting the `TermLog` and `EventStore` addons to listen for stdlib log records. This means that all `mitmproxy.ctx.log.info` events are now simply `logging.info` etc. One upside of this approach is that many parts of the codebase now don't depend on the existence of `mitmproxy.ctx` and we can use off-the-shelf things like pytest's `caplog`. We can also now better colorize log output and/or add timestamps.
2022-09-17 13:41:54 +00:00
import logging
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
replace scraping and DNS lookups with static list
2020-04-05 03:18:58 +00:00
# known DoH providers' hostnames and IP addresses to block
broke up long line into multiple lines
2020-04-05 03:27:58 +00:00
default_blocklist: dict = {
"hostnames": [
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
"dns.adguard.com",
"dns-family.adguard.com",
"dns.google",
"cloudflare-dns.com",
"mozilla.cloudflare-dns.com",
"security.cloudflare-dns.com",
"family.cloudflare-dns.com",
"dns.quad9.net",
"dns9.quad9.net",
"dns10.quad9.net",
"dns11.quad9.net",
"doh.opendns.com",
"doh.familyshield.opendns.com",
"doh.cleanbrowsing.org",
"doh.xfinity.com",
"dohdot.coxlab.net",
"odvr.nic.cz",
"doh.dnslify.com",
"dns.nextdns.io",
"dns.dnsoverhttps.net",
"doh.crypto.sx",
"doh.powerdns.org",
"doh-fi.blahdns.com",
"doh-jp.blahdns.com",
"doh-de.blahdns.com",
"doh.ffmuc.net",
"dns.dns-over-https.com",
"doh.securedns.eu",
"dns.rubyfish.cn",
"dns.containerpi.com",
"dns.containerpi.com",
"dns.containerpi.com",
"doh-2.seby.io",
"doh.seby.io",
"commons.host",
"doh.dnswarden.com",
"doh.dnswarden.com",
"doh.dnswarden.com",
"dns-nyc.aaflalo.me",
"dns.aaflalo.me",
"doh.applied-privacy.net",
"doh.captnemo.in",
"doh.tiar.app",
"doh.tiarap.org",
"doh.dns.sb",
"rdns.faelix.net",
"doh.li",
"doh.armadillodns.net",
"jp.tiar.app",
"jp.tiarap.org",
"doh.42l.fr",
"dns.hostux.net",
"dns.hostux.net",
"dns.aa.net.uk",
"adblock.mydns.network",
"ibksturm.synology.me",
"jcdns.fun",
"ibuki.cgnat.net",
"dns.twnic.tw",
"example.doh.blockerdns.com",
"dns.digitale-gesellschaft.ch",
"doh.libredns.gr",
"doh.centraleu.pi-dns.com",
"doh.northeu.pi-dns.com",
"doh.westus.pi-dns.com",
"doh.eastus.pi-dns.com",
"dns.flatuslifir.is",
"private.canadianshield.cira.ca",
"protected.canadianshield.cira.ca",
"family.canadianshield.cira.ca",
"dns.google.com",
"dns.google.com",
broke up long line into multiple lines
2020-04-05 03:27:58 +00:00
],
"ips": [
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
"104.16.248.249",
"104.16.248.249",
"104.16.249.249",
"104.16.249.249",
"104.18.2.55",
"104.18.26.128",
"104.18.27.128",
"104.18.3.55",
"104.18.44.204",
"104.18.44.204",
"104.18.45.204",
"104.18.45.204",
"104.182.57.196",
"104.236.178.232",
"104.24.122.53",
"104.24.123.53",
"104.28.0.106",
"104.28.1.106",
"104.31.90.138",
"104.31.91.138",
"115.159.131.230",
"116.202.176.26",
"116.203.115.192",
"136.144.215.158",
"139.59.48.222",
"139.99.222.72",
"146.112.41.2",
"146.112.41.3",
"146.185.167.43",
"149.112.112.10",
"149.112.112.11",
"149.112.112.112",
"149.112.112.9",
"149.112.121.10",
"149.112.121.20",
"149.112.121.30",
"149.112.122.10",
"149.112.122.20",
"149.112.122.30",
"159.69.198.101",
"168.235.81.167",
"172.104.93.80",
"172.65.3.223",
"174.138.29.175",
"174.68.248.77",
"176.103.130.130",
"176.103.130.131",
"176.103.130.132",
"176.103.130.134",
"176.56.236.175",
"178.62.214.105",
"185.134.196.54",
"185.134.197.54",
"185.213.26.187",
"185.216.27.142",
"185.228.168.10",
"185.228.168.168",
"185.235.81.1",
"185.26.126.37",
"185.26.126.37",
"185.43.135.1",
"185.95.218.42",
"185.95.218.43",
"195.30.94.28",
"2001:148f:fffe::1",
"2001:19f0:7001:3259:5400:2ff:fe71:bc9",
"2001:19f0:7001:5554:5400:2ff:fe57:3077",
"2001:19f0:7001:5554:5400:2ff:fe57:3077",
"2001:19f0:7001:5554:5400:2ff:fe57:3077",
"2001:4860:4860::8844",
"2001:4860:4860::8888",
"2001:4b98:dc2:43:216:3eff:fe86:1d28",
"2001:558:fe21:6b:96:113:151:149",
"2001:608:a01::3",
"2001:678:888:69:c45d:2738:c3f2:1878",
"2001:8b0::2022",
"2001:8b0::2023",
"2001:c50:ffff:1:101:101:101:101",
"210.17.9.228",
"217.169.20.22",
"217.169.20.23",
"2400:6180:0:d0::5f73:4001",
"2400:8902::f03c:91ff:feda:c514",
"2604:180:f3::42",
"2604:a880:1:20::51:f001",
"2606:4700::6810:f8f9",
"2606:4700::6810:f9f9",
"2606:4700::6812:1a80",
"2606:4700::6812:1b80",
"2606:4700::6812:237",
"2606:4700::6812:337",
"2606:4700:3033::6812:2ccc",
"2606:4700:3033::6812:2dcc",
"2606:4700:3033::6818:7b35",
"2606:4700:3034::681c:16a",
"2606:4700:3035::6818:7a35",
"2606:4700:3035::681f:5a8a",
"2606:4700:3036::681c:6a",
"2606:4700:3036::681f:5b8a",
"2606:4700:60:0:a71e:6467:cef8:2a56",
"2620:10a:80bb::10",
"2620:10a:80bb::20",
"2620:10a:80bb::30" "2620:10a:80bc::10",
"2620:10a:80bc::20",
"2620:10a:80bc::30",
"2620:119:fc::2",
"2620:119:fc::3",
"2620:fe::10",
"2620:fe::11",
"2620:fe::9",
"2620:fe::fe:10",
"2620:fe::fe:11",
"2620:fe::fe:9",
"2620:fe::fe",
"2a00:5a60::ad1:ff",
"2a00:5a60::ad2:ff",
"2a00:5a60::bad1:ff",
"2a00:5a60::bad2:ff",
"2a00:d880:5:bf0::7c93",
"2a01:4f8:1c0c:8233::1",
"2a01:4f8:1c1c:6b4b::1",
"2a01:4f8:c2c:52bf::1",
"2a01:4f9:c010:43ce::1",
"2a01:4f9:c01f:4::abcd",
"2a01:7c8:d002:1ef:5054:ff:fe40:3703",
"2a01:9e00::54",
"2a01:9e00::55",
"2a01:9e01::54",
"2a01:9e01::55",
"2a02:1205:34d5:5070:b26e:bfff:fe1d:e19b",
"2a03:4000:38:53c::2",
"2a03:b0c0:0:1010::e9a:3001",
"2a04:bdc7:100:70::abcd",
"2a05:fc84::42",
"2a05:fc84::43",
"2a07:a8c0::",
"2a0d:4d00:81::1",
"2a0d:5600:33:3::abcd",
"35.198.2.76",
"35.231.247.227",
"45.32.55.94",
"45.67.219.208",
"45.76.113.31",
"45.77.180.10",
"45.90.28.0",
"46.101.66.244",
"46.227.200.54",
"46.227.200.55",
"46.239.223.80",
"8.8.4.4",
"8.8.8.8",
"83.77.85.7",
"88.198.91.187",
"9.9.9.10",
"9.9.9.11",
"9.9.9.9",
"94.130.106.88",
"95.216.181.228",
"95.216.212.177",
"96.113.151.148",
],
broke up long line into multiple lines
2020-04-05 03:27:58 +00:00
}
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
# additional hostnames to block
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
additional_doh_names: list[str] = ["dns.google.com"]
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
# additional IPs to block
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
additional_doh_ips: list[str] = []
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
doh_hostnames, doh_ips = default_blocklist["hostnames"], default_blocklist["ips"]
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
# convert to sets for faster lookups
doh_hostnames = set(doh_hostnames)
doh_ips = set(doh_ips)
def _has_dns_message_content_type(flow):
"""
Check if HTTP request has a DNS-looking 'Content-Type' header
:param flow: mitmproxy flow
:return: True if 'Content-Type' header is DNS-looking, False otherwise
"""
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
doh_content_types = ["application/dns-message"]
if "Content-Type" in flow.request.headers:
if flow.request.headers["Content-Type"] in doh_content_types:
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
return True
return False
fix lint errors
2020-03-05 05:06:27 +00:00
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
def _request_has_dns_query_string(flow):
"""
Check if the query string of a request contains the parameter 'dns'
:param flow: mitmproxy flow
:return: True is 'dns' is a parameter in the query string, False otherwise
"""
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
return "dns" in flow.request.query
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
fix lint errors
2020-03-05 05:06:27 +00:00
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
def _request_is_dns_json(flow):
"""
Check if the request looks like DoH with JSON.
The only known implementations of DoH with JSON are Cloudflare and Google.
For more info, see:
- https://developers.cloudflare.com/1.1.1.1/dns-over-https/json-format/
- https://developers.google.com/speed/public-dns/docs/doh/json
:param flow: mitmproxy flow
:return: True is request looks like DNS JSON, False otherwise
"""
# Header 'Accept: application/dns-json' is required in Cloudflare's DoH JSON API
# or they return a 400 HTTP response code
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
if "Accept" in flow.request.headers:
if flow.request.headers["Accept"] == "application/dns-json":
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
return True
# Google's DoH JSON API is https://dns.google/resolve
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
path = flow.request.path.split("?")[0]
if flow.request.host == "dns.google" and path == "/resolve":
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
return True
return False
fix lint errors
2020-03-05 05:06:27 +00:00
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
def _request_has_doh_looking_path(flow):
"""
Check if the path looks like it's DoH.
Most common one is '/dns-query', likely because that's what's in the RFC
:param flow: mitmproxy flow
:return: True if path looks like it's DoH, otherwise False
"""
doh_paths = [
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
"/dns-query", # used in example in RFC 8484 (see https://tools.ietf.org/html/rfc8484#section-4.1.1)
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
]
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
path = flow.request.path.split("?")[0]
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
return path in doh_paths
fix lint errors
2020-03-05 05:06:27 +00:00
blacklist -> blocklist
2020-07-04 10:09:51 +00:00
def _requested_hostname_is_in_doh_blocklist(flow):
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
"""
blacklist -> blocklist
2020-07-04 10:09:51 +00:00
Check if server hostname is in our DoH provider blocklist.
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
blacklist -> blocklist
2020-07-04 10:09:51 +00:00
The current blocklist is taken from https://github.com/curl/curl/wiki/DNS-over-HTTPS.
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
:param flow: mitmproxy flow
blacklist -> blocklist
2020-07-04 10:09:51 +00:00
:return: True if server's hostname is in DoH blocklist, otherwise False
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
"""
hostname = flow.request.host
ip = flow.server_conn.address
return hostname in doh_hostnames or hostname in doh_ips or ip in doh_ips
fix lint errors
2020-03-05 05:06:27 +00:00
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
doh_request_detection_checks = [
_has_dns_message_content_type,
_request_has_dns_query_string,
_request_is_dns_json,
blacklist -> blocklist
2020-07-04 10:09:51 +00:00
_requested_hostname_is_in_doh_blocklist,
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
_request_has_doh_looking_path,
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
]
fix lint errors
2020-03-05 05:06:27 +00:00
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
def request(flow):
for check in doh_request_detection_checks:
is_doh = check(flow)
if is_doh:
[autofix.ci] apply automated fixes
2022-11-29 13:28:41 +00:00
logging.warning(
'[DoH Detection] DNS over HTTPS request detected via method "%s"'
% check.__name__
)
example for blocking DNS queries over HTTPS
2020-03-05 04:16:02 +00:00
flow.kill()
break