Question: Does category filtering use SNI data inspection?
I am just wondering how application traffic category filtering works exactly?
Maybe:
- FQDNs from SNI data in TLS (not talking about TLS termination)
- DNS lookups
- IP flow "guessing"?
1) Is probably most reliable for application traffic. But a lot of traffic nowadays is fully encrypted using QUIC on UDP/443, not allowing SNI inspection any more.
So would a best practice be to block UDP/443 to make sure SNI headers can be used for web category filtering?
2) In our home most mobile Android devices use Private DNS (DoT, UDP/853) since that also works great for ad blocking when away from home on mobile data. I also think some devices/applications may use a hardcoded DoH DNS rather than the FW IP assigned from DHCP?
I tried blocking UDP/853 to force clients to fallback to regular dns that FW can intercept/inspect, but that didn't work too well because the Android devices started complaining visibly that "Private DNS" was not working. :)
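As an added example (not part of the original post, and not any vendor's filtering code): the script below builds a TLS ClientHello carrying a server_name extension and then parses the hostname back out the way an SNI-based category filter does on the first packet of a TCP/443 flow. The ClientHello bytes and the QUIC Initial header bytes are constructed in the script, and the hostname example.com is an assumption. It also shows why the same byte scan finds nothing in a QUIC Initial packet: there the ClientHello sits in CRYPTO frames protected with keys derived from the Destination Connection ID (RFC 9001 section 5.2), so a filter has to implement the QUIC Initial decryption rather than look for a plaintext extension.

```python
"""Extract the SNI hostname from a TLS ClientHello record, as an SNI-based
category filter would. Added example; all packet bytes are constructed here."""
import struct

SNI_EXTENSION_TYPE = 0      # RFC 6066 server_name
SNI_NAME_TYPE_HOST = 0      # host_name
QUIC_VERSION_1 = b"\x00\x00\x00\x01"


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record whose only extension is SNI."""
    name = hostname.encode("ascii")
    server_name_list = bytes([SNI_NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
    sni_ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
    extension = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_ext_data)) + sni_ext_data
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x11" * 32           # random (fixed filler; not a real nonce)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # cipher_suites: length 2, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # compression_methods: length 1, null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS handshake record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:           # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                    # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                        # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                # skip compression_methods
    if len(body) < pos + 2:                             # no extensions block at all
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXTENSION_TYPE:
            continue
        # ServerNameList: 2-byte list length, then entries of name_type(1) + length(2) + name
        lp = 2
        while lp + 3 <= len(edata):
            ntype = edata[lp]
            nlen = struct.unpack("!H", edata[lp + 1:lp + 3])[0]
            lp += 3
            name = edata[lp:lp + nlen]
            lp += nlen
            if ntype == SNI_NAME_TYPE_HOST:
                return name.decode("ascii", "replace")
    return None


def classify_first_packet(payload: bytes):
    """Classify a flow's first payload bytes the way an SNI-based filter would.

    Returns ("tls-sni", hostname) when a plaintext SNI is visible, ("quic-initial", None)
    when the packet is a QUIC v1 long-header packet (the ClientHello is inside CRYPTO
    frames protected with Initial keys, so no plaintext SNI can be found by scanning),
    and ("unknown", None) otherwise.
    """
    sni = extract_sni(payload)
    if sni:
        return ("tls-sni", sni)
    # QUIC long header: bit 0x80 set, fixed bit 0x40 set, then the 4-byte version.
    if len(payload) >= 5 and payload[0] & 0xC0 == 0xC0 and payload[1:5] == QUIC_VERSION_1:
        return ("quic-initial", None)
    return ("unknown", None)


if __name__ == "__main__":
    tcp_443 = build_client_hello("example.com")                 # constructed TCP/443 first segment
    udp_443 = b"\xc0" + QUIC_VERSION_1 + b"\x08" + b"\xab" * 8  # constructed QUIC Initial header start
    print(classify_first_packet(tcp_443))                        # ('tls-sni', 'example.com')
    print(classify_first_packet(udp_443))                        # ('quic-initial', None)
```

Run as-is to see the two classifications. Blocking UDP/443 at the firewall makes browsers fall back to TCP and hit the first branch; Encrypted Client Hello (RFC 9460 / ECH drafts) is the other case where the TCP path also stops yielding a hostname, which this scanner reports as "no SNI" rather than as a category.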