搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

DNS over HTTPS results in Little Snitch prompting for permissions for unknown numeric IPs — how can a user make judgments about whether to connect?

more options

I use Little Snitch as a firewall. It prompts for a yes/no on each connection that is about to be made. The only way I know of to make an informed decision in each case is to see the servers requesting a connection, of which there are many for each page request. When using DoH, these become numeric IP addresses, about which I know nothing, other than looking them up with Terminal nslookup, the first several of which turned out to be:

23.193.33.57 a23-193-33-57.deploy.static.akamaitechnologies.com. 172.217.7.4 lga25s56-in-f4.1e100.net. 4.7.217.172.in-addr.arpa namelga25s56-in-f4.1e100.net. 52.216.205.35 s3-1-w.amazonaws.com. 13.225.222.73 server-13-225-222-73.jfk51.r.cloudfront.net. 142.250.64.99 lga34s31-in-f3.1e100.net.

None of these was directly related to what I was trying to do, though cloudfront and akamai are frequent flyers. So I don't know if these were encrypted-DNS servers (though only cloudfront is supposed to be a default) or participant in the page I was attempting to reach.

This is clearly not a practical way to use a browser. It would appear that I will have to have DoH turned off in order to use the firewall. Is anyone else having this issue? Is there any other solution other than turning DoH off?

Thanks for any help.

I use Little Snitch as a firewall. It prompts for a yes/no on each connection that is about to be made. The only way I know of to make an informed decision in each case is to see the servers requesting a connection, of which there are many for each page request. When using DoH, these become numeric IP addresses, about which I know nothing, other than looking them up with Terminal nslookup, the first several of which turned out to be: 23.193.33.57 a23-193-33-57.deploy.static.akamaitechnologies.com. 172.217.7.4 lga25s56-in-f4.1e100.net. 4.7.217.172.in-addr.arpa namelga25s56-in-f4.1e100.net. 52.216.205.35 s3-1-w.amazonaws.com. 13.225.222.73 server-13-225-222-73.jfk51.r.cloudfront.net. 142.250.64.99 lga34s31-in-f3.1e100.net. None of these was directly related to what I was trying to do, though cloudfront and akamai are frequent flyers. So I don't know if these were encrypted-DNS servers (though only cloudfront is supposed to be a default) or participant in the page I was attempting to reach. This is clearly not a practical way to use a browser. It would appear that I will have to have DoH turned off in order to use the firewall. Is anyone else having this issue? Is there any other solution other than turning DoH off? Thanks for any help.

所有回覆 (1)

more options

I am not familiar with how Little Snitch works, so I am speculating here.

My guess would be when MacOS does the DNS lookup (in clear text), Little Snitch keeps track of the responses so it can match up IP addresses to recently requested host names. When DNS over HTTPS is used, the requests are encrypted, so Little Snitch isn't able to gather that data. Therefore, it can't show you its guess as to the host name corresponding to a particular IP address. If that is the situation I think you need to choose one or the other.