For devices that cannot block the QUIC protocol, use temporary workarounds on the device

2024-12-31 17:08:06 Published

Network Topology

Null

Problem Description

The QUIC protocol cannot be blocked directly on the device.

Process Analysis

1. Use domain name blocking.

First, enable the DNS snooping command in the command line.

Second, create a new object group under [Objects->Object Groups->IPv4 Address Object Groups] that contains the domain name(s) to block.

You can enable DNS aging to prevent the cache from aging out and causing false positives.

Then, under [Policies->Security Policies->Security Policies], create a new security policy that references the newly created IPv4 object group. If the interface references a VRF, you also need to create a blocking policy for that VRF.

The defects of using domain name blocking are as follows:

1) When using the domain name blocking function, the terminal's DNS traffic must also pass through the firewall, because the firewall learns the addresses from the DNS replies it sees and records them locally; otherwise the policy does not take effect.

2) This function intercepts traffic by destination IP, using the IP address returned in the DNS reply. If another domain name resolves to the same IP address as the domain name to be blocked, traffic to that domain is blocked as well (erroneous interception).
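The mechanism and both defects above, modelled as an added Python example (not the device's own code; all domain names, addresses and timings are constructed, and the aging setting is an assumption used only to show its effect):

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class DnsSnoopBlocker:
    """Models domain blocking driven by DNS snooping: the firewall learns the
    IPs returned for listed domains, then drops traffic to those IPs."""
    blocked_domains: Set[str]                     # domains in the address object group
    aging_seconds: Optional[int] = 300            # None models entries that never age out
    learned: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # ip -> (domain, learned_at)

    def snoop_dns_response(self, domain: str, ips, now: int) -> None:
        """Only DNS replies that actually traverse the firewall are seen (defect 1)."""
        if domain in self.blocked_domains:
            for ip in ips:
                self.learned[ip] = (domain, now)

    def should_block(self, dst_ip: str, now: int) -> bool:
        """The decision is by destination IP only, so any other domain that
        resolves to a learned IP is blocked as well (defect 2)."""
        entry = self.learned.get(dst_ip)
        if entry is None:
            return False
        _, learned_at = entry
        if self.aging_seconds is not None and now - learned_at > self.aging_seconds:
            del self.learned[dst_ip]              # entry aged out; traffic passes again
            return False
        return True

def demo() -> dict:
    """Constructed scenario: 'quic.example' is the domain to block; 'cdn.example'
    is an unrelated domain that happens to resolve to the same address."""
    fw = DnsSnoopBlocker(blocked_domains={"quic.example"}, aging_seconds=300)
    fw.snoop_dns_response("quic.example", ["198.51.100.10"], now=0)
    fw.snoop_dns_response("cdn.example", ["198.51.100.10"], now=0)   # not listed; nothing learned
    results = {
        # Client whose DNS bypassed the firewall: its server IP was never learned (defect 1)
        "unsnooped_ip_blocked": fw.should_block("203.0.113.7", now=10),
        # The listed domain's address is blocked as intended
        "quic_ip_blocked": fw.should_block("198.51.100.10", now=10),
        # cdn.example shares that IP, so a connection to it is blocked too (defect 2)
        "shared_ip_also_blocked": fw.should_block("198.51.100.10", now=10),
        # After the aging interval the learned entry expires and the block lapses
        "blocked_after_aging": fw.should_block("198.51.100.10", now=1000),
    }
    no_aging = DnsSnoopBlocker(blocked_domains={"quic.example"}, aging_seconds=None)
    no_aging.snoop_dns_response("quic.example", ["198.51.100.10"], now=0)
    results["blocked_when_entries_never_age"] = no_aging.should_block("198.51.100.10", now=1000)
    return results

if __name__ == "__main__":
    print(demo())
```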


Solution

Refer to the process analysis above.
