
What is DNS over HTTPS (DoH) & How to Stop Users From Bypassing Your Web Filter

September 1, 2020

Web browsers that support DNS over HTTPS (DoH) can allow employees and students to bypass network-level web filtering policies. In this article I will give an overview of what DoH is and provide solutions for preventing your users from bypassing your company’s web filter.

What is DNS over HTTPS (DoH)?

At its core, DNS-over-HTTPS (DoH) works just like a standard DNS resolution. When a user attempts to visit a domain (e.g. CurrentWare.com), their device sends a query to a DNS server to get the IP address of the server that hosts the website. DoH takes that very same process and sends the DNS request over the Hypertext Transfer Protocol Secure (HTTPS) protocol, so the request is encrypted and the domains being looked up are hidden from inspection.

The intention of DoH is to increase the privacy of users by reducing the data available to ISPs and other providers. However, it has inadvertently caused problems in corporate environments that use DNS-based web filters.

Why is DNS over HTTPS a problem for web filters?

DNS web filters need to identify the website that the user is visiting in order to perform content filtering. Encryption through DNS over HTTPS has caused many DNS content filtering implementations to fail as they are unable to successfully identify the websites visited. Companies that rely on web traffic reports from DNS-based solutions also lose visibility into internal network traffic as a result of this.

If a DNS web filter is being used to block access to websites that are malicious, distracting, or otherwise high-risk or inappropriate, DoH can be used to bypass internet restriction policies. This can pose serious endpoint security, network security, and productivity concerns for businesses that use web filtering to control employee internet access. 

For environments where DoH is disabled by default there is the threat that tech-savvy users can enable DoH to access websites that are blocked as part of the organization’s cybersecurity and acceptable use policies. 

For enterprises, DoH has been a nightmare ever since it’s been proposed. DoH basically creates a mechanism to overwrite centrally-imposed DNS settings and allows employees to use DoH to bypass any DNS-based traffic filtering solutions.

Catalin Cimpanu, ZDNet

How to Stop DoH From Interfering With Web Filters

1. Block browsers that use DoH


Mozilla Firefox enables DNS over HTTPS by default. By proactively blocking Firefox from being used on company devices you can prevent users from easily bypassing your web filtering policies by enabling DoH. Unfortunately, if your environment does not have the means to restrict users from modifying application and computer settings there are ways they can enable DoH in Opera, Chrome, Edge, and Vivaldi. 

The expansion of DoH and related technologies such as DNS over TLS (DoT) is a trend in networking that is expected to continue gaining traction. Blocking browsers that force DoH by default may work in the short term but it is not a viable solution for the long term.

2. Use an agent-based web filter instead (endpoint-based web filters)

Agent-based web filters are unaffected by DNS-over-HTTPS. These solutions do not rely on DNS to perform web filtering. Instead, a software agent is installed directly on the endpoint device. This allows web filtering to occur at the browser level before DoH has an opportunity to hide the website being visited by students, patrons, or employees in a professional environment. 

For companies that rely on inspecting DNS web traffic to enforce their acceptable use policies, agent-based internet monitoring software can continue to track employee web activity on browsers that use DoH and other forms of DNS-based encryption.

If you would like to try it for yourself, follow these instructions to enable DoH and see if it successfully bypasses your DNS web filter. You can then try our agent-based web filtering and internet monitoring software for free for a live proof-of-concept.

Configure Your Networks to Disable DNS Over HTTPS

Companies using some sort of filtering via the default DNS resolver need to disable DoH on their network to prevent interference with their web filtering policies. Using canary domains you can signal to web browsers that use DoH that you would like to disable DoH on your network.

Unfortunately, according to Firefox’s instructions for disabling DoH, “If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.” For this reason the use of endpoint web filtering software is still preferred.

  • Firefox Instructions
  • Microsoft Edge admx template
  • Disable DoH in Chrome
  • How to Enable or Disable DNS over HTTPS (DoH) in Microsoft Edge Chromium
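
Once the canary signal described above is configured on your resolver, you can confirm it is actually being sent. The Python check below is an added example, not code from this article or from CurrentWare. It assumes Firefox's canary domain `use-application-dns.net` and Mozilla's documented rule that any reply other than NOERROR, or a NOERROR reply with no A/AAAA records, counts as the signal; the function names are illustrative.

```python
import socket
import struct

CANARY = "use-application-dns.net"  # Firefox's DoH canary domain (assumed here)
A, AAAA = 1, 28                     # DNS record type codes

def build_query(name, qtype, txid=0x1234):
    """Encode a recursive (RD=1) DNS query for one name and record type."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack(">HH", qtype, 1))

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends
            return pos + 2
        if length == 0:             # root label terminates the name
            return pos + 1
        pos += 1 + length

def signals_doh_off(response):
    """True if this reply to a canary query carries the 'disable DoH' signal:
    any rcode other than NOERROR, or NOERROR with no A/AAAA answer."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    if flags & 0x000F != 0:
        return True
    pos = 12
    for _ in range(qdcount):        # skip the echoed question section
        pos = skip_name(response, pos) + 4
    for _ in range(ancount):        # look for an address record in the answers
        pos = skip_name(response, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", response[pos:pos + 10])
        if rtype in (A, AAAA):
            return False
        pos += 10 + rdlen
    return True

def check_resolver(resolver_ip, timeout=3.0):
    """Ask the resolver for the canary's A and AAAA records over UDP/53."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for label, qtype in (("A", A), ("AAAA", AAAA)):
            sock.sendto(build_query(CANARY, qtype), (resolver_ip, 53))
            results[label] = signals_doh_off(sock.recv(4096))
    return results
```

Call `check_resolver()` with the address of the resolver your clients receive from DHCP; both the `A` and `AAAA` entries should be `True`. A `True` result only covers browsers running DoH by default, since a user who enabled DoH manually is unaffected by the signal.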
