What is the best internet filter for businesses?

The best internet filter for businesses depends on your needs, but solutions like CurrentWare's BrowseControl offer advanced web filtering, category-based blocking, and policy enforcement for employee productivity and security

How do I disable USB ports on a Windows computer?

You can disable USB ports on a Windows computer using Device Manager, Group Policy Editor, or software solutions like CurrentWare's AccessPatrol, which provides centralized control over USB access.

How can I see what someone did on a computer?

You can view computer activity by checking browser history, recent files, event logs, or using monitoring software like CurrentWare’s BrowseReporter for detailed insights into user activity.

What is DNS over HTTPS (DoH) & How to Stop Users From Bypassing Your Web Filter

September 1, 2020

Web browsers that support DNS over HTTPS (DoH) can allow employees and students to bypass network-level web filtering policies. In this article I will overview what DoH is and provide solutions for preventing your users from bypassing your company’s web filter.

What is DNS over HTTPS (DoH)?

At its core, DNS-over-HTTPS (DoH) works just like a standard DNS resolution. When a user attempts to visit a domain (e.g. CurrentWare.com), it sends a query to a DNS server to get the IP address of the server that hosts the website. DoH takes that very same process and uses the Hypertext Transfer Protocol Secure (HTTPS) protocol to make an encrypted DNS request that hides domain requests from inspection.

The intention of DoH is to increase the privacy of users by reducing the data available to ISPs and other providers, however it has inadvertently caused problems in corporate environments that use DNS-based web filters.

Why is DNS over HTTPS a problem for web filters?

DNS web filters need to identify the website that the user is visiting in order to perform content filtering. Encryption through DNS over HTTPS has caused many DNS content filtering implementations to fail as they are unable to successfully identify the websites visited. Companies that rely on web traffic reports from DNS-based solutions also lose visibility into internal network traffic as a result of this.

If a DNS web filter is being used to block access to websites that are malicious, distracting, or otherwise high-risk or inappropriate, DoH can be used to bypass internet restriction policies. This can pose serious endpoint security, network security, and productivity concerns for businesses that use web filtering to control employee internet access.

For environments where DoH is disabled by default there is the threat that tech-savvy users can enable DoH to access websites that are blocked as part of the organization’s cybersecurity and acceptable use policies.

For enterprises, DoH has been a nightmare ever since it’s been proposed. DoH basically creates a mechanism to overwrite centrally-imposed DNS settings and allows employees to use DoH to bypass any DNS-based traffic filtering solutions
Catalin Cimpanu, ZDNet

How to Stop DoH From Interfering With Web Filters

1. Block browsers that use DoH

screenshot of BrowseControl's application blocker

Mozilla Firefox enables DNS over HTTPS by default. By proactively blocking Firefox from being used on company devices you can prevent users from easily bypassing your web filtering policies by enabling DoH. Unfortunately, if your environment does not have the means to restrict users from modifying application and computer settings there are ways they can enable DoH in Opera, Chrome, Edge, and Vivaldi.

The expansion of DoH and related technologies such as DNS over TLS (DoT) is a trend in networking that is expected to continue gaining traction. Blocking browsers that force DoH by default may work in the short term but it is not a viable solution for the long term.

2. Use an agent-based web filter instead (endpoint-based web filters)

Agent-based web filters are unaffected by DNS-over-HTTPS. These solutions do not rely on DNS to perform web filtering. Instead, a software agent is installed directly on the endpoint device. This allows web filtering to occur at the browser level before DoH has an opportunity to hide the website being visited by students, patrons, or employees in a professional environment.

For companies that rely on inspecting DNS web traffic to enforce their acceptable use policies, agent-based internet monitoring software can continue to track employee web activity on browsers that use DoH and other forms of DNS-based encryption.

If you would like to try for yourself, follow these instructions to enable DoH and see if it successfully bypasses your DNS web filter. You can then try our agent-based web filtering and internet monitoring software for free for a live proof-of-concept.

Configure Your Networks to Disable DNS Over HTTPS

Companies using some sort of filtering via the default DNS resolver need to disable DoH on their network to prevent interference with their web filtering policies. Using canary domains you can signal to web browsers that use DoH that you would like to disable DoH on your network.

Unfortunately according to Firefox’s instructions for disabling DoH, “If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.” For this reason the use of endpoint web filtering software is still preferred.

Start Blocking Websites Today Learn More

What is DNS over HTTPS (DoH)?

Why is DNS over HTTPS a problem for web filters?

How to Stop DoH From Interfering With Web Filters

1. Block browsers that use DoH

2. Use an agent-based web filter instead (endpoint-based web filters)

Configure Your Networks to Disable DNS Over HTTPS

Related posts

How to Disable USB Ports on Windows 11: The Complete Guide (2025)

What is Data Loss Prevention (DLP) & Why It Matters for Your Business