What is DNS over HTTPS (DoH) & How to Stop Users From Bypassing Your Web Filter
Web browsers that support DNS over HTTPS (DoH) can allow employees and students to bypass network-level web filtering policies. In this article I will overview what DoH is and provide solutions for preventing your users from bypassing your company’s web filter.
What is DNS over HTTPS (DoH)?
At its core, DNS-over-HTTPS (DoH) works just like a standard DNS resolution. When a user attempts to visit a domain (e.g. CurrentWare.com), it sends a query to a DNS server to get the IP address of the server that hosts the website. DoH takes that very same process and uses the Hypertext Transfer Protocol Secure (HTTPS) protocol to make an encrypted DNS request that hides domain requests from inspection.
The intention of DoH is to increase the privacy of users by reducing the data available to ISPs and other providers, however it has inadvertently caused problems in corporate environments that use DNS-based web filters.
Why is DNS over HTTPS a problem for web filters?
DNS web filters need to identify the website that the user is visiting in order to perform content filtering. Encryption through DNS over HTTPS has caused many DNS content filtering implementations to fail as they are unable to successfully identify the websites visited. Companies that rely on web traffic reports from DNS-based solutions also lose visibility into internal network traffic as a result of this.
If a DNS web filter is being used to block access to websites that are malicious, distracting, or otherwise high-risk or inappropriate, DoH can be used to bypass internet restriction policies. This can pose serious endpoint security, network security, and productivity concerns for businesses that use web filtering to control employee internet access.
For environments where DoH is disabled by default there is the threat that tech-savvy users can enable DoH to access websites that are blocked as part of the organization’s cybersecurity and acceptable use policies.
For enterprises, DoH has been a nightmare ever since it’s been proposed. DoH basically creates a mechanism to overwrite centrally-imposed DNS settings and allows employees to use DoH to bypass any DNS-based traffic filtering solutions
Catalin Cimpanu, ZDNet
How to Stop DoH From Interfering With Web Filters
1. Block browsers that use DoH
Mozilla Firefox enables DNS over HTTPS by default. By proactively blocking Firefox from being used on company devices you can prevent users from easily bypassing your web filtering policies by enabling DoH. Unfortunately, if your environment does not have the means to restrict users from modifying application and computer settings there are ways they can enable DoH in Opera, Chrome, Edge, and Vivaldi.
The expansion of DoH and related technologies such as DNS over TLS (DoT) is a trend in networking that is expected to continue gaining traction. Blocking browsers that force DoH by default may work in the short term but it is not a viable solution for the long term.
2. Use an agent-based web filter instead (endpoint-based web filters)
Agent-based web filters are unaffected by DNS-over-HTTPS. These solutions do not rely on DNS to perform web filtering. Instead, a software agent is installed directly on the endpoint device. This allows web filtering to occur at the browser level before DoH has an opportunity to hide the website being visited by students, patrons, or employees in a professional environment.
For companies that rely on inspecting DNS web traffic to enforce their acceptable use policies, agent-based internet monitoring software can continue to track employee web activity on browsers that use DoH and other forms of DNS-based encryption.
If you would like to try for yourself, follow these instructions to enable DoH and see if it successfully bypasses your DNS web filter. You can then try our agent-based web filtering and internet monitoring software for free for a live proof-of-concept.
Configure Your Networks to Disable DNS Over HTTPS
Companies using some sort of filtering via the default DNS resolver need to disable DoH on their network to prevent interference with their web filtering policies. Using canary domains you can signal to web browsers that use DoH that you would like to disable DoH on your network.
Unfortunately according to Firefox’s instructions for disabling DoH, “If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.” For this reason the use of endpoint web filtering software is still preferred.
