Web browsers that support DNS over HTTPS (DoH) can allow employees and students to bypass network-level web filtering policies. In this article I will give an overview of what DoH is and provide solutions for preventing your users from bypassing your company’s web filter.
At its core, DNS-over-HTTPS (DoH) works just like a standard DNS resolution. When a user attempts to visit a domain (e.g. CurrentWare.com), it sends a query to a DNS server to get the IP address of the server that hosts the website. DoH takes that very same process and uses the Hypertext Transfer Protocol Secure (HTTPS) protocol to make an encrypted DNS request that hides domain requests from inspection.
The intention of DoH is to increase the privacy of users by reducing the data available to ISPs and other providers; however, it has inadvertently caused problems in corporate environments that use DNS-based web filters.
DNS web filters need to identify the website that the user is visiting in order to perform content filtering. Encryption through DNS over HTTPS has caused many DNS content filtering implementations to fail as they are unable to successfully identify the websites visited. Companies that rely on web traffic reports from DNS-based solutions also lose visibility into internal network traffic as a result of this.
If a DNS web filter is being used to block access to websites that are malicious, distracting, or otherwise high-risk or inappropriate, DoH can be used to bypass internet restriction policies. This can pose serious endpoint security, network security, and productivity concerns for businesses that use web filtering to control employee internet access.
For environments where DoH is disabled by default there is the threat that tech-savvy users can enable DoH to access websites that are blocked as part of the organization’s cybersecurity and acceptable use policies.
For enterprises, DoH has been a nightmare ever since it’s been proposed. DoH basically creates a mechanism to overwrite centrally-imposed DNS settings and allows employees to use DoH to bypass any DNS-based traffic filtering solutions.
Catalin Cimpanu, ZDNet
Mozilla Firefox enables DNS over HTTPS by default. By proactively blocking Firefox from being used on company devices you can prevent users from easily bypassing your web filtering policies by enabling DoH. Unfortunately, if your environment does not have the means to restrict users from modifying application and computer settings there are ways they can enable DoH in Opera, Chrome, Edge, and Vivaldi.
The expansion of DoH and related technologies such as DNS over TLS (DoT) is a trend in networking that is expected to continue gaining traction. Blocking browsers that force DoH by default may work in the short term but it is not a viable solution for the long term.
Need to restrict internet access in your network? In this tutorial you will learn how to block websites using a free trial of BrowseControl, CurrentWare’s web content filtering software.
With BrowseControl you can:
Block websites based on URL, category, domain, or IP address
Schedule unique internet restrictions throughout the day
Assign custom policies for each group of computers or users
Enforce internet usage policies, even when devices leave the network
There are 3 ways to block employee internet access with BrowseControl:
1) Block access to specific websites with the Block List
2) Restrict internet access to only certain sites with the Allow List
3) Using the Category Filtering feature you can block access to content categories such as Porn, Virus Infected, or Social Media
For complete control over internet and application use in your network, you can combine BrowseControl with BrowseReporter, CurrentWare’s internet monitoring software.
All right, let’s get started.
To begin, sign up for a free trial of BrowseControl at CurrentWare.com/Download. After filling out the form you will be provided with the files you need to get started with BrowseControl.
To install BrowseControl, run CurrentWare.exe on the administrator’s computer and follow the installation instructions; this will install the CurrentWare Console and Server.
After that, deploy the CurrentWare Client Setup file (cwClientSetup.exe) on all of the computers you would like to control.
From there you can import your Active Directory organizational units or manually create your desired policy groups.
For full installation instructions, please visit our knowledge base at CurrentWare.com/Support.
Now that you have BrowseControl installed, I’ll show you how to block specific websites based on their URL, domain, or IP address with the URL Filter.
This feature can be used to block your employees from accessing distracting websites like Facebook, TikTok, or Instagram.
First, decide whether you want to control internet access based on users or computers and select the desired mode.
Next, click on the URL Filter, then select “Blocked List”.
From the drop-down menu, select the group of computers or users that you want to restrict.
Enter the URL, domain, or IP address of the websites you want to block to the master URL list, then press the Enter key or click “Add”.
BrowseControl will apply a wildcard to the URL, ensuring that any paths within the domain will be blocked as well.
In the master URL list, select the websites you want to block for the chosen group, then click “Add to Blocked List”.
If you would like to add the selected websites to the block list of multiple groups, you can press the drop-down arrow and select “Add to Multiple Groups”, select the desired groups, then click “Add to Blocked List”.
If you have a large number of websites you would like to block, you can also use the import feature to import an existing list.
Finally, click “Apply to Clients”.
That’s it! You have now blocked your employees, students, or patrons from accessing those specific websites.
Next, I’ll show you how to restrict internet access to only certain sites.
This feature is ideal if you want to prevent your employees, students, or patrons from accessing websites that are not explicitly allowed by your organization.
The process is identical to how you would block a website, except this time you will set the internet to “off” and add the websites you would like to allow to the Allow List.
With this method, your users will only be able to access the exact websites that have been approved by your company.
Here are the full instructions.
First, decide whether you want to control internet access based on users or computers and select the desired mode.
Next, click on the URL Filter, then ensure that “Allowed List” is selected.
From the drop-down menu, select the group of computers or users that you want to restrict.
Next, set the internet to “Off”. This will ensure that only the websites that are added to the allowed list can be accessed.
Enter the URL, domain, or IP address of the website you want to allow to the master URL list, then press the Enter key or click “Add”. BrowseControl will apply a wildcard to the URL, ensuring that any paths within the domain will be allowed as well.
In the master URL list, select the websites you want to allow for the chosen group, then click “Add to Allowed List”.
If you would like to add the selected websites to the Allowed List of multiple groups, you can press the drop-down arrow and select “Add to Multiple Groups”, select the desired groups, then click “Add to Allowed List”.
If you have a large number of websites you would like to allow, you can also use the import feature to import an existing list.
Finally, click “Apply to Clients”.
Next, I’ll show you how to block websites based on content categories such as Porn, Virus Infected, and Social Media.
With BrowseControl’s category filtering feature you can block billions of websites across over 100 URL categories. More than 10,000 new domains are added each day, making it simple to restrict internet access even as new sites emerge.
Here’s how:
First, decide whether you want to control internet access based on users or computers, then select the desired mode.
Next, click on “Category Filtering”.
From the drop-down menu, select the group of computers or users that you want to restrict.
Select the web content categories you would like to block, then click “Add to Blocked List”.
Finally, click “Apply to Clients”.
That’s it!
The Allow List can also be used in tandem with the Category Filtering feature to allow websites that would otherwise be blocked based on their content category.
For example, you could use the Category Filtering feature to block Social Media while still allowing access to LinkedIn.
Now that you’ve seen the 3 key ways you can block a website with BrowseControl, I’d like to show you how to restrict internet access at certain times.
With BrowseControl’s Internet Scheduler you can schedule custom block or allow lists throughout the day.
This feature will bring some flexibility to your internet restriction policies; in this example, we will allow our employees to browse the internet during lunchtime.
Here’s how to use the Internet Scheduler:
First, decide whether you want to control internet access based on users or computers and select the desired mode.
Next, click on “Internet Scheduler”.
From the drop-down menu, select the group of computers or users that you want to restrict.
Next, click “New Schedule”.
Set the start and end time of the schedule. Then, select the schedule type.
Internet On will allow internet access to all websites that are not on the URL Block List.
Custom allowed list will only allow access to specific websites.
Custom blocked list will block access to a specific list of websites and allow access to the rest of the internet.
Custom Category blocked list will block specific categories and allow access to the rest of the internet.
Next, set your desired schedule frequency.
Daily will enable the schedule every day during the specified time period.
Weekly will enable the schedule only on specific days of the week.
Monthly will enable the schedule only on specific months.
Next, click “Add Schedule”.
If you selected one of the custom block or allow list options, you can click the link provided under the “schedule type” column to set the websites or categories that you would like on the list.
And finally, click “Enable Scheduler” if it is not already enabled.
That’s it for today. If you’re ready to start blocking websites you can get a free trial of BrowseControl at CurrentWare.com/Download.
If you have any questions during your evaluation our support team is available to help you over a phone call, live chat, or email.
See you next time!
Agent-based web filters are unaffected by DNS-over-HTTPS. These solutions do not rely on DNS to perform web filtering. Instead, a software agent is installed directly on the endpoint device. This allows web filtering to occur at the browser level before DoH has an opportunity to hide the website being visited by students, patrons, or employees in a professional environment.
For companies that rely on inspecting DNS web traffic to enforce their acceptable use policies, agent-based internet monitoring software can continue to track employee web activity on browsers that use DoH and other forms of DNS-based encryption.
If you would like to try for yourself, follow these instructions to enable DoH and see if it successfully bypasses your DNS web filter. You can then try our agent-based web filtering and internet monitoring software for free for a live proof-of-concept.
Companies using some sort of filtering via the default DNS resolver need to disable DoH on their network to prevent interference with their web filtering policies. Using canary domains you can signal to web browsers that use DoH that you would like to disable DoH on your network.
Unfortunately according to Firefox’s instructions for disabling DoH, “If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.” For this reason the use of endpoint web filtering software is still preferred.
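The following is an added example, not CurrentWare’s code or anything from the article. It illustrates two points made above: first, why a DNS-based filter loses visibility when a browser uses DoH (the DNS query for the site is packed into the `dns=` parameter of an HTTPS request per RFC 8484, so only the resolver’s hostname is visible on the wire), and second, how the `use-application-dns.net` canary answer is evaluated (an NXDOMAIN reply, or one with no address records, is the signal to turn DoH off). The resolver URL `https://dns.example/dns-query` is a placeholder, and every DNS message is constructed inline so the script runs offline with no network access; a real check would send the same wire-format query to your own resolver.

```python
"""Added example (not CurrentWare's): DoH query construction per RFC 8484 and
evaluation of the DoH canary domain answer. All DNS messages are constructed
locally; nothing here performs network I/O."""
import base64
import struct

DOH_RESOLVER = "https://dns.example/dns-query"  # placeholder resolver URL (assumption)
CANARY_DOMAIN = "use-application-dns.net"       # Mozilla's DoH canary domain

QTYPE_A = 1
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Minimal DNS query: ID 0 (RFC 8484 suggests 0 for cacheability), RD flag set."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def doh_get_url(name: str, resolver: str = DOH_RESOLVER) -> str:
    """URL a DoH client fetches. The queried name only exists inside the
    base64url 'dns' parameter, which travels inside TLS; a network observer
    sees a TLS session to the resolver host, not the name being looked up."""
    param = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={param}"


def decode_dns_param(param: str) -> bytes:
    """Reverse of the 'dns' parameter encoding (re-add the stripped padding)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract the response code and any A-record addresses from a DNS reply."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "addresses": addrs}


def canary_signals_doh_off(msg: bytes) -> bool:
    """NXDOMAIN (or no A records) for the canary is the 'disable DoH' signal.
    The resolver should answer this way only for the canary name itself."""
    parsed = parse_response(msg)
    return parsed["rcode"] == RCODE_NXDOMAIN or not parsed["addresses"]


def make_response(query: bytes, rcode: int, addrs: list) -> bytes:
    """Constructed resolver reply for the given query (sample data, not captured)."""
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack(">HHHHHH", 0, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b""
    for a in addrs:
        rdata = bytes(int(p) for p in a.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_A, 1, 300, 4) + rdata
    return header + question + answers


if __name__ == "__main__":
    print(doh_get_url("currentware.com"))
    canary_reply = make_response(build_query(CANARY_DOMAIN), RCODE_NXDOMAIN, [])
    print("network signals DoH off:", canary_signals_doh_off(canary_reply))
```

Run it and compare the printed URL with the name that was looked up: the hostname never appears in the request line, which is exactly what a DNS-inspecting filter is missing. The canary check mirrors the limitation the article quotes: it only matters when the browser is still consulting the network, so a user who has manually enabled DoH is unaffected by it.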