DNS over HTTPS (DoH): How to Stop Users From Bypassing Your Web Filter

Web browsers that support DNS over HTTPS (DoH) can allow employees and students to bypass network-level web filtering policies. In this article I will give an overview of what DoH is and provide solutions for preventing your users from bypassing your company’s web filter.

What is DNS over HTTPS (DoH)?

At its core, DNS over HTTPS (DoH) works just like standard DNS resolution. When a user attempts to visit a domain (e.g. CurrentWare.com), the device sends a query to a DNS server to get the IP address of the server that hosts the website. DoH takes that very same process and carries the DNS query inside an encrypted HTTPS connection, which hides the requested domain from inspection on the network.

The intention of DoH is to increase the privacy of users by reducing the data available to ISPs and other providers; however, it has inadvertently caused problems in corporate environments that use DNS-based web filters.
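
To make concrete what a DNS-based filter loses, here is an added example (not code from this article or from CurrentWare) that recovers the queried domain from a DoH request. This is only possible where the HTTPS session is visible in the clear, i.e. on the endpoint or at a TLS-terminating proxy, never at the network's DNS resolver. It handles both RFC 8484 forms, the GET form (DNS message base64url-encoded in the dns= parameter) and the POST form (raw DNS message body); the `doh_queried_name` function and its (method, url, headers, body) interface are this example's own assumption about what an agent would hand over.

```python
import base64
import struct
from typing import Optional
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type for DoH messages


def decode_qname(msg: bytes) -> str:
    """Return the first question name from a DNS wire-format message (RFC 1035)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", msg[4:6])[0] < 1:  # QDCOUNT
        raise ValueError("no question section")
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:  # compression pointers never appear in a query's QNAME
            raise ValueError("unexpected compression pointer")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_queried_name(method: str, url: str, headers: dict, body: bytes = b"") -> Optional[str]:
    """Return the domain a DoH request resolves, or None if the request is not DoH.

    GET carries the DNS message base64url-encoded in the ?dns= parameter; POST carries
    the raw DNS message as the body with the DoH media type. The /dns-query path used by
    public resolvers is a convention, not a requirement, so it is not relied on here.
    """
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    if method == "POST" and lowered.get("content-type") == DOH_MEDIA_TYPE:
        return decode_qname(body)
    if method == "GET":
        param = parse_qs(urlsplit(url).query).get("dns")
        if not param:
            return None
        raw = param[0]
        try:
            msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
            return decode_qname(msg)
        except (ValueError, UnicodeDecodeError, IndexError):
            return None  # a dns= parameter that is not a DNS message is not DoH
    return None
```

The sample GET value in the test is the query for www.example.com given in RFC 8484 itself; the same message appears in the POST form as constructed wire bytes.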

Why is DNS over HTTPS a problem for web filters?

DNS web filters need to identify the website that the user is visiting in order to perform content filtering. Encryption through DNS over HTTPS has caused many DNS content filtering implementations to fail as they are unable to successfully identify the websites visited. Companies that rely on web traffic reports from DNS-based solutions also lose visibility into internal network traffic as a result of this.

If a DNS web filter is being used to block access to websites that are malicious, distracting, or otherwise high-risk or inappropriate, DoH can be used to bypass internet restriction policies. This can pose serious endpoint security, network security, and productivity concerns for businesses that use web filtering to control employee internet access. 

For environments where DoH is disabled by default, there is the threat that tech-savvy users can enable DoH to access websites that are blocked as part of the organization’s cybersecurity and acceptable use policies.

For enterprises, DoH has been a nightmare ever since it’s been proposed. DoH basically creates a mechanism to overwrite centrally-imposed DNS settings and allows employees to use DoH to bypass any DNS-based traffic filtering solutions.

Catalin Cimpanu, ZDNet

How to Stop DoH From Interfering With Web Filters

1. Block browsers that use DoH

screenshot of BrowseControl's application blocker

Mozilla Firefox enables DNS over HTTPS by default. By proactively blocking Firefox from being used on company devices you can prevent users from easily bypassing your web filtering policies by enabling DoH. Unfortunately, if your environment does not have the means to restrict users from modifying application and computer settings, there are ways they can enable DoH in Opera, Chrome, Edge, and Vivaldi.

The expansion of DoH and related technologies such as DNS over TLS (DoT) is a trend in networking that is expected to continue gaining traction. Blocking browsers that force DoH by default may work in the short term but it is not a viable solution for the long term.

2. Use an agent-based web filter instead (endpoint-based web filters)

Need to restrict internet access in your network? In this tutorial you will learn how to block websites using a free trial of BrowseControl, CurrentWare’s web content filtering software.

With BrowseControl you can…

Block websites based on URL, category, domain, or IP address

Schedule unique internet restrictions throughout the day 

Assign custom policies for each group of computers or users

Enforce internet usage policies, even when devices leave the network

There are 3 ways to block employee internet access with BrowseControl

1) Block access to specific websites with the Block List

2) Restrict internet access to only certain sites with the Allow List 

3) Block access to content categories such as Porn, Virus Infected, or Social Media with the Category Filtering feature

For complete control over internet and application use in your network, you can combine BrowseControl with BrowseReporter, CurrentWare’s internet monitoring software.

All right, let’s get started.

To begin, sign up for a free trial of BrowseControl at CurrentWare.com/Download. After filling out the form you will be provided with the files you need to get started with BrowseControl.

To install BrowseControl, run CurrentWare.exe on the administrator’s computer and follow the installation instructions; this will install the CurrentWare Console and Server. 

After that, deploy the CurrentWare Client Setup file (cwClientSetup.exe) on all of the computers you would like to control. 

From there you can import your Active Directory organizational units or manually create your desired policy groups.

For full installation instructions, please visit our knowledge base at CurrentWare.com/Support. 

Now that you have BrowseControl installed, I’ll show you how to block specific websites based on their URL, domain, or IP address with the URL Filter.

This feature can be used to block your employees from accessing distracting websites like Facebook, TikTok, or Instagram.

First, decide whether you want to control internet access based on users or computers and select the desired mode.

Next, click on the URL Filter, then select “Blocked List”.

From the drop-down menu, select the group of computers or users that you want to restrict.

Enter the URL, domain, or IP address of the websites you want to block into the master URL list, then press the Enter key or click “Add”.

BrowseControl will apply a wildcard to the URL, ensuring that any paths within the domain will be blocked as well.

In the master URL list, select the websites you want to block for the chosen group, then click “Add to Blocked List”.

If you would like to add the selected websites to the block list of multiple groups, you can press the drop-down arrow and select “Add to Multiple Groups”, select the desired groups, then click “Add to Blocked List”.

If you have a large number of websites you would like to block, you can also use the import feature to import an existing list.

Finally, click “Apply to Clients”.

That’s it! You have now blocked your employees, students, or patrons from accessing those specific websites. 

Next, I’ll show you how to restrict internet access to only certain sites.

This feature is ideal if you want to prevent your employees, students, or patrons from accessing websites that are not explicitly allowed by your organization.

The process is identical to how you would block a website, except this time you will set the internet to “off” and add the websites you would like to allow to the Allow List.

With this method, your users will only be able to access the exact websites that have been approved by your company.

Here are the full instructions.

First, decide whether you want to control internet access based on users or computers and select the desired mode.

Next, click on the URL Filter, then ensure that “Allowed List” is selected.

From the drop-down menu, select the group of computers or users that you want to restrict.

Next, set the internet to “Off”. This will ensure that only the websites that are added to the allowed list can be accessed.

Enter the URL, domain, or IP address of the website you want to allow into the master URL list, then press the Enter key or click “Add”. BrowseControl will apply a wildcard to the URL, ensuring that any paths within the domain will be allowed as well.

In the master URL list, select the websites you want to allow for the chosen group, then click “Add to Allowed List”.

If you would like to add the selected websites to the Allowed List of multiple groups, you can press the drop-down arrow and select “Add to Multiple Groups”, select the desired groups, then click “Add to Allowed List”.

If you have a large number of websites you would like to allow, you can also use the import feature to import an existing list.

Finally, click “Apply to Clients”.

Next, I’ll show you how to block websites based on content categories such as Porn, Virus Infected, and Social Media.

With BrowseControl’s category filtering feature you can block billions of websites across over 100 URL categories. More than 10,000 new domains are added each day, making it simple to restrict internet access even as new sites emerge. 

Here’s how:

First, decide whether you want to control internet access based on users or computers, then select the desired mode.

Next, click on “Category Filtering”.

From the drop-down menu, select the group of computers or users that you want to restrict.

Select the web content categories you would like to block, then click “Add to Blocked List”.

Finally, click “Apply to Clients”.

That’s it! 

The Allow List can also be used in tandem with the Category Filtering feature to allow websites that would otherwise be blocked based on their content category. 

For example, you could use the Category Filtering feature to block Social Media while still allowing access to LinkedIn.

Now that you’ve seen the 3 key ways you can block a website with BrowseControl, I’d like to show you how to restrict internet access at certain times.

With BrowseControl’s Internet Scheduler you can schedule custom block or allow lists throughout the day. 

This feature will bring some flexibility to your internet restriction policies; in this example, we will allow our employees to browse the internet during lunchtime.

Here’s how to use the Internet Scheduler.

First, decide whether you want to control internet access based on users or computers and select the desired mode.

Next, click on “Internet Scheduler”.

From the drop-down menu, select the group of computers or users that you want to restrict.

Next, click “New Schedule”.

Set the start and end time of the schedule. Then, select the schedule type.

Internet On will allow internet access to all websites that are not on the URL Block List.

Custom allowed list will only allow access to specific websites.

Custom blocked list will block access to a specific list of websites and allow access to the rest of the internet.

Custom Category blocked list will block specific categories and allow access to the rest of the internet.

Next, set your desired schedule frequency.

Daily will enable the schedule every day during the specified time period.

Weekly will enable the schedule only on specific days of the week.

Monthly will enable the schedule only on specific months.

Next, click “Add Schedule”.

If you selected one of the custom block or allow list options, you can click the link provided under the “schedule type” column to set the websites or categories that you would like on the list.

And finally, click “Enable Scheduler” if it is not already enabled.

That’s it for today. If you’re ready to start blocking websites you can get a free trial of BrowseControl at CurrentWare.com/Download. 

If you have any questions during your evaluation our support team is available to help you over a phone call, live chat, or email.

See you next time!

Agent-based web filters are unaffected by DNS-over-HTTPS. These solutions do not rely on DNS to perform web filtering. Instead, a software agent is installed directly on the endpoint device. This allows web filtering to occur at the browser level before DoH has an opportunity to hide the website being visited by students, patrons, or employees in a professional environment. 

For companies that rely on inspecting DNS web traffic to enforce their acceptable use policies, agent-based internet monitoring software can continue to track employee web activity on browsers that use DoH and other forms of DNS-based encryption.

If you would like to try for yourself, follow these instructions to enable DoH and see if it successfully bypasses your DNS web filter. You can then try our agent-based web filtering and internet monitoring software for free for a live proof-of-concept.  

Configure Your Networks to Disable DNS Over HTTPS

Companies that filter via the default DNS resolver need to disable DoH on their network to prevent interference with their web filtering policies. Canary domains let your network’s resolver signal to DoH-capable browsers that DoH should be disabled on your network.
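
As an added example of auditing that canary signal (not the article’s or CurrentWare’s code): Firefox’s documented canary domain is use-application-dns.net, and the script below sends an A query for it to a resolver and reports whether the reply is one that keeps Firefox’s default DoH off. It interprets NXDOMAIN or an empty NOERROR answer as the “DoH off” signal; the `send` parameter is an injection point assumed here so the interpretation logic can be checked without network access.

```python
import socket
import struct
import sys

# Firefox's documented canary domain: when the network resolver answers it with
# NXDOMAIN (or no A/AAAA records), Firefox keeps its default DoH off on that network.
CANARY_DOMAIN = "use-application-dns.net"


def build_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Build a minimal recursion-desired A query in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def canary_signals_doh_off(response: bytes) -> bool:
    """Interpret the resolver's reply: NXDOMAIN (RCODE 3) or NOERROR with zero answer
    records is what this example treats as the 'keep DoH disabled' signal."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return rcode == 3 or (rcode == 0 and ancount == 0)


def audit_resolver(resolver_ip: str, send=None) -> bool:
    """Send the canary query to a resolver over UDP/53 and interpret its reply.
    `send` is this example's own injection point so the logic can run offline."""
    query = build_query(CANARY_DOMAIN)
    if send is None:
        def send(q: bytes) -> bytes:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(3)
                sock.sendto(q, (resolver_ip, 53))
                return sock.recv(512)
    return canary_signals_doh_off(send(query))


if __name__ == "__main__":
    # Pass your internal resolver's IP; 192.0.2.53 is only a documentation address.
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    print("canary keeps DoH off:", audit_resolver(resolver))
```

A resolver that answers the canary with a real A record is one on which default-on Firefox will switch to DoH; note that, as the next paragraph describes, the signal is ignored when the user enabled DoH manually.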

Unfortunately, according to Firefox’s instructions for disabling DoH, “If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.” For this reason, the use of endpoint web filtering software is still preferred.

Sai Kit Chu
Sai Kit Chu is a Product Manager with CurrentWare. He enjoys helping businesses improve their employee productivity & data loss prevention efforts through the deployment of the CurrentWare solutions.