Block DNS over HTTPS for a Safer Internet

Author

Reads 458

Close-up of a hand adjusting network equipment in a data center.
Credit: pexels.com, Close-up of a hand adjusting network equipment in a data center.

Blocking DNS over HTTPS is a straightforward process that can be done on most devices.

To start, you'll need to know that DNS over HTTPS is a protocol that encrypts DNS traffic, making it harder for hackers to intercept and steal your data.

However, this encryption also means that your internet service provider (ISP) can't see the websites you're visiting, which is a problem for those who rely on their ISP to block access to certain sites.

In the US, for example, some ISPs have been known to throttle or block access to certain websites, and blocking DNS over HTTPS can help prevent this.

On a similar theme: Looker Studio Access Control

What is DoH and DoT

DoH and DoT are protocols designed to increase user privacy and security by encrypting DNS queries. This means your internet service provider (ISP) can't see what websites you're visiting.

DoH encrypts DNS queries by sending them over the HTTPS port (443), making it difficult to identify and block using traditional methods. This can be a problem if you're trying to block DoH.

DoT uses port 853 for its encrypted DNS queries, allowing easier identification and blocking via firewall settings. This makes it a more manageable option for those who want to block DNS over HTTPS.

Why Block DoH and DoT

Credit: youtube.com, How ISPs Still Block You Even With DNS Over HTTPS?! (And How To Outsmart Them!)

Blocking DoH and DoT is crucial for maintaining network visibility. It allows administrators to see what's happening on their network.

Nearly 90% of pages loaded in Google Chrome are encrypted, and 98% of port 443 and 80 are exposed to the internet. This makes it difficult to monitor and control DNS queries.

By blocking DoH and DoT, you can prevent users from bypassing DNS-based blocking filters, reducing network administrators' visibility into the traffic. This is because encrypted DNS traffic can obscure signals used by security tools to identify suspicious activity.

Here are the reasons why blocking DoH and DoT is important:

Importance of Blocking DoT

Blocking DoT is crucial because it can obscure signals that many security tools rely on to identify suspicious activity. This can hinder threat detection and make it harder for network administrators to stay on top of potential security issues.

By allowing encrypted DNS traffic, users can bypass organizational policies, potentially leading to security and compliance issues. This can be a major problem for companies that rely on strict policies to keep their networks secure.

Here are the key reasons why blocking DoT is important:

Stopping DOH Abuse

Credit: youtube.com, DoH! DNS over HTTPS: for Attackers and Defenders - Marcus W Tonsmann

DOH is a protocol that encrypts DNS queries, but it has a major flaw - it makes it difficult for security tools to detect threats. Nearly 90% of pages loaded in Google Chrome are encrypted, and a staggering 98% of port 443 (and port 80) are exposed to the internet.

The problem with DOH is that it allows threat actors to hide malicious payloads in encrypted traffic. This is because security tools can't inspect all SSL/TLS traffic, making it easy for attackers to take advantage of the implicit trust.

DOH is designed to increase privacy and prevent ISPs from tracking activities, but it has actually weakened security measures. By performing DNS resolution using HTTPS protocol, DOH allows users or browsers to choose which DNS server to send their encrypted requests to, making it difficult for administrators to block or redirect malicious requests.

Here's a breakdown of the reasons why DOH is abused by adversaries:

DOH is a ticking time bomb for security, and it's essential to take back control by ensuring all DNS requests and responses are secure. Zscaler Firewall can help prevent threats over DoH and stop C2 communication, while also boosting performance with geo-delivered DNS resolution.

Blocking Methods

Credit: youtube.com, Can DNS Over HTTPS (DoH) Be Blocked? - SecurityFirstCorp.com

Blocking DNS over HTTPS (DoH) requires some extra steps, but don't worry, it's not rocket science. Exium's approach to blocking DoH is quite clever.

Exium is developing a list of known DoH providers, which MSPs can block through a one-click policy configuration. This allows blocking DoH traffic without affecting regular HTTPS usage.

You can block DoH by configuring a list of known DoH providers, which is a more straightforward approach. Exium's SASE platform makes this process user-friendly.

To block DoT, you'll need to create a new rule in your firewall configuration. Select "Rules" from the left menu-bar and click on “Add Rule” to initiate the process.

Here's a step-by-step guide to blocking DoT:

  1. Activate “Tunnel All Traffic” to ensure all traffic is tunneled through the network.
  2. Create a new rule with the necessary information to set up the rule for blocking DoT.
  3. Save the rule to establish the new policy.
  4. Configure local firewall rules at sites with Cyber Gateways to block DNS over TLS (DoT) effectively.

How it Works

DoH works just like DNS, except it uses Transmission Control Protocol (TCP) to transmit and receive queries.

A DNS query is sent to a DoH-compatible DNS server (resolver) via an encrypted HTTPS connection on port 443, rather than plaintext on port 53.

Credit: youtube.com, DNS Encryption explained - DNS over TLS (DoT) & DNS over HTTPS (DoH)

This encrypted connection prevents third-party observers from sniffing traffic and understanding what DNS queries users have run, or what websites users are intending to access.

The DoH (DNS) request is even invisible to cyber-security software that relies on passive DNS monitoring to block requests to known malicious domains.

DoH isn't enabled by default for everyone, and you don't have to use it if you don't want to.

Decision Time

DoH can bypass the protection provided by Cisco Umbrella.

To improve coverage, customers should block known DoH servers, which are included in the “Proxy / Anonymizer” content category.

Blocking Newly Seen Domains can also enhance coverage.

Cisco Umbrella supports the “use-application-dns.net” domain to prevent Firefox from enabling DoH by default.

However, users can still enable DoH manually by configuring a DoH server.

Frequently Asked Questions

Does 1.1.1.1 use DNS over HTTPS?

Yes, 1.1.1.1 supports DNS over HTTPS (DoH) to encrypt DNS queries and protect user privacy. This protocol is enabled by default in several browsers that support 1.1.1.1.

Melba Kovacek

Writer

Melba Kovacek is a seasoned writer with a passion for shedding light on the complexities of modern technology. Her writing career spans a diverse range of topics, with a focus on exploring the intricacies of cloud services and their impact on users. With a keen eye for detail and a knack for simplifying complex concepts, Melba has established herself as a trusted voice in the tech journalism community.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.