topic Re: Blocking DNS-over-https in General Topics

Blocking DNS-over-https

ce1028 — Sun, 29 Mar 2020 17:31:12 GMT

Hi,

I plan to create security policy rules to block dns-over-https and dns-over-tls. Is it also recommended to block dnscrypt?

In regards to dns-over-https. If the browser attempts this and fails, does it fallback to using the client's configured dns servers?

Re: Blocking DNS-over-https

reaper — Mon, 30 Mar 2020 06:36:04 GMT

the browser should fall back to regular dns if one of the encrypted versions is unavailable.

why are you blocking these?

Re: Blocking DNS-over-https

ce1028 — Mon, 30 Mar 2020 13:04:29 GMT

@reaper

Reason for blocking is corporate policy is to allow dns requests from internal DNS servers only. Also, they both create security risks that could allow tunneling of malicious traffic and also could potentially bypass your security policies

Palo Alto also recommends blocking.

You don't believe they should be blocked? I'd like to hear your reasons

Re: Blocking DNS-over-https

reaper — Mon, 30 Mar 2020 13:17:27 GMT

@ce1028 i do believe in blocking them, but under the right circumstances 🙂

my first preference is to block all outbound DNS except the outbound connections from my inhouse DNS server for which i would force tls/https as much as possible (for privacy reasons)

in a second scenario, if there is no internal DNS i would encourage dns-over-tls/https as this provides more privacy

from the firewall you can ssl decrypt to still look inside and make sure there are not threats, but an outside listener should not be able to pick up on my dns traffic

Re: Blocking DNS-over-https

ce1028 — Mon, 30 Mar 2020 13:40:07 GMT

@reaper

I agree your assessment. I'm all for encrypted dns, but I want all my dns requests coming from my internal dns servers, as you stated.

However, I thought dns-over-https uses certificate pinning, which would not allow it to be decrypted?

Re: Blocking DNS-over-https

reaper — Mon, 30 Mar 2020 14:11:02 GMT

@ce1028 I thought pinning was by choice

Re: Blocking DNS-over-https

MRamadanAHafiez — Thu, 18 Aug 2022 12:25:49 GMT

Hello,

I have tow cases, one we can decrypt the traffic and this is which is possible to allow secured DNS.

my second case in another network with no decryption applied "network requirements", here should I should I block the DNS_Over_https, and allow only benign DNS traffic to inhouse DNS server?

Notice:

even without decryption rule, how possible to the firewall to read into the ssl traffic and discover the DNS_over_https?

Thank you