Palo Alto Networks is releasing a new category called “Encrypted-DNS” under Advanced URL Filtering.
ACTION: By default, the action for the “Encrypted-DNS” category is set to "Allow". Palo Alto Networks recommends configuring your URL Filtering security profile(s) to "Block" DNS over HTTPS (DoH) requests if DoH is not permitted (unsanctioned) within your network. If DoH is already blocked as part of your Decryption and App-ID configuration, no additional action is required (as outlined here: Protecting Organizations in a World of DoH and DoT).
Unlike traditional DNS, which sends queries and responses in cleartext, protocols like DNS over HTTPS encrypt them to provide privacy and integrity for end users. DoH is supported by all popular browsers, such as Google Chrome and Mozilla Firefox, and by operating systems from Apple and Microsoft, and several of these enable it by default. Encrypted-DNS is a new category added to the Advanced URL Filtering subscription to classify the resolvers that handle DoH traffic.
Yes. It is, however, only supported on PAN-OS 9.1 and above. On PAN-OS 9.0 and earlier, Encrypted-DNS detections are covered under the category “Computer-and-internet-info".
The “Encrypted-DNS” category will be visible on the administrator management console beginning October 6th, 2022, although we will not use the category to classify web pages until December 8th, 2022.
Starting December 8th, 2022, Palo Alto Networks will begin classifying the URLs of DoH resolvers (endpoints that answer DoH queries) under this category. Please ensure that your security policy rules and URL Filtering profiles are configured appropriately for this new category before that date.
Note: The Encrypted-DNS category functionality will only be supported on PAN-OS versions 9.1 onwards. For PAN-OS version 9.0 and below, Encrypted-DNS detections will be covered under the “Computer-and-internet-info" category.
Protocols like DoH encrypt DNS queries, so the domains a user requests are carried inside a TLS session to the resolver; a firewall that does not decrypt that session sees only the resolver's hostname (for example via the TLS SNI), which is what the URL category matches on. When traffic to DoH resolvers is blocked, applications running in the common default (opportunistic) mode fall back to the regular DNS resolver configured on the host, restoring the organization's visibility and control over name resolution. Applications configured to use DoH exclusively, with no fallback, will fail to resolve names rather than revert to plain DNS, so test critical endpoints before enforcing a block broadly.
ACTION: Our recommendation is to "Block" Encrypted-DNS traffic in your URL filtering security profiles.
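The following worked example is added here to illustrate the point above; it is not Palo Alto Networks code or part of the original article. It builds an RFC 8484 DoH GET request for a query, shows that a firewall without decryption sees only the resolver hostname (never the queried domain), and models the allow/block decision a URL Filtering profile makes on that hostname. The resolver names and the category table are constructed for illustration and are not the real Advanced URL Filtering database.

```python
"""
Added example (not Palo Alto Networks code): what a DoH query looks like on
the wire, what a non-decrypting firewall can see, and how a per-category
URL Filtering decision on the resolver hostname allows or blocks it.
"""
import base64
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample category table; the real Advanced URL Filtering
# database is cloud-hosted and far larger.
CATEGORY_DB = {
    "doh.example-resolver.net": "encrypted-dns",
    "www.example.com": "computer-and-internet-info",
}


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal RFC 1035 DNS query for `name` (default QTYPE A).
    RFC 8484 requires ID 0 in DoH queries so GET URLs are cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_qname(message: bytes) -> str:
    """Extract the question name from a DNS message (queries use no compression)."""
    offset, labels = 12, []  # skip the 12-byte header
    while True:
        length = message[offset]
        offset += 1
        if length == 0:
            break
        labels.append(message[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def doh_get_url(resolver_host: str, name: str) -> str:
    """Encode the query as an RFC 8484 GET: base64url, padding stripped."""
    wire = build_dns_query(name)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}/dns-query?dns={b64}"


def decode_doh_get_url(url: str) -> str:
    """What an inspector sees only AFTER TLS decryption: the queried name."""
    b64 = parse_qs(urlparse(url).query)["dns"][0]
    b64 += "=" * (-len(b64) % 4)  # restore padding for the decoder
    return parse_qname(base64.urlsafe_b64decode(b64))


def visible_without_decryption(url: str) -> str:
    """Without decryption the firewall sees only the SNI/host, never the path."""
    return urlparse(url).hostname


def url_filter_decision(sni: str, block_categories: set) -> str:
    """Category-based action on the host, as a URL Filtering profile would make.
    Constructed policy: anything not in a blocked category is allowed."""
    category = CATEGORY_DB.get(sni, "unknown")
    return "block" if category in block_categories else "allow"


if __name__ == "__main__":
    url = doh_get_url("doh.example-resolver.net", "internal.corp.example")
    sni = visible_without_decryption(url)
    print("request URL:               ", url)
    print("visible without decryption:", sni)
    print("visible after decryption:  ", decode_doh_get_url(url))
    print("profile decision:          ", url_filter_decision(sni, {"encrypted-dns"}))
```

The base64url alphabet contains no dot, so the queried domain can never appear literally in the request; only by decrypting the session (or by blocking the resolver category outright, as the article recommends) does the firewall regain control over what is being resolved.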
Note: In an upcoming PAN-OS release, the DNS Security subscription will support inspection of DNS over HTTPS traffic. With this support, this new category can be used to enforce decryption of DoH traffic and apply DNS Security inspection. Please stay tuned for further information.
Additional Information:
For more information on best practices when managing URL Filtering categories, refer to these resources:
URL Filtering Category Recommendations
Complete List of Advanced URL Filtering Categories