Blocking DNS-over-https

L3 Networker

Hi,

I plan to create security policy rules to block dns-over-https and dns-over-tls. Is it also recommended to block dnscrypt?

In regard to dns-over-https: if the browser attempts this and fails, does it fall back to using the client's configured dns servers?


Accepted Solutions
L7 Applicator

Re: Blocking DNS-over-https

the browser should fall back to regular dns if one of the encrypted versions is unavailable.

why are you blocking these?

reaper - PANgurus.com
I drink and I know things


All Replies

L3 Networker

Re: Blocking DNS-over-https

@reaper

The reason for blocking is that corporate policy is to allow dns requests from internal DNS servers only. Also, they both create security risks that could allow tunneling of malicious traffic and could potentially bypass your security policies.

Palo Alto also recommends blocking.

You don't believe they should be blocked? I'd like to hear your reasons.

L7 Applicator

Re: Blocking DNS-over-https

@ce1028 i do believe in blocking them, but under the right circumstances

my first preference is to block all outbound DNS except the outbound connections from my in-house DNS server, for which i would force tls/https as much as possible (for privacy reasons)

in a second scenario, if there is no internal DNS i would encourage dns-over-tls/https as this provides more privacy

from the firewall you can ssl decrypt to still look inside and make sure there are no threats, but an outside listener should not be able to pick up on my dns traffic

reaper - PANgurus.com
I drink and I know things
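The policy reaper describes (all outbound DNS denied except from the in-house resolvers, which are themselves allowed to use DoT/DoH upstream) and the fallback question from the original post, as an added worked example that is not from this thread or from Palo Alto: a Python classifier that applies those rules to constructed firewall flow records. The resolver addresses, the key=value log format and the DoH hostname list are assumptions made for the example; on PAN-OS the equivalent rules would match on App-ID rather than on SNI strings.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed values for this example: the two internal resolvers the policy
# permits to talk to the outside world. Every other host must ask them.
INTERNAL_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.0.54"),
}

# Illustrative list of public DoH endpoints matched on TLS SNI. A firewall's
# application signatures (or a maintained list) would do this matching in practice.
DOH_HOSTNAMES = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    sni: str = ""   # TLS server name, empty if not TLS or not observed


def classify(flow: Flow) -> tuple[str, str]:
    """Return (verdict, rule) for one flow under the 'internal resolvers only' policy."""
    src_ip, dst_ip = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    from_resolver = src_ip in INTERNAL_RESOLVERS
    to_resolver = dst_ip in INTERNAL_RESOLVERS
    proto, port = flow.proto.lower(), flow.dport

    is_dns = port == 53 and proto in ("udp", "tcp")          # plain DNS
    is_dot = port == 853 and proto == "tcp"                   # DNS over TLS has its own port
    is_doh = port == 443 and proto == "tcp" and flow.sni.lower() in DOH_HOSTNAMES  # DoH hides in 443
    if not (is_dns or is_dot or is_doh):
        return ("allow", "default")

    kind = "dns" if is_dns else "dot" if is_dot else "doh"
    if to_resolver:
        # Clients querying the in-house resolvers: this is the sanctioned path.
        return ("allow", f"{kind}-to-internal-resolver")
    if from_resolver:
        # The resolvers themselves may go upstream, encrypted or not.
        return ("allow", f"{kind}-from-internal-resolver")
    # Anything else is a host resolving around the internal resolvers, including
    # the plain-DNS retry a client makes after its DoH attempt is denied.
    return ("deny", f"{kind}-bypass")


# Constructed log format for the example: key=value pairs, one flow per line.
_LOG_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> Flow:
    kv = dict(_LOG_RE.findall(line))
    return Flow(kv["src"], kv["dst"], kv["proto"], int(kv["dport"]), kv.get("sni", ""))


def evaluate(lines: list[str]) -> list[tuple[str, str, str]]:
    """Classify each log line; returns (src, verdict, rule) per line."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        verdict, rule = classify(flow)
        results.append((flow.src, verdict, rule))
    return results


SAMPLE_LOG = [  # constructed sample flows
    "src=10.0.0.53 dst=9.9.9.9 proto=tcp dport=853",                         # resolver using DoT upstream
    "src=10.1.2.7 dst=1.1.1.1 proto=tcp dport=443 sni=cloudflare-dns.com",   # workstation trying DoH
    "src=10.1.2.7 dst=8.8.8.8 proto=udp dport=53",                           # same host falling back to plain DNS
    "src=10.1.2.7 dst=10.0.0.53 proto=udp dport=53",                         # fallback aimed at the internal resolver
    "src=10.1.2.7 dst=203.0.113.10 proto=tcp dport=443 sni=example.com",     # ordinary web traffic
]

if __name__ == "__main__":
    for src, verdict, rule in evaluate(SAMPLE_LOG):
        print(f"{src:12} {verdict:5} {rule}")
```

The third and fourth sample lines are the fallback case from the original question: once the DoH attempt is denied, the workstation retries with plain DNS, and whether that succeeds depends on where its configured resolver points. Plain DNS to an outside resolver is denied by the same policy, so the fallback only works for clients configured to use the internal resolvers. SNI matching misses DoH to an endpoint not in the list or reached by bare IP, which is why decryption or application signatures are the stronger control.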
L3 Networker

Re: Blocking DNS-over-https

@reaper

I agree with your assessment. I'm all for encrypted dns, but I want all my dns requests coming from my internal dns servers, as you stated.

However, I thought dns-over-https uses certificate pinning, which would not allow it to be decrypted?

L7 Applicator

Re: Blocking DNS-over-https

@ce1028 I thought pinning was by choice

reaper - PANgurus.com
I drink and I know things
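ce1028's pinning question and reaper's answer that pinning is opt-in, as an added illustration that is not from this thread: a Python sketch of an HPKP-style SPKI pin check and what a DoH client with and without a configured pin sees when a decrypting firewall re-signs the resolver's certificate. The SPKI byte strings are constructed stand-ins, and whether any particular browser ships a pin for its DoH resolver is not something this thread establishes.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin value as used by HPKP-style clients: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_acceptable(chain_spkis: list[bytes], pins: set[str]) -> bool:
    """True if the client should proceed with the handshake.

    Pinning is opt-in: with no pins configured, ordinary PKI validation (assumed
    to have already passed) is all the client checks. With pins configured, at
    least one certificate in the presented chain must carry a pinned key.
    """
    if not pins:
        return True
    return any(spki_pin(spki) in pins for spki in chain_spkis)


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. Real ones are
# the public-key section of the X.509 certificate; here they only need to differ.
RESOLVER_SPKI = b"constructed-spki-of-the-real-doh-resolver"
FIREWALL_SPKI = b"constructed-spki-of-the-firewall-forward-trust-reissued-leaf"


def decrypted_session_outcome(client_pins: set[str]) -> str:
    """What a DoH client sees when a decrypting firewall sits in the path.

    The firewall re-signs the resolver's certificate with its own key, so the
    chain the client sees carries the firewall's key, not the resolver's.
    """
    intercepted_chain = [FIREWALL_SPKI]
    return "connected" if chain_acceptable(intercepted_chain, client_pins) else "pin-failure"


if __name__ == "__main__":
    pinned = {spki_pin(RESOLVER_SPKI)}  # client that ships a pin for its resolver
    print("pinned client:  ", decrypted_session_outcome(pinned))   # pin-failure
    print("unpinned client:", decrypted_session_outcome(set()))   # connected
```

A pinned client fails closed under decryption: the handshake is rejected before any DNS query is sent, and on the client it appears as a TLS error rather than a DNS error, which is the thing to look for when a DoH client stops working after decryption is enabled. A client with no pins configured accepts the firewall's re-signed chain as long as the forward-trust CA is in its trust store, which is the case reaper's "by choice" answer describes.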