- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Blocking DNS-over-https
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-29-2020 10:31 AM
Hi,
I plan to create security policy rules to block dns-over-https and dns-over-tls. Is it also recommended to block dnscrypt?
In regards to dns-over-https. If the browser attempts this and fails, does it fallback to using the client's configured dns servers?
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-29-2020 11:36 PM
the browser should fall back to regular dns if one of the encrypted versions is unavailable.
why are you blocking these?
Like my answer? check out my book! https://bit.ly/MasteringPAN
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-29-2020 11:36 PM
the browser should fall back to regular dns if one of the encrypted versions is unavailable.
why are you blocking these?
Like my answer? check out my book! https://bit.ly/MasteringPAN
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-30-2020 06:04 AM
Reason for blocking is corporate policy is to allow dns requests from internal DNS servers only. Also, they both create security risks that could allow tunneling of malicious traffic and also could potentially bypass your security policies
Palo Alto also recommends blocking.
You don't believe they should be blocked? I'd like to hear your reasons
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-30-2020 06:17 AM
@ce1028 i do believe in blocking them, but under the right circumstances
my first preference is to block all outbound DNS except the outbound connections from my inhouse DNS server for which i would force tls/https as much as possible (for privacy reasons)
in a second scenario, if there is no internal DNS i would encourage dns-over-tls/https as this provides more privacy
from the firewall you can ssl decrypt to still look inside and make sure there are not threats, but an outside listener should not be able to pick up on my dns traffic
Like my answer? check out my book! https://bit.ly/MasteringPAN
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-30-2020 06:38 AM - edited 03-30-2020 06:40 AM
I agree your assessment. I'm all for encrypted dns, but I want all my dns requests coming from my internal dns servers, as you stated.
However, I thought dns-over-https uses certificate pinning, which would not allow it to be decrypted?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-30-2020 07:11 AM
@ce1028 I thought pinning was by choice
Like my answer? check out my book! https://bit.ly/MasteringPAN
- unable to block google chrome updates in General Topics
- Traffic with MTU SIZE 1000 is not working in General Topics
- URL Blocking not working in Threat & Vulnerability Discussions
- Instagram allowed in the security policy, but the pictures are not displayed correctly on the website in General Topics
- File Blocking Profile - Can not block file-transfer over "Wechat-file-transfer" Application in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
