Palo Alto Networks is releasing a new category called “Encrypted-DNS” under Advanced URL Filtering.
ACTION: By default, the “Encrypted-DNS” category action is set to "Allow". Palo Alto Networks recommends configuring your URL Filtering security profile(s) to "Block" DNS over HTTPS (DoH) requests if DoH is not permitted (unsanctioned) within your network. If DoH is already blocked as part of your Decryption and App-ID configuration (as outlined in Protecting Organizations in a World of DoH and DoT), no additional action is required.
What is the “Encrypted-DNS” category?
Unlike traditional DNS, protocols like DNS over HTTPS encrypt DNS requests and responses to ensure privacy and security for end users. Support for DoH is available and enabled by default in all popular browsers such as Google Chrome and Mozilla Firefox, as well as in software from leading vendors like Apple and Microsoft. Encrypted-DNS is a new category added in the Advanced URL Filtering subscription to handle DoH traffic.
Will the “Encrypted-DNS” category be visible across all PAN-OS versions?
Yes, but it is only supported on PAN-OS 9.1 and above. On PAN-OS 9.0 and below, Encrypted-DNS detections are covered under the “Computer-and-internet-info” category.
When will the “Encrypted-DNS” category be available?
The “Encrypted-DNS” category will be visible on the administrator management console beginning October 6th, 2022, although we will not use the category to classify web pages until December 8th, 2022.
When will the “Encrypted-DNS” category be functional?
Starting December 8th, 2022, Palo Alto Networks will start publishing URLs that resolve DoH queries (DoH resolvers). Please ensure that your security policy rules are configured properly for this new category.
Note: The Encrypted-DNS category functionality is only supported on PAN-OS 9.1 onwards. On PAN-OS 9.0 and below, Encrypted-DNS detections are covered under the “Computer-and-internet-info” category.
What is the recommended action for the “Encrypted-DNS” category?
Protocols like DoH encrypt DNS queries and hide the domains requested by a user. By blocking DoH traffic, applications using DoH fall back to regular DNS, allowing organizations to gain visibility and control of their internet traffic.
ACTION: Our recommendation is to "Block" Encrypted-DNS traffic in your URL filtering security profiles.
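As an added example (not Palo Alto Networks' own code or tooling), the following Python audit reads an exported PAN-OS configuration and reports which URL Filtering profiles still leave the Encrypted-DNS category on the default "Allow" rather than "Block". It assumes the usual config-export layout (profiles/url-filtering/entry with allow/alert/continue/override/block member lists) and the lowercase category spelling "encrypted-dns"; the sample configuration is constructed for the example.

```python
"""Audit PAN-OS URL Filtering profiles for the Encrypted-DNS category action.

Assumptions (not from the announcement): profiles sit under
profiles/url-filtering/entry[@name] in the config export, each action is a
list of <member> category names, and the category is spelled "encrypted-dns".
"""
import xml.etree.ElementTree as ET

CATEGORY = "encrypted-dns"  # assumed XML/CLI spelling of the category
ACTIONS = ("allow", "alert", "continue", "override", "block")

# Constructed sample export: one profile explicitly allowing the category,
# one already set to the recommended block, one not listing it at all
# (which leaves the category's default action, "Allow", in effect).
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<profiles><url-filtering>
  <entry name="default-url-profile">
    <allow><member>computer-and-internet-info</member><member>encrypted-dns</member></allow>
    <block><member>malware</member></block>
  </entry>
  <entry name="hardened-url-profile">
    <block><member>malware</member><member>encrypted-dns</member></block>
  </entry>
  <entry name="untouched-profile">
    <alert><member>computer-and-internet-info</member></alert>
  </entry>
</url-filtering></profiles>
</entry></vsys></entry></devices></config>
"""


def category_actions(config_xml, category=CATEGORY):
    """Return {profile_name: action} for the category in every URL profile.

    A profile that does not list the category anywhere maps to "default",
    i.e. the category's built-in default action (Allow for Encrypted-DNS).
    """
    root = ET.fromstring(config_xml)
    result = {}
    for section in root.iter("url-filtering"):
        for prof in section.findall("entry"):
            action = "default"
            for act in ACTIONS:
                if category in [m.text for m in prof.findall(f"{act}/member")]:
                    action = act
            result[prof.get("name")] = action
    return result


def noncompliant_profiles(config_xml, category=CATEGORY):
    """Profiles whose action for the category is anything other than block."""
    actions = category_actions(config_xml, category)
    return sorted(name for name, act in actions.items() if act != "block")
```

Run it against a config export from a PAN-OS 9.1 or later device; on 9.0 and below the category does not exist, so every profile would report "default".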
Note: In an upcoming PAN-OS release, the DNS Security subscription will support inspection of DNS over HTTPS traffic. With this support, this new category can be used to enforce decryption of DoH traffic and apply DNS Security inspection. Please stay tuned for further information.
For more information on best practices when managing URL Filtering categories, refer to these resources: