What is DNS over HTTPS?
DNS over HTTPS (DoH) is a new approach to DNS that is being explored by the Firefox and Chrome development teams. The new approach makes DNS requests over HTTPS instead of the traditional UDP based DNS protocol. DoH is claimed to be a more secure DNS infrastructure that protects some users from local monitoring on some shared networks.
What is the current status of DNS over HTTPS implementation by Firefox and Chrome?
Currently, this technology is in the testing phase and must be manually enabled in the Firefox browser settings or Chrome command line in order to activate.
Note: Both browsers have officially committed to the long term support of DNS based filtering systems used by enterprise and educational markets.
To continue to be compatible with these solutions, Firefox will include a mechanism (DNS Canary) to check if the network they are communicating on supports DoH. If not, the browser would fall back on the current practice of using the DNS. Furthermore, Firefox also plans to check for existing parental controls or web-filters first to ensure DoH will not override measures in place to keep the user safe online.
On Chrome’s part, it will only upgrade a DNS provider to DoH if that same DNS provider is on its official list of providers that specifically support DoH. In other words, Chrome will not allow a user to switch from the system specified DNS setting to a different DoH provider altogether - a behavior even more restrictive than Firefox. Chrome will provide an enterprise group policy so that enterprises can disable the DoH option if required on managed devices.
How does it impact Securly filtering?
Securly’s filtering ability for both schools or parents is not impacted by DoH. Due to intense international pressure, modern browsers are committed to being compliant with web-filtering and parental-control companies that rely on DNS. The Securly SmartPAC and Chrome Extension are also fully forward-compatible with the new approach.
Users will not experience any changes or interruptions.
How is Securly preparing for the DNS over HTTPS change?
While no actual impact is expected given the above official guidance from modern browser vendors, we are implementing additional layers of defense in line with best practices from other DNS based filtering vendors and service providers.
First, Securly DNS will block the Canary DNS domain names that let browsers know if the network supports DoH. This will prevent browsers from using DoH on devices that are using the Securly DNS service. Securly is adding these known DoH servers to its list of Proxy/Anonymizers category to ensure schools can effectively block these canaries just like we block proxying and anonymizer sites already.
Second, Securly will also keep this KB article updated with best practices for keeping your network safe from DoH - including device management and firewall management guidance.
How can schools help?
Schools should ensure that the IT admin and not students have complete control over the OS and browser settings on students’ devices. It’s also recommended to block traffic to certain DoH IPs at the school firewall level.
There are many bypass methodologies in the wild for browsers ranging from proxy servers to onion routing. The OS and browser settings must be locked down on desktops for the browsers to be secure. Check out this KB for details about how to lock Firefox preferences with Group Policy.
It is good policy to block traffic to the DoH IP's at the school firewall level. This will prevent users from accessing these servers by IP if they discover a way to make unauthorized changes to the OS or browser configuration.
The two known DoH providers are:
DNS over HTTPS is a tectonic change for networking and would take a significant amount of time to be implemented and become widespread. You can rest assured that the industry’s proposed DoH shift is committed to being compatible with parental controls and web-filtering vendors.