How to handle DNS over HTTPS
About this Document
In this document, we explain how DNS over HTTPS is handled by the AXS Guard appliance.
DNS over TLS (DoT) is frequently mentioned together with DNS over HTTPS (DoH). Although their goals are the same, i.e. the encryption of DNS requests, their methods differ. As specified in RFC 7858, DNS over TLS uses a dedicated port (TCP / UDP 853). Simply block this port in the AXS Guard firewall if you wish to block DoT traffic.
About DNS over HTTPS
When you type a web address or domain name into your address bar, e.g. www.mozilla.org, your browser sends a request over the Internet to look up the IP address for that website, a.k.a. DNS resolution.
Traditionally, this request is sent to servers over an unencrypted, plaintext connection, which means that third parties, such as system administrators, can see which websites are being accessed.
DNS over HTTPS (DoH) works differently. It uses an encrypted connection to resolve the web address, which prevents third parties, such as system administrators, from seeing which websites are being accessed.
Issues with DNS over HTTPS
DNS over HTTPS is problematic for the analysis and monitoring of DNS traffic for cyber security purposes. DoH can be used to bypass company content-control software and DNS policies, as it uses encryption.
Some users and organizations heavily rely on DNS to block malware, enable parental controls or to control access to certain websites.
When enabled, DoH will bypass the local DNS resolver of the client, and users will be able to access potentially forbidden and harmful content.
Handling various Client Implementations on AXS Guard
When DNS over HTTPS is enabled in Firefox, the browser overrides all local DNS settings and will always use DNS over HTTPS.
Firefox implemented a mechanism to automatically disable or enable DNS over HTTPS based on a canary domain.
The canary domain is used by the heuristics check in Firefox, which is only executed whenever the browser is started and when the user has not already explicitly enabled or disabled DNS over HTTPS.
Note that both conditions must be fulfilled.
The Firefox internal heuristics check will attempt to resolve the canary domain use-application-dns.net. If the DNS query returns a response without A or AAAA records, or an error response, it means that DNS over HTTPS has been successfully disabled.
The canary domain is enabled by default in the internal DNS repository of the AXS Guard appliance.
This mechanism will only work for users who didn’t already explicitly enable or disable the DoH option in their browser.
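The following script is an added example and is not part of the AXS Guard documentation or product. It builds the same plain-DNS query for the canary domain that Firefox sends at start-up, parses the wire-format response, and classifies it the way the heuristic above does: a response with no A or AAAA records, or an error response code, means DoH will be disabled; an A or AAAA answer means Firefox is free to enable DoH. The sample responses are constructed inline (the 192.0.2.10 address is a documentation address), and the resolver IP on the command line is an assumption; nothing here is AXS Guard's own code.

```python
import socket
import struct
import sys

CANARY_DOMAIN = "use-application-dns.net"

# DNS header response codes and record types (RFC 1035 / RFC 3596)
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3
TYPE_A = 1
TYPE_AAAA = 28


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Build a minimal recursive (RD=1) wire-format DNS query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def _skip_name(buf, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return offset + 2
        offset += 1 + length


def parse_response(buf):
    """Return (rcode, [record types in the answer section]) of a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s): name + QTYPE + QCLASS
        offset = _skip_name(buf, offset) + 4
    answer_types = []
    for _ in range(ancount):
        offset = _skip_name(buf, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", buf[offset:offset + 10])
        offset += 10 + rdlength
        answer_types.append(rtype)
    return rcode, answer_types


def doh_disabled_by_canary(response):
    """True when the canary response tells Firefox not to enable DoH."""
    rcode, answer_types = parse_response(response)
    if rcode in (RCODE_NXDOMAIN, RCODE_SERVFAIL):
        return True  # error response: DoH stays off
    if rcode == RCODE_NOERROR and not any(t in (TYPE_A, TYPE_AAAA) for t in answer_types):
        return True  # empty NOERROR answer: DoH stays off
    return False  # canary resolves to an address: Firefox may enable DoH


def query_resolver(resolver_ip, name=CANARY_DOMAIN, timeout=2.0):
    """Send the canary query over plain UDP/53 to `resolver_ip` and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _addr = sock.recvfrom(4096)
    return data


def _constructed_response(rcode, answers, txid=0x1234):
    """Constructed sample reply: echoes the canary question, then `answers` as
    (type, rdata) tuples whose owner name is a pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = build_query(CANARY_DOMAIN)[12:]
    body = b""
    for rtype, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + body


# Constructed sample responses (not captured traffic)
SAMPLE_NXDOMAIN = _constructed_response(RCODE_NXDOMAIN, [])
SAMPLE_SERVFAIL = _constructed_response(RCODE_SERVFAIL, [])
SAMPLE_NOERROR_EMPTY = _constructed_response(RCODE_NOERROR, [])
SAMPLE_WITH_A = _constructed_response(RCODE_NOERROR, [(TYPE_A, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    # Usage: python canary_check.py <resolver-ip>   (resolver IP is an assumption)
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    reply = query_resolver(resolver)
    rcode, types = parse_response(reply)
    verdict = "DoH disabled" if doh_disabled_by_canary(reply) else "DoH may be enabled"
    print(f"{resolver}: rcode={rcode} answer_types={types} -> {verdict}")
```

Run it against the client-facing resolver of the appliance to confirm that the canary entry in the internal DNS repository produces the intended verdict; running it against a public resolver instead shows the A record that would let Firefox keep DoH on.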
In the latter case, there is a way to reset the default browser behavior by changing some Firefox configuration options.
Enter about:config in the browser’s address bar, press enter and accept the warning.
Set the following options to
Close and restart Firefox.
When DNS over HTTPS is enabled in Google Chrome, it will still use the configured DNS server. However, Chrome will default to DNS over HTTPS if the configured DNS server supports it.
This implementation prevents Google Chrome from hijacking the operating system’s DNS settings, which is a more sensible approach for enterprise environments.
Currently, Chrome’s DNS over HTTPS implementation works as follows:
A user types in a website into the browser’s address bar.
Chrome looks at the operating system’s DNS server.
Chrome checks if this DNS server appears on a whitelist of approved DNS-over-HTTPS-capable DNS servers.
If yes, Chrome sends a DoH (encrypted DNS query) to the DNS server.
If not, Chrome will send a regular DNS query to the same server.
Chrome currently supports the following DoH providers:
No configuration changes are needed on AXS Guard to disable DNS over HTTPS when Google Chrome browsers are used.
Microsoft Edge’s implementation is the same as Google Chrome’s. No configuration changes are needed on AXS Guard.
DNS over HTTPS is disabled by default in Opera; no configuration changes are required on AXS Guard.
When enabled, Opera will default to DNS over HTTPS and use the Cloudflare DNS resolvers (126.96.36.199).
The Windows 10 implementation is identical to the Edge Browser implementation. DoH will only be used if Windows is already configured for it.
There are currently several public DNS servers that support DoH, and if a Windows user or device administrator configures one of them today, Windows will only use unencrypted DNS towards that server.
However, as these servers and their DoH configurations are well-known, Windows may automatically upgrade to DoH in the future.
Currently, Windows does not make any automated changes to existing DNS server configurations. Users and administrators decide which DNS servers to use by picking the network they join or by specifying the server directly.
Many organizations use DNS content filtering to block offensive or malicious websites. Silently changing the DNS server configuration on clients could inadvertently bypass these controls and frustrate users and administrators, which is why Microsoft did not yet automate the DoH configuration process.