DNS-over-HTTPS

One of our primary focuses at JSCM Group is staying up to date on security trends and changes. Many changes add important layers of protection to a network. However, we see just as many that present themselves as improvements but in practice cause significant issues. One of these is Mozilla Firefox’s new rollout of DNS-over-HTTPS (DoH).

If you are not already familiar with it, DoH is a protocol that performs DNS lookups over an HTTPS connection. DoH was developed to secure DNS queries, which are typically sent over an unencrypted, plain-text connection. That exposure could allow others to see which websites you visit, even when the website itself uses HTTPS. As part of a new rollout, Mozilla will automatically turn on DoH in its Firefox browser. Mozilla is the first browser vendor to force this automatically, but other browsers are expected to follow suit soon.

While DoH is designed to add security to Internet traffic, there are significant concerns with this feature being enabled automatically. It may be beneficial for personal use, but it will cause significant issues for organizations and their networks.

With its DoH implementation, Mozilla has chosen to forward all DNS queries to Cloudflare DNS servers. This means that the default DNS settings on your computer, domain or network configuration will not be used. For example, even if a user’s computer is configured to point to your Domain Controller for DNS, this setting will override that. This change will prevent you from monitoring your users’ web traffic to any useful extent. It will also negate DNS services such as WatchGuard’s DNSWatch or Cisco’s DNS Umbrella.

There are a few steps you can take to prevent this. If you are using Mozilla Firefox, you can disable DoH by going to Options > General > Network Settings. You can also block DoH through application blocking on your firewall. If you choose this route, you will need to ensure that you are performing Deep Packet Inspection; otherwise the HTTPS traffic cannot be fully inspected.
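To make concrete what the browser does in the lookup described above, and why the firewall route needs TLS inspection, here is an added Python example (not from the original article) that builds a DNS query in the RFC 8484 GET form and recovers the queried name from the encoded parameter. The resolver URL is a placeholder, not a real endpoint.

```python
import base64
import struct

# Placeholder resolver endpoint (constructed for this example, not a real resolver).
DOH_ENDPOINT = "https://doh-resolver.example/dns-query"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS wire-format query (RFC 1035) for `name`, default type A.

    These are the exact bytes a traditional resolver would see in the clear on
    UDP/53. RFC 8484 recommends transaction ID 0 so identical queries cache well.
    """
    # ID=0, flags=0x0100 (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def doh_get_url(name: str, qtype: int = 1) -> str:
    """Wrap the query as an RFC 8484 GET: base64url, padding stripped, in ?dns=.

    Everything after the host name travels inside TLS, so a monitor that does not
    terminate TLS sees only an HTTPS connection to the resolver, not the name.
    """
    wire = build_dns_query(name, qtype)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={encoded}"


def queried_name(dns_param: str) -> str:
    """Recover the queried name from a ?dns= value.

    An inspecting firewall can only perform this step after decrypting the
    HTTPS session, which is why Deep Packet Inspection is required.
    """
    wire = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    labels, pos = [], 12  # question section starts after the 12-byte header
    while wire[pos] != 0:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


if __name__ == "__main__":
    url = doh_get_url("www.example.com")
    print(url)
    print(queried_name(url.split("dns=", 1)[1]))
```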

JSCM Group strongly supports stricter control over DNS. However, with DoH implemented in this way, the loss of insight into and control over your traffic is severe. Using this feature on a personal level may be beneficial, but it is not recommended for business use. Please contact us so that we can discuss successful ways to protect DNS that don’t leave you blind to your users’ activity.