This article describes DNS over HTTPS (DoH) and its impact on Sophos web security products. The following sections are covered:
Applies to the following Sophos products and versions: Sophos XG Firewall, Sophos UTM, Sophos Web Appliance, Endpoint Web Control.
DNS over HTTPS (DoH) will have a very limited impact on the protections provided by SG UTM and XG Firewall. We do not expect it to have an impact on Endpoint Web Control or Sophos Web Appliance, because those products inspect web requests rather than DNS traffic.
The impacted features on SG UTM and XG Firewall are those that rely on monitoring DNS queries on the network. These features will be blind to DNS lookups over HTTPS:
On enterprise-managed endpoints, you can enforce configuration that prevents users from enabling DoH. Firefox will not use DoH by default on installations where it detects enterprise policies.
For unmanaged endpoints, there are ways to prevent the use of DoH on your network.
Firefox supports a method that requires you to configure your local DNS infrastructure to respond with NXDOMAIN to queries for the canary domain use-application-dns.net. Firefox looks this name up before turning DoH on automatically and, if the answer is NXDOMAIN, stays with conventional DNS. Note that the canary domain only affects DoH that Firefox would enable on its own; a user who has explicitly turned DoH on in the Firefox settings is not affected by it. This method is currently specific to Firefox.
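The following is an added example, not code from the original article or from Sophos, showing what the canary-domain answer looks like on the wire. It parses an incoming DNS query, and if the question is for use-application-dns.net (or a name under it) it synthesises a response with RCODE 3 (NXDOMAIN) and the question section echoed back; any other query is left for the normal upstream resolver. A production resolver would do this through its own local-zone configuration; the script is for understanding and testing the mechanism. The listen port 5353 and the upstream address 192.0.2.53 are placeholders (assumptions), not values from the article.

```python
"""Answer NXDOMAIN for the Firefox DoH canary domain (added example)."""
import socket
import struct

# Firefox queries this name before enabling DoH automatically; an NXDOMAIN
# answer from the local resolver tells it to keep using plain DNS.
CANARY_DOMAIN = "use-application-dns.net"

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    return b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed QNAME at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive query (default: A record, class IN)."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def rcode(msg):
    """Return the RCODE field from a DNS message header."""
    return DNS_HEADER.unpack_from(msg)[1] & 0x000F


def is_canary(name):
    """True for use-application-dns.net itself or any name beneath it."""
    name = name.lower().rstrip(".")
    return name == CANARY_DOMAIN or name.endswith("." + CANARY_DOMAIN)


def canary_nxdomain_response(query):
    """Return an NXDOMAIN reply if query asks for the canary domain, else None.

    None means the query is not ours and should go to the upstream resolver.
    """
    if len(query) < DNS_HEADER.size:
        return None
    txid, flags, qdcount, _, _, _ = DNS_HEADER.unpack_from(query)
    if flags & 0x8000 or qdcount != 1:  # a response, or not a single question
        return None
    qname, end = decode_name(query, DNS_HEADER.size)
    if not is_canary(qname):
        return None
    question = query[DNS_HEADER.size:end + 4]  # QNAME + QTYPE + QCLASS
    # QR=1, AA=1, RD copied from the query, RA=1, RCODE=3 (NXDOMAIN)
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080 | RCODE_NXDOMAIN
    return DNS_HEADER.pack(txid, resp_flags, 1, 0, 0, 0) + question


def serve(listen=("127.0.0.1", 5353), upstream=("192.0.2.53", 53)):
    """Small UDP front-end: answer canary queries locally, relay the rest.

    listen and upstream are placeholder values (assumption); point upstream
    at your real resolver. Runs until interrupted.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    relay = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    relay.settimeout(3)
    while True:
        data, client = sock.recvfrom(4096)
        try:
            reply = canary_nxdomain_response(data)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # malformed packet: drop it
        if reply is None:
            relay.sendto(data, upstream)
            try:
                reply, _ = relay.recvfrom(4096)
            except socket.timeout:
                continue
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

To verify a real resolver after you have configured it, send it a query for use-application-dns.net with any DNS client and confirm the reply carries RCODE 3; a resolver that forwards the name upstream will instead return the public record and Firefox will proceed with DoH.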
In the short term, you can block DoH at the firewall or gateway in a number of ways:
Going forward, we are looking into providing more automated ways to handle this in policy.