In Application usage report, DNS over HTTPS is classified as High Risk. Why? I would think HTTPS is always preferable. Is it because it imposes limitations on what the firewall can see and control?
Hello tscott_16 ,
Thank you for reaching out to the community. In DNS over HTTPS, the encrypted DNS traffic is not completely invisible to the network admins, which could be an issue. Whereas, in DNS over TLS, the network administrators cannot even see the encrypted DNS traffic.
Learn about its impact on Sophos web security products: https://support.sophos.com/support/s/article/KB-000039056?language=en_US
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
After the last round of browser updates for Chrome, Safari and Firefox, it seems they no longer fall back to regular DNS as stated in the article "Blocking DoH will generally cause browsers to fall back to use the regular system DNS". I have sites now that just fail with this policy turned on.
Regards,
Gary
I'm pretty sure it's working for me -- what OS is this on? Also, have the browsers (and perhaps even the device) been rebooted since you threw the switch? I had something similar happen with QUIC -- which is also supposed to fall back, but on some devices did not until I rebooted them. As if they made the decision on startup and not on a moment-by-moment basis, which makes sense I guess.
(I say "pretty sure it's working for me" in the sense that I'm not sure right now if I'm thinking of QUIC or not, rather than DoH.)
I have blocked DNS over TLS, which most of the Apple devices now use after the 13.3 update and its equivalents on iPadOS, iPhoneOS and AppleTVOS. They all seem to fall back to standard DNS without any apparent issues. My MBP uses Firefox for this site and Safari for all other access. Daily reports are not showing any blocked traffic though, but the log viewer does.
Ian
XG115W - v20.0.3 MR-3 - Home
XG on VM 8 - v21 GA
If a post solves your question please use the 'Verify Answer' button.
Thanks - it at least confirms what I am seeing is not unique. And most of mine that are doing a lot of DNS over HTTPS (TLS) are Apple products (MacBooks, iPhones and iPads) and are still falling back because sites are working. I am getting a lot of log entries. However, I have a couple of websites that are not working and I was troubleshooting one in particular and it would not fall back.
After finding two more sites where in Safari I get: Safari can't open the page <url> because Safari can't establish a secure connection to the server <url>.
In Chrome it gives: This site can't be reached. <url> unexpectedly closed the connection. ERR_CONNECTION_CLOSED
I then dug a little deeper.
I had added Google DNS as a 3rd level DNS as backup to my primary (Windows Server local) and secondary (ISP) DNS servers.
After removing Google as the 3rd option, I am no longer getting the errors and my sites are back to working. I guess the answer for me was to remove 8.8.8.8 from the list of DNS servers to eliminate the DoH.
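One way to triage the fallback behaviour discussed in this thread from firewall flow logs, as an added example (not Sophos code and not from any poster): it labels each flow as plain DNS, DoT (tcp/853) or suspected DoH (HTTPS to a configured public resolver such as 8.8.8.8), then reports per client whether a denied encrypted-DNS attempt was followed by allowed plain DNS. The log line format, the client addresses and the resolver 192.0.2.53 are constructed for the example.

```python
from collections import defaultdict

# Resolver IPs to which a browser/OS may auto-upgrade to DoH on tcp/443.
# 8.8.8.8 is the one named in the thread; extend this placeholder set for your resolvers.
# DoH to any other HTTPS endpoint looks like ordinary web traffic at the flow level,
# which is why a firewall needs application-level inspection to see it at all.
DOH_RESOLVERS = {"8.8.8.8"}


def parse_line(line):
    """Parse one constructed flow record: 'ts src dst proto dport action'."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "action": action}


def classify(rec):
    """Label a flow as plain DNS, DoT, suspected DoH, or other."""
    if rec["dport"] == 53:
        return "dns"
    if rec["proto"] == "tcp" and rec["dport"] == 853:
        return "dot"
    if rec["proto"] == "tcp" and rec["dport"] == 443 and rec["dst"] in DOH_RESOLVERS:
        return "doh?"
    return "other"


def fallback_report(lines):
    """Per client that had encrypted DNS denied: did allowed plain DNS follow afterwards?"""
    state = defaultdict(lambda: {"denied": None, "fallback": False})
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        kind, st = classify(rec), state[rec["src"]]
        if kind in ("dot", "doh?") and rec["action"] == "deny":
            st["denied"] = kind
        elif kind == "dns" and rec["action"] == "allow" and st["denied"]:
            st["fallback"] = True  # plain DNS seen after the denied attempt
    return {src: ("fell back to plain DNS" if st["fallback"]
                  else "no fallback seen, expect page failures")
            for src, st in state.items() if st["denied"]}


# Constructed sample log: one client falls back, one does not, one never tried encrypted DNS.
SAMPLE_LOG = [
    "100 10.0.0.11 192.0.2.53 tcp 853 deny",   # iPad tries DoT, blocked by policy
    "101 10.0.0.11 192.0.2.53 udp 53 allow",   # ...then falls back to plain DNS
    "102 10.0.0.12 8.8.8.8 tcp 443 deny",      # MacBook: HTTPS to Google resolver (DoH), blocked
    "104 10.0.0.13 192.0.2.53 udp 53 allow",   # client that only ever used plain DNS
]

if __name__ == "__main__":
    for client, verdict in fallback_report(SAMPLE_LOG).items():
        print(client, "->", verdict)
```

A client reported as "no fallback seen" is the one to check against the site failures described above, since its browser is still insisting on the encrypted resolver.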