Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 8 replies
  • Subscribers 43 subscribers
  • Views 5553 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Why is DNS over HTTPS classified as High Risk?

tscott_16

In Application usage report, DNS over HTTPS is classified as High Risk. Why? I would think HTTPS is always preferable. Is it because it imposes limitations on what the firewall can see and control?



This thread was automatically locked due to age.
Parents Reply
  • 0 in reply to Vivek Jagad

    After the last round of browser updates for Chrome, Safari and Firefox, it seems they no longer fall back to regular DNS as stated in the article "Blocking DoH will generally cause browsers to fall back to use the regular system DNS". I have sites now that just fail with this policy turned on.

    Regards,

    Gary

Children
  • 0 in reply to GaryChancellor

    I'm pretty sure it's working for me -- what OS is this on? Also, have the browsers (and perhaps even the deivce) been rebooted since you threw the switch? I had something similar happen with QUIC -- which is also supposed to fallback, but on some devices did not until I rebooted them. As if they made the decision on startup and not on a moment-by-moment basis, which makes sense I guess.

    (I say "pretty sure it's working for me" in the sense that I'm not sure right now if I'm thinking of QUIC or not, rather than DoH.

  • 0 in reply to Wayne Folta

    I have blocked DNS over TLS which most of the Apple devices now use after the update 13.3 and it equivalent ipdados, iphoneos and appletvOS. They all seem to fall back to standard DNS without any apparent issues. My  MBP uses firefox for this site and safari for al other access. Daily reports are not showing any blocked traffic thopugh, but logviewer does.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Thanks - it at least confirms what I am seeing is not unique. And most of mine that are doing a lot of DNS over HTTPS (TLS) are Apple products (MacBooks, iPhones and iPads) and are still falling back because sites are working. I am getting a lot of log entries. However, I have a couple of websites that are not working and I was troubleshooting one in particular and it would not fall back.

  • 0 in reply to rfcat_vk

    After finding two more sites that in Safari I get: Safari can't open the page <url> because Safari can't establish a secure connection to the server <url>. 
    In Chrome it gives: This site can't be reached. <url> unexpectedly closed the connection. ERR_CONNECTION_CLOSED


    I then dug a little deeper.


    I had added Google DNS as a 3rd level DNS as backup to my primary (Windows Server local) and secondary (ISP) DNS servers.
    After removing Google as the 3rd option, I am no longer getting the errors and my sites are back to working. I guess the answer for me was to remove the 8.8.8.8 from the list of DNS to eliminate the DOH.

  • 0 in reply to GaryChancellor

    I removed the Google and cloudflare IP4 and IPv6 DNS servers from the XG and the DNS over TLS stopped.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

Unfiltered HTML