

Why is DNS over HTTPS classified as High Risk?

In the Application usage report, DNS over HTTPS is classified as High Risk. Why? I would think HTTPS is always preferable. Is it because it imposes limitations on what the firewall can see and control?



  • I have blocked DNS over TLS, which most of the Apple devices now use after the 13.3 update and its equivalent iPadOS, iPhoneOS and Apple tvOS. They all seem to fall back to standard DNS without any apparent issues. My MBP uses Firefox for this site and Safari for all other access. Daily reports are not showing any blocked traffic though, but logviewer does.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks - it at least confirms what I am seeing is not unique. And most of mine that are doing a lot of DNS over HTTPS (TLS) are Apple products (MacBooks, iPhones and iPads) and are still falling back because sites are working. I am getting a lot of log entries. However, I have a couple of websites that are not working and I was troubleshooting one in particular and it would not fall back.

  • After finding two more sites where in Safari I get: Safari can't open the page <url> because Safari can't establish a secure connection to the server <url>.
    In Chrome it gives: This site can't be reached. <url> unexpectedly closed the connection. ERR_CONNECTION_CLOSED


    I then dug a little deeper.


    I had added Google DNS as a third-level DNS as a backup to my primary (Windows Server local) and secondary (ISP) DNS servers.
    After removing Google as the third option, I am no longer getting the errors and my sites are back to working. I guess the answer for me was to remove the 8.8.8.8 from the list of DNS servers to eliminate the DoH.

  • I removed the Google and Cloudflare IPv4 and IPv6 DNS servers from the XG and the DNS over TLS stopped.

    Ian

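The two findings above (Ian blocking DNS over TLS and watching clients fall back, and the errors disappearing once the Google and Cloudflare resolvers were removed from the XG's DNS list) can be checked from the firewall's own logs and configuration. The following is an added example, not code from this thread or from Sophos: it classifies connection records as plain DNS (port 53), DNS over TLS (TCP 853) or DNS over HTTPS (TCP 443 to a known resolver, with or without a matching TLS SNI), and audits a resolver list for public addresses that clients such as Chrome (through its DoH auto-upgrade table) map to an encrypted endpoint. The key=value log format, the function names and the sample lines are constructed for this example; only the resolver addresses and port assignments are real.

```python
"""Classify encrypted-DNS traffic from connection logs and audit a resolver list.

Added example, not code from the original thread or from Sophos. The log
format, helper names and sample data are constructed for this example;
only the resolver addresses (Google 8.8.8.8/8.8.4.4, Cloudflare
1.1.1.1/1.0.0.1 and their IPv6 counterparts) and the port assignments
(53 for plain DNS, 853 for DNS over TLS) are real.
"""
import ipaddress
import re
from collections import Counter

# Public resolvers that also answer DoT/DoH. Some clients (for example
# Chrome's DoH auto-upgrade) map these classic addresses to the vendor's
# encrypted endpoint, which is why handing them out as upstream resolvers
# can cause encrypted DNS to appear on the network.
ENCRYPTED_CAPABLE_RESOLVERS = {
    "8.8.8.8": "dns.google",
    "8.8.4.4": "dns.google",
    "2001:4860:4860::8888": "dns.google",
    "2001:4860:4860::8844": "dns.google",
    "1.1.1.1": "cloudflare-dns.com",
    "1.0.0.1": "cloudflare-dns.com",
    "2606:4700:4700::1111": "cloudflare-dns.com",
    "2606:4700:4700::1001": "cloudflare-dns.com",
}
DOH_HOSTNAMES = set(ENCRYPTED_CAPABLE_RESOLVERS.values())

# Constructed log line format (not the XG's own): space-separated key=value pairs.
LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(LINE_RE.findall(line))


def classify(rec):
    """Return 'dns', 'dot', 'doh', 'doh?' or None for one connection record."""
    proto = rec.get("proto", "").lower()
    port = int(rec.get("dport", 0))
    dst = rec.get("dst", "")
    sni = rec.get("sni", "").lower()
    if port == 53:
        return "dns"
    if port == 853 and proto == "tcp":
        return "dot"
    if port == 443 and proto == "tcp":
        if sni in DOH_HOSTNAMES:
            return "doh"
        if dst in ENCRYPTED_CAPABLE_RESOLVERS:
            return "doh?"  # HTTPS to a known resolver but no DoH hostname in the SNI
    return None


def summarize(lines):
    """Count classifications across log lines, keyed by (source IP, class)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec)
        if kind:
            counts[(rec.get("src", "?"), kind)] += 1
    return counts


def audit_resolvers(resolvers):
    """Return the configured resolvers a client may silently upgrade to DoT/DoH."""
    flagged = {}
    for r in resolvers:
        ip = str(ipaddress.ip_address(r))  # normalise; raises on a malformed entry
        if ip in ENCRYPTED_CAPABLE_RESOLVERS:
            flagged[ip] = ENCRYPTED_CAPABLE_RESOLVERS[ip]
    return flagged


# Constructed sample data (not taken from the thread).
SAMPLE_LOG = [
    "src=192.168.1.20 dst=192.168.1.2 proto=udp dport=53",
    "src=192.168.1.20 dst=8.8.8.8 proto=tcp dport=853",
    "src=192.168.1.31 dst=1.1.1.1 proto=tcp dport=853",
    "src=192.168.1.31 dst=8.8.8.8 proto=tcp dport=443 sni=dns.google",
    "src=192.168.1.31 dst=1.0.0.1 proto=tcp dport=443",
    "src=192.168.1.40 dst=198.51.100.10 proto=tcp dport=443 sni=example.com",
]
SAMPLE_RESOLVERS = ["192.168.1.2", "203.0.113.53", "8.8.8.8", "2606:4700:4700::1111"]

if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {kind:5} {n}")
    for ip, endpoint in audit_resolvers(SAMPLE_RESOLVERS).items():
        print(f"resolver {ip} may be upgraded by clients to {endpoint}")
```

The 'doh?' class is deliberately separate from 'doh': HTTPS to 8.8.8.8 or 1.0.0.1 without a DoH hostname in the SNI is strong but not conclusive evidence, since those addresses also serve ordinary web pages, so treat it as a lead to confirm in the log viewer rather than a hit to block on its own.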