Why is DNS over HTTPS classified as High Risk?

Hello tscott_16 ,

Thank you for reaching out to the community, because In DNS over HTTPS, the encrypted DNS traffic is not completely invisible to the network admins, which could be an issue. Whereas, in DNS over TLS, the network administrators cannot even see the encrypted DNS traffic.

Learn  its impact on Sophos web security products. - https://support.sophos.com/support/s/article/KB-000039056?language=en_US

After the last round of browser updates for Chrome, Safari and Firefox, it seems they no longer fall back to regular DNS as stated in the article "Blocking DoH will generally cause browsers to fall back to use the regular system DNS". I have sites now that just fail with this policy turned on.

Regards,

Gary

I'm pretty sure it's working for me -- what OS is this on? Also, have the browsers (and perhaps even the deivce) been rebooted since you threw the switch? I had something similar happen with QUIC -- which is also supposed to fallback, but on some devices did not until I rebooted them. As if they made the decision on startup and not on a moment-by-moment basis, which makes sense I guess.

(I say "pretty sure it's working for me" in the sense that I'm not sure right now if I'm thinking of QUIC or not, rather than DoH.

I have blocked DNS over TLS which most of the Apple devices now use after the update 13.3 and it equivalent ipdados, iphoneos and appletvOS. They all seem to fall back to standard DNS without any apparent issues. My  MBP uses firefox for this site and safari for al other access. Daily reports are not showing any blocked traffic thopugh, but logviewer does.

Ian

Thanks - it at least confirms what I am seeing is not unique. And most of mine that are doing a lot of DNS over HTTPS (TLS) are Apple products (MacBooks, iPhones and iPads) and are still falling back because sites are working. I am getting a lot of log entries. However, I have a couple of websites that are not working and I was troubleshooting one in particular and it would not fall back.

Thanks - it at least confirms what I am seeing is not unique. And most of mine that are doing a lot of DNS over HTTPS (TLS) are Apple products (MacBooks, iPhones and iPads) and are still falling back because sites are working. I am getting a lot of log entries. However, I have a couple of websites that are not working and I was troubleshooting one in particular and it would not fall back.