
DNS over TLS / HTTPS with TLS Inspection

Hello everyone,

Today the first occurrences of DNS over TLS showed up in one of our customer's logs. We have TLS Inspection rolled out at the company and are asking ourselves if the TLS Inspection also inspects DNS over TLS traffic and DNS over HTTPS traffic (if it's not blocked by the application filter anyway) or if we should just outright block the traffic.

For clarification: Normally we like the clients to first ask any local DNS servers, and if they are not available, we reroute DNS traffic to trusted servers with the help of the firewall, but as of now doing the same to DNS over TLS has not occurred to us.

I'm interested in your experiences of how you handle DoT / DoH at your company and am looking forward to your answers.

Kind regards,

Markus



  • It highly depends on the implementation of DNS on those devices. Oftentimes they are using certificates as well and check if somebody reroutes something - meaning, if you do something with this traffic, they will stop interacting with the traffic. 

    Blocking it, like we do with QUIC, helps to get plain DNS running but often throws errors. 

    DNS over TLS is a privacy feature for IoT devices or browsers - so you need to think about the use cases. Sometimes you need to simply allow it and check the devices (endpoints etc.) or, in terms of IoT, isolate those devices. 

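A way to spot DoT and DoH flows in firewall logs before deciding whether to block or allow them, added here as an example that is not from the thread or from Sophos: it assumes a hypothetical key=value log format, and the local resolver address, destination IPs and DoH host list are constructed placeholders.

```python
import re

# Constructed sample log lines (hypothetical key=value format, documentation IPs).
SAMPLE_LOGS = """\
proto=UDP src=10.0.1.23 dst=10.0.0.5 dport=53
proto=UDP src=10.0.1.23 dst=192.0.2.53 dport=53
proto=TCP src=10.0.1.44 dst=192.0.2.10 dport=853
proto=TCP src=10.0.1.44 dst=192.0.2.11 dport=443 sni=cloudflare-dns.com
proto=TCP src=10.0.1.50 dst=198.51.100.7 dport=443 sni=example.org
"""

# Placeholder for the site's own resolvers (the "local DNS servers" from the question).
LOCAL_DNS = {"10.0.0.5"}
# Illustrative DoH endpoints; a real deployment keeps its own maintained list.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "doh.opendns.com"}

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(LINE_RE.findall(line))


def classify(rec):
    """Label a flow: plain DNS (local or external), DoT (TCP/853), DoH (443 + SNI), other.
    DoH without a visible SNI (or to an unlisted host) is indistinguishable from
    ordinary HTTPS here, so this check is best-effort and under-counts DoH."""
    proto, dst, dport, sni = rec.get("proto"), rec.get("dst"), rec.get("dport"), rec.get("sni")
    if dport == "53":
        return "plain-dns-local" if dst in LOCAL_DNS else "plain-dns-external"
    if proto == "TCP" and dport == "853":
        return "dot"
    if dport == "443" and sni in DOH_HOSTS:
        return "doh"
    return "other"


def summarize(log_text):
    """Count flows per category so the mix of DoT/DoH vs. plain DNS is visible."""
    counts = {}
    for line in log_text.splitlines():
        kind = classify(parse(line))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

The "plain-dns-external" bucket shows clients bypassing the local resolvers, which is the traffic the question describes rerouting at the firewall.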

  • It is now used by most Apple devices unless you block it at the firewall. 

    Also, you cannot apply policies, e.g. block ads, while using SSL/TLS inspection.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP
