Does the DNS Protection support DNS over TLS and DNS over HTTPS?

Does (or will) DNS Protection support DNS over TLS and DNS over HTTPS?

Currently, I'm blocking both to try to force fallback to regular DNS. But I've considered using NAT to force each type of DNS to go to Sophos. (Not sure that SFOS supports encrypted DNS, otherwise I guess we could map all DNS to the firewall itself.

Any thoughts or suggestions?

Parents
  • At the moment, DNS over TLS and DNS over HTTPS are not supported, although it is high up on our to-do list after the GA release.

    Using NAT works OK as a way to capture 'classic' DNS traffic, as you can set up a rule that applies to all port 53 traffic. It may also work for DNS over TLS, as that protocol uses a dedicated port, but will not be great for DNS over HTTPS as it shares a port with regular DNS traffic. Keeping tabs on all potential destination IP addresses is more of a challenge.

Reply
  • At the moment, DNS over TLS and DNS over HTTPS are not supported, although it is high up on our to-do list after the GA release.

    Using NAT works OK as a way to capture 'classic' DNS traffic, as you can set up a rule that applies to all port 53 traffic. It may also work for DNS over TLS, as that protocol uses a dedicated port, but will not be great for DNS over HTTPS as it shares a port with regular DNS traffic. Keeping tabs on all potential destination IP addresses is more of a challenge.

Children