Blocking DoH (DNS over HTTPs) & DoT (DNS over TLS)?

**chmcwill** · 08-26-2020, 07:32 PM

Maybe I'll get some flack for this but the whole point of using Untangle is to manage internet connectivity which includes managing what is accessed over the company internet using company equipment. So with the introduction of DoH and DoT coming rapidly with us already starting to see a lot of traffic to chrome.cloduflare-dns.com, etc. we are now needing to block this traffic so all DNS goes through Untangle and not bypassing Untangle. I know that DoT should be easy with simply blocking Port 853 but anyone got some good ideas or references on doing something similar with DoH?

**Jim.Alles** · 08-26-2020, 07:54 PM

flack?

I have been doing some hand-wringing for a while around here.
https://forums.untangle.com/off-topic/43131-dns-hijacking.html

Things have seemed to go more sanely than I expected since last fall. I want to continue the discussion, but not tonight.

I can tell you for a quick fix, that the Web Filter App. categorizes doh.opendns.com as "Proxy Avoidance and Anonymizers".
You might need to do some more research.

Another tip is that there will always be a FQDN associated with any DoH service (due to the HTTPS part).
There is a list of those somewhere on the Interwebs.
(It is also ironic that you need normal plain-vanilla DNS to resolve that).

**sky-knight** · 08-26-2020, 11:17 PM

I've found Threat Prevention has done a decent job of catching DoH. I haven't mucked with DoT much yet.

**chmcwill** · 08-26-2020, 11:49 PM

Haven't looked at that yet, I see it's not a Free app but I don't see it listed under the Individual Apps to purchase - is it only included with the Complete Package?

**sky-knight** · 08-26-2020, 11:58 PM

Yes, for now... and I'm not entirely sure why.

**delonm** · 08-27-2020, 11:26 AM

Originally Posted by sky-knight

I've found Threat Prevention has done a decent job of catching DoH. I haven't mucked with DoT much yet.

I can confirm that it definitely catches Google DoH. I only recently installed Untangle so I am watching my reporting with more diligence than I likely will be doing in another month. I was shocked to see over 400 blocked events in the Threat Prevent report. Upon investigation, it turned out to be the Chrome browser on my desktop reaching out to dns.google.com via HTTPS. I had no idea how that even got enabled on my browser as I was under the impression it was "opt-in" on Chrome.

I was impressed that the default install of Threat Prevention caught that. I immediately went to the Untangle store to license the feature (I am still in the eval license period) and was disappointed to see it only comes bundled with the Complete version. No standalone license available.

Fun stuff.

David

**sky-knight** · 08-27-2020, 11:51 AM

It's containing my Firefox's insistence of using Cloudflare as well. Both browsers use DoH by default now.

**JasonJoel** · 08-27-2020, 12:39 PM

Didn't know it would do that. Neat.

But alas I'm just a Luddite home user and can't have Threat Prevention.

Thread: Blocking DoH (DNS over HTTPs) & DoT (DNS over TLS)?

LinkBack

Thread Tools

Blocking DoH (DNS over HTTPs) & DoT (DNS over TLS)?

Posting Permissions