Going Dark 2.0 ?
#6
(12-27-2019, 07:50 AM)fChk Wrote: What is DoH?
DNS over HTTPS (DoH) is a new RFC (RFC 8484) from the IETF, published in October 2018, that "gives web applications access to DNS information via existing browser APIs." And, by doing that, they are short-circuiting the operating system's hegemony/control over DNS functionality, thus creating another headache for the corporate security folks in their efforts to enforce the corporation's policy in the workplace (I've read somewhere on the Web someone calling Firefox a 'rogue application' for daring to implement DoH :-) .)

It's interesting to read a blog post from infoblox.com, a cybersecurity website, entitled "DoT, DoH and the DNS “Last Mile” Security Problem", where they question the suitability of DoH on enterprise networks.
Quote:We don’t question the motives of the developers of DoH: One of their goals was to help safeguard web browsing on parts of the Internet where snooping on DNS traffic and manipulating DNS responses is routine. But we question its suitability for use on enterprise networks.

Infoblox Implementation Recommendations for DoT and DoH
Infoblox’s recommendation is that companies block direct DNS traffic—including DoT and DoH—between internal IP addresses and DNS servers on the Internet, including Cloudflare’s. This approach should force users to employ their company’s internal DNS infrastructure, allowing their IT organization to apply DNS resolution policy and troubleshoot problems.

DoT, as we already said in the previous post, is easy to block by shutting down port 853, but DoH is a bit trickier (as we already said too). And here is their solution:
# Block DoH to Cloudflare
deny tcp/udp in/out to 104.16.111.25 on port 443
deny tcp/udp in/out to 104.16.112.25 on port 443
deny tcp/udp in/out to 2606:4700::6810:7019 on port 443
deny tcp/udp in/out to 2606:4700::6810:6f19 on port 443

# Block DoH to Google Public DNS
deny tcp/udp in/out to 8.8.8.8 on port 443
deny tcp/udp in/out to 8.8.4.4 on port 443
deny tcp/udp in/out to 2001:4860:4860::8888 on port 443
deny tcp/udp in/out to 2001:4860:4860::8844 on port 443
Barring access to Cloudflare and Google public DNS resolvers on TCP/443 and UDP/443 is the plan they came up with. Brilliant!.. But wait!.. What about all the other freely available DoH services?.. Ok!.. They will also add them to the list one by one later on. Sounds like a done deal, right?..

It would seem so, until we realize that it's easy to set up your own DoH server [1]; then it simply becomes mission impossible for our enterprise IT security folks.

Just for the record: I'm not suggesting that circumventing DNS infrastructure in an enterprise environment is a good thing, especially when you have consented to stick to its internal rules and regulations. The point that I'm making is how desperate the situation is for those IT security teams facing the DoH challenge.

@'Hidden Refuge' did bring up some folks' attempts at singling out DNS traffic over 443 in his 'DNS-over-HTTPS (DoH) can be easily detected and blocked' thread, but I do think they won't get past the proof-of-concept stage... But we'll see, who knows?

--------
[1]- A how-to on setting up a DoH server is on my list of upcoming threads here (unless someone else writes it in the meantime).
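Added example (not part of the post above, nor Infoblox's or Mozilla's code): the RFC 8484 wire format the whole argument turns on. The DNS query is packed into ordinary DNS wire format, base64url-encoded with padding stripped, and sent as the `dns=` parameter of an HTTPS GET (RFC 8484 section 4.1); the answer comes back as `application/dns-message`. Everything that identifies it as DNS (the URI path, the Content-Type, the message body) sits inside TLS, so a port-443 IP blocklist of the kind quoted above only ever sees the destination address. The resolver URL `https://doh.example/dns-query` and the response bytes are constructed here for illustration; nothing is sent on the wire.

```python
"""Build an RFC 8484 DoH GET URL and decode a DoH response body (added example)."""
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 section 6

# Hypothetical resolver endpoint used only to show the URL shape.
RESOLVER_BASE = "https://doh.example/dns-query"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS query in wire format (RFC 1035 section 4.1).

    ID is fixed to 0 as RFC 8484 section 4.1 recommends for GET, so identical
    questions yield identical URLs that HTTP caches can reuse.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(resolver_base: str, name: str, qtype: int = 1) -> str:
    """Return the DoH GET URL: base64url (RFC 4648 section 5), '=' padding removed."""
    wire = build_dns_query(name, qtype)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_base}?dns={b64}"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a possibly compressed domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_a_records(response: bytes) -> list:
    """Extract IPv4 answers from an application/dns-message response body."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F:  # RCODE other than NOERROR: nothing usable
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(response, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return addrs


def sample_response() -> bytes:
    """Constructed response (not a capture): example.com A -> 192.0.2.1 (TEST-NET-1).

    The answer's owner name is a compression pointer (0xC00C) back to the question.
    """
    question = build_dns_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    print("GET", doh_get_url(RESOLVER_BASE, "example.com"))
    print("Accept:", DOH_CONTENT_TYPE)
    print("Answers:", parse_a_records(sample_response()))
```

The URL is all a middlebox would see if it could look inside the TLS session, and it cannot without interception; at the IP layer the request is indistinguishable from any other HTTPS GET to that host, which is why the Infoblox approach has to enumerate resolver addresses and why a self-hosted resolver on an unlisted address slips through.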


Messages In This Thread
Going Dark 2.0 ? - by fChk - 12-21-2019, 08:08 AM
RE: Going Dark 2.0 ? - by deanhills - 12-21-2019, 09:16 AM
RE: Going Dark 2.0 ? - by fChk - 12-21-2019, 02:58 PM
RE: Going Dark 2.0 ? - by humanpuff69 - 12-21-2019, 03:34 PM
RE: Going Dark 2.0 ? - by fChk - 12-27-2019, 07:50 AM
RE: Going Dark 2.0 ? - by fChk - 12-31-2019, 07:29 AM
RE: Going Dark 2.0 ? - by fChk - 02-04-2020, 04:09 PM
RE: Going Dark 2.0 ? - by humanpuff69 - 02-15-2020, 11:25 AM
RE: Going Dark 2.0 ? - by fChk - 02-15-2020, 02:15 PM
