How to block DoH with BlueCat’s new threat feed option

DNS over HTTPS (DoH) is a method of encrypting DNS queries which has gained a lot of traction recently.  In February 2020, DoH was added as a default setting in the Firefox browser.  Now ordinary users are jumping on the bandwagon – when everyone started working from home, we noticed a 1500% increase of DoH domain queries across our customer base.  That dramatic surge in DoH usage continues to this day.

Opinions vary on the benefits of DoH, but one thing’s for sure: it reduces the visibility of network and security administrators to zero. If you’re charged with protecting a corporate network, you’re probably going to want to prevent users from accessing DoH services across the enterprise.

If you’re using a centralized DNS management platform like BlueCat, it’s easy to block DoH by adding known DoH resolvers to a response policy zone (RPZ).  The longer-term challenge is adding any new DoH services that appear in the future to that block list.

So we decided to make it easy by creating a new threat feed specifically for known DoH resolvers.  To disable DoH across the enterprise, all you have to do is enable this threat feed in either DNS Edge or DNS Integrity, and you’ll be all set.  We’ll keep an eye out for any new DoH resolvers and add them to the threat feed, keeping you covered even as DoH usage evolves.
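To make the RPZ mechanism behind the feed concrete, here is an added example (not BlueCat’s code, and not what DNS Integrity or DNS Edge run internally). It renders a block list of DoH resolver hostnames as an RPZ zone in BIND zone-file syntax, simulates the resolver’s RPZ lookup for a query name, and runs that same check over a few query-log lines to show which clients would be affected once the feed is enabled. The resolver list and the log lines are constructed samples; the real feed’s contents are not on this page.

```python
"""Added example (not BlueCat's code): how an RPZ block list for DoH
resolvers works, and a check of query logs against the same list.
The resolver names and log lines below are constructed samples."""
import re

# Constructed stand-in for the DoH resolver feed. These are well-known
# public DoH endpoints; the real feed's contents are not on the page.
DOH_RESOLVERS = [
    "dns.google",
    "cloudflare-dns.com",
    "dns.quad9.net",
]

# Constructed BIND-style query log lines (older "client IP#port: query:" form).
LOG_LINES = [
    "client 10.0.0.5#53211: query: dns.google IN A + (10.0.0.1)",
    "client 10.0.0.7#40021: query: www.example.com IN A + (10.0.0.1)",
    "client 10.0.0.9#51500: query: mozilla.cloudflare-dns.com IN AAAA + (10.0.0.1)",
    "client 10.0.0.9#51501: query: cloudflare.com IN A + (10.0.0.1)",
]

_QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?([\d.]+)#\d+.*?: query: (\S+) IN")


def normalize(name):
    """Lower-case and drop the trailing dot so 'DNS.Google.' and 'dns.google' match."""
    return name.strip(".").lower()


def build_rpz_zone(names, origin="doh-block.rpz.", serial=1):
    """Render an RPZ zone in BIND zone-file syntax.

    In RPZ, a record whose target is `CNAME .` tells the resolver to answer
    NXDOMAIN for that name; the `*.name` entry extends the rule to every
    subdomain (e.g. mozilla.cloudflare-dns.com under cloudflare-dns.com).
    """
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 60",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 60",
        "@ IN NS localhost.",
    ]
    for name in sorted({normalize(n) for n in names}):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


def rpz_action(qname, blocked):
    """Simulate the resolver's RPZ lookup for one query name.

    Walk from the full name up through its parents; a hit on any level is
    exactly what the wildcard entry in the zone would match.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return "NXDOMAIN"
    return "PASSTHRU"


def find_doh_queries(log_lines, blocked):
    """Return (client, qname) pairs for queries the RPZ would block.

    Run this over existing query logs before enabling the feed to see which
    clients already talk to DoH resolvers.
    """
    hits = []
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if m and rpz_action(m.group(2), blocked) == "NXDOMAIN":
            hits.append((m.group(1), normalize(m.group(2))))
    return hits


if __name__ == "__main__":
    blocked = {normalize(n) for n in DOH_RESOLVERS}
    print(build_rpz_zone(DOH_RESOLVERS))
    for client, qname in find_doh_queries(LOG_LINES, blocked):
        print(f"{client} queried DoH resolver {qname}")
```

One caveat worth keeping in mind when relying on a name-based block: the RPZ only acts on clients that still resolve the DoH endpoint’s hostname through the enterprise resolver. A client configured with the resolver’s IP address directly never sends that lookup, so the feed is best paired with egress controls on the firewall.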

How to deploy the DoH threat feed in DNS Integrity

  • Log in to BlueCat Address Manager.
  • Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you’re on the configuration information page.
  • Under DNS Views, click a DNS View, then the Response Policy Zones sub tab.
  • Under Response Policy Zones, click New and select Response Policy Zone.
  • Under General, add the name of the response policy zone.
  • Under Type, select the “BlueCat Threat Protection DoH Public Servers” option and apply other deployment parameters as desired.
  • Click Update.

How to deploy the DoH threat feed in DNS Edge

  • Log in to the DNS Edge user interface.
  • In the top navigation bar, select Policies.
  • Select an existing policy that uses the BlueCat Threat Protection domain list, and click Edit.
  • Select the BlueCat Threat Protection DoH Public Servers option.
  • Click Save and Apply.

Our care portal contains more information about DoH threat feed options, including detailed technical notes.

Learn more about the pros and cons of DoH in a webinar with BlueCat’s Chief Strategy Officer Andrew Wertkin.
