by Paul Adair, Principal Product Manager at Infoblox
Over the last month, both Chromium and the Mozilla Foundation have made significant announcements regarding their go-live plans for DNS over HTTPS (DoH) support in their respective browsers. The good news is that both groups have been specific about the options network operators have to control these new settings. This blog post will help you understand the impact on your organization and how to maintain control of your users' browsing experience.
Why does this matter?
Whether they are on a corporate network, guest Wi-Fi, or a service provider network, users are often assisted by custom DNS solutions. These solutions can protect users from malicious actors, provide access to local services reliably, and block content that is objectionable to the user and network operator. Unintentionally bypassing these solutions may subject users to unexpected risk, break mission-critical applications, or slow down the user experience.
Chromium has posted their design document for DoH publicly here; it will affect all browsers based on the Chromium project, of which Google Chrome, Microsoft Edge, and Opera are some of the most common. Much like their implementation of DNS over TLS (DoT) in Android Pie, they are planning to default to an automatic mode that probes the operating system's configured resolvers against a supported list for DoH availability, and uses the configured resolver over DoH only if it is available. They also plan to observe the DoT settings in Android and behave in a controllable and predictable manner. As DoT support within operating systems continues to mature, we hope to see similar behavior from other major operating systems like Windows, Mac OS X and major Linux distributions.
For most Infoblox customers, Chromium’s changes may not obligate you to make any immediate changes to your resolver or network.
You should read the Mozilla Foundation's announcement here. As you can see from their post, they are taking multiple steps to detect and disable the use of DoH when they deem it necessary. Unfortunately, these methods are not yet proven and may not fit all situations. Some enterprises may not have full control over the browsers installed in their organization. BYOD, work from home, and other policies can also limit an enterprise's ability to control the browser settings for 100% of users. Similarly, service providers have even less influence over the devices on their network.
For Infoblox customers that wish to block unintentional use of Firefox's new DoH functionality (since it would redirect queries away from the user's preferred DNS), we recommend that you implement the following changes to your network:
- Create a local Response Policy Zone (RPZ) rule for use-application-dns.net with a policy of Block (No Such Domain), so that Firefox's canary lookup receives an NXDOMAIN answer.
- Enterprises that use group policy or similar tools should implement Firefox enterprise policy.
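To verify that the RPZ rule above actually answers the canary domain with NXDOMAIN, here is a small added check in Python (example code written for this post, not part of Infoblox's products). It builds the DNS query in wire format and inspects the RCODE of the reply; the two sample responses are constructed inline, and `query_resolver` (which sends to UDP port 53 of a resolver you name) is assumed to be the only part that needs network access.

```python
import socket
import struct

CANARY = "use-application-dns.net"   # Firefox's DoH canary domain
RCODE_NXDOMAIN = 3                   # "Block (No Such Domain)" in RPZ terms


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query (RD set) for name in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_rcode(resp: bytes) -> int:
    """Return the RCODE (low 4 bits of the flags word) of a DNS response."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:               # QR bit must be set on a response
        raise ValueError("packet is a query, not a response")
    return flags & 0x000F


def canary_disables_doh(resp: bytes) -> bool:
    """True when the resolver answered the canary with NXDOMAIN (RPZ rule active)."""
    return parse_rcode(resp) == RCODE_NXDOMAIN


def query_resolver(server: str, name: str = CANARY, timeout: float = 2.0) -> bytes:
    """Send the canary query over UDP to the resolver under test (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        return sock.recvfrom(512)[0]


# Constructed sample: what an RPZ "Block (No Such Domain)" rule returns.
# Flags 0x8183 = QR + RD + RA + RCODE 3 (NXDOMAIN); question copied from the query.
SAMPLE_NXDOMAIN = (struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
                   + build_query(CANARY)[12:])
# Constructed sample: an unfiltered resolver answering NOERROR with one A record
# (name pointer 0xC00C, TYPE A, CLASS IN, TTL 300, RDLENGTH 4, 192.0.2.1).
SAMPLE_NOERROR = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                  + build_query(CANARY)[12:]
                  + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    for label, pkt in (("rpz-filtered", SAMPLE_NXDOMAIN), ("unfiltered", SAMPLE_NOERROR)):
        print(label, "-> DoH disabled" if canary_disables_doh(pkt) else "-> DoH stays enabled")
```

Point `query_resolver` at each of your recursive resolvers and pass the reply to `canary_disables_doh`; a resolver that still returns NOERROR with an address has not picked up the RPZ rule.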
In addition to the Chromium- and Mozilla-specific recommendations, you should review Cricket's previous thoughts on firewalling unauthorized DNS services in his earlier blog post.
If you do choose to follow this route, there is a regularly updated list posted here.
Implementing additional protections against DNS misuse should be considered by all network operators. We hope this article has helped inform your policy updates. At Infoblox, we feel that DNS over TLS is a better choice for the vast majority of users, and is more compatible with the security best practices that Enterprise and Service Provider organizations follow.
If you want to influence how these browsers are configured and encourage proper adoption of encrypted DNS protocols, we encourage you to join us and others in the Encrypted DNS Deployment Initiative at encrypted-dns.org.