How to block DoH with BlueCat’s threat feed option

The use of DNS over HTTPS (DoH) is surging. That’s bad news for security admins. If you’re looking to block DOH, BlueCat’s threat feed makes it easy.

DNS over HTTPS (DoH) is a method of encrypting DNS queries that has gained a lot of traction recently. In February 2020, DoH was added as a default setting in the Firefox browser.

Now ordinary users are jumping on the bandwagon. When the pandemic left everyone working from home, BlueCat noticed a 1,500% increase in DoH domain queries across its customer base. That dramatic surge in DoH usage continues to this day.

Opinions vary on the benefits of DoH, but one thing’s for sure: It reduces the visibility of network and security administrators to zero. If you’re charged with protecting a corporate network, you’re probably going to want to prevent users from accessing DoH services across the enterprise.

If you’re using a centralized DNS management platform like BlueCat, it’s easy to block DoH by adding known DoH resolvers to a response policy zone (RPZ). The longer-term challenge is adding any new DoH services that appear in the future to that block list.

BlueCat has made it easy by creating a new threat feed specifically for known DoH resolvers. BlueCat has long used threat feeds to bolster defense-in-depth. To disable DoH across the enterprise, all you have to do is enable this threat feed for DoH in either DNS Edge or DNS Integrity, and you’ll be all set. 

How to deploy the DoH threat feed in DNS Integrity

  1. Log into BlueCat Address Manager.
  2. Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you’re on the configuration information page.
  3. Under DNS Views, click a DNS View and then the Response Policy Zones sub-tab.
  4. Under Response Policy Zones, click New and select Response Policy Zone.
  5. Under General, add the name of the response policy zone.
  6. Under Type, select the “BlueCat Threat Protection DoH Public Servers” option and apply other deployment parameters as desired.
  7. Click update.

How to deploy the DoH threat feed in DNS Edge

  1. Log into the DNS Edge user interface.
  2. In the top navigation bar, select Policies.
  3. Select an existing policy that uses the BlueCat Threat Protection domain list, and click Edit.
  4. Select the BlueCat Threat Protection DoH Public Servers option.
  5. Click save and apply.

BlueCat is keeping an eye out for any new DoH resolvers and adding them to the threat feed. As a result, you’re covered even as DoH usage evolves.

Our care portal contains more information about DoH threat feed options, including detailed technical notes. You can also learn more about the pros and cons of DoH in a webinar with BlueCat’s Chief Strategy Officer Andrew Wertkin.

Heading into the cloud?

See how your network can thrive in the complexity of the cloud.

Find answers to all your cloud-related questions.

Access cloud resources

Read more

Cloud Webinar Series: Part 2

Regain control of DDI infrastructure and accelerate delivery of critical DNS services to cloud teams.

Read more
Yes, you can optimize DNS routing for global SaaS use

Routing DNS for SaaS can lead to latency, non-local results, and messy internet breakouts. With BlueCat, optimize SaaS delivery and gain full DNS control.

Read more
Yes, you can tame hybrid cloud DNS traffic jams

Admins often use messy conditional forwarding DNS rules to fill hybrid cloud gaps. With BlueCat, automate and gain control over your data pathways.

Read more
Yes, networking can extend DNS control into the cloud

When cloud and on-premises DNS are separate, enterprise-wide control is out of reach. Learn how BlueCat can provide a single source of truth for DNS.

Read more

Products and Services

From Core Network Services to multicloud management, BlueCat has everything you need to build the network you need.

Learn more