How to block DoH with BlueCat’s new threat feed option

DNS over HTTPS (DoH) is a method of encrypting DNS queries that has gained a lot of traction recently. In February 2020, Firefox began enabling DoH by default. Now ordinary users are jumping on the bandwagon: when everyone started working from home, we noticed a 1500% increase in queries for DoH resolver domains across our customer base. That dramatic surge in DoH usage continues to this day.

Opinions vary on the benefits of DoH, but one thing is certain: because DoH queries travel inside ordinary HTTPS connections to a third-party resolver, they bypass the enterprise resolver entirely, and network and security administrators lose their DNS-based visibility into, and control over, those queries. If you are charged with protecting a corporate network, you will probably want to prevent users from reaching DoH services across the enterprise.

If you’re using a centralized DNS management platform like BlueCat, it’s easy to block DoH by adding the hostnames of known DoH resolvers to a response policy zone (RPZ). A browser still has to resolve a name such as dns.google or mozilla.cloudflare-dns.com through the enterprise resolver before it can speak DoH to it, so an RPZ that returns NXDOMAIN for those names stops the connection before it starts. (A client configured with a resolver’s IP address rather than its hostname never performs that lookup, so an RPZ alone will not stop it; that case needs egress filtering.) The longer-term challenge is keeping up: any new DoH service that appears in the future has to be added to the block list as well.

So we decided to make it easy by creating a new threat feed specifically for known DoH resolvers.  To disable DoH across the enterprise, all you have to do is enable this threat feed in either DNS Edge or DNS Integrity, and you’ll be all set.  We’ll keep an eye out for any new DoH resolvers and add them to the threat feed, keeping you covered even as DoH usage evolves.
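To make concrete what the RPZ behind such a feed actually does, here is an added example (not BlueCat’s code and not the threat feed itself) that renders a BIND-style response policy zone from a short hand-written list of public DoH resolver hostnames, matches query names against it the way RPZ QNAME triggers are matched, and scans a few constructed resolver query-log lines to find clients that tried to reach a DoH resolver. The zone origin, the resolver list and the log lines are assumptions made for the example; a real feed is longer and changes over time. It also adds Firefox’s canary domain, use-application-dns.net, which Firefox looks up before turning on DoH by default: an NXDOMAIN answer tells it to stay off (this does not override a user who enabled DoH manually).

```python
"""Added example, not BlueCat's code: build a DoH-blocking RPZ, match query
names against it, and audit a query log for DoH attempts.
Assumptions: hand-written resolver list (stand-in for a feed), constructed
zone origin and constructed query-log lines.
"""
import re

# Hand-written stand-in for a DoH resolver feed (public, documented endpoints).
DOH_RESOLVERS = [
    "dns.google",
    "cloudflare-dns.com",
    "dns.quad9.net",
]

# Firefox's DoH canary domain: NXDOMAIN here keeps default-on DoH disabled.
CANARY_DOMAIN = "use-application-dns.net"

# RPZ encodes the policy action in the CNAME target of the trigger record.
RPZ_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


def build_rpz_zone(origin: str, resolvers, ttl: int = 60) -> str:
    """Render a BIND-style RPZ returning NXDOMAIN for each resolver name and
    for every name beneath it (e.g. mozilla.cloudflare-dns.com)."""
    lines = [
        f"$ORIGIN {origin}.",
        f"$TTL {ttl}",
        "@ IN SOA localhost. hostmaster.localhost. (1 3600 600 86400 60)",
        "@ IN NS localhost.",
        f"{CANARY_DOMAIN} CNAME .",        # Firefox canary -> NXDOMAIN
    ]
    for host in resolvers:
        lines.append(f"{host} CNAME .")    # QNAME trigger -> NXDOMAIN
        lines.append(f"*.{host} CNAME .")  # and every label under it
    return "\n".join(lines) + "\n"


def parse_rpz_triggers(zone_text: str) -> dict:
    """Map each trigger name (relative to the zone origin) to its CNAME target,
    skipping $-directives and the apex SOA/NS records."""
    triggers = {}
    for raw in zone_text.splitlines():
        m = re.match(r"^([^\s$@]\S*)\s+(?:IN\s+)?CNAME\s+(\S+)\s*$", raw.strip())
        if m:
            triggers[m.group(1).lower()] = m.group(2)
    return triggers


def rpz_action(qname: str, triggers: dict):
    """Policy action for qname, or None when nothing matches. An exact trigger
    beats a wildcard; among wildcards the closest (longest) one wins, which is
    how RPZ QNAME matching behaves. Label boundaries are respected, so
    notdns.google does not match dns.google."""
    name = qname.lower().rstrip(".")
    if name in triggers:
        return RPZ_ACTIONS.get(triggers[name], triggers[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in triggers:
            return RPZ_ACTIONS.get(triggers[wild], triggers[wild])
    return None


# Constructed query-log lines in BIND querylog shape (not real traffic).
SAMPLE_QUERY_LOG = """\
05-May-2020 09:12:01.113 client 10.20.30.41#51522 (dns.google): query: dns.google IN A + (10.0.0.53)
05-May-2020 09:12:01.540 client 10.20.30.41#51523 (www.example.com): query: www.example.com IN A + (10.0.0.53)
05-May-2020 09:12:02.002 client 10.20.30.77#40211 (mozilla.cloudflare-dns.com): query: mozilla.cloudflare-dns.com IN A + (10.0.0.53)
05-May-2020 09:12:02.310 client 10.20.30.90#40300 (dns.quad9.net): query: dns.quad9.net IN HTTPS + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def doh_attempts(log_text: str, triggers: dict):
    """Return (client, qname, action) for each logged query the RPZ would
    rewrite: these are the hosts whose browser or OS is trying to use DoH."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        action = rpz_action(m["qname"], triggers)
        if action:
            hits.append((m["client"], m["qname"], action))
    return hits


if __name__ == "__main__":
    zone = build_rpz_zone("doh-block.rpz", DOH_RESOLVERS)
    print(zone)
    triggers = parse_rpz_triggers(zone)
    for client, qname, action in doh_attempts(SAMPLE_QUERY_LOG, triggers):
        print(f"{client} asked for {qname} -> {action}")
```

The audit step is worth running before you turn the feed on: it tells you which hosts will start seeing NXDOMAIN for their DoH resolver, so you can check whether that is a browser setting or something that will break.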

How to deploy the DoH threat feed in DNS Integrity

  • Log in to BlueCat Address Manager
  • Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you’re on the configuration information page
  • Under DNS Views, click a DNS View then the Response Policy Zones sub tab
  • Under Response Policy Zones, click New and select Response Policy Zone
  • Under General, add the name of the response policy zone
  • Under Type, select the “BlueCat Threat Protection DoH Public Servers” option and apply other deployment parameters as desired
  • Click Update

How to deploy the DoH threat feed in DNS Edge

  • Log in to the DNS Edge user interface.
  • In the top navigation bar, select Policies.
  • Select an existing policy that uses the BlueCat Threat Protection domain list, and click Edit.
  • Select the BlueCat Threat Protection DoH Public Servers option.
  • Click Save and Apply.

Our care portal contains more information about DoH threat feed options, including detailed technical notes.

Learn more about the pros and cons of DoH in a webinar with BlueCat’s Chief Strategy Officer Andrew Wertkin.
