How to block DoH with BlueCat’s new threat feed option

BY Ben Ball

DNS over HTTPS (DoH) is a method of encrypting DNS queries which has gained a lot of traction recently. In February 2020, DoH was added as a default setting in the Firefox browser. Now ordinary users are jumping on the bandwagon – when everyone started working from home, we noticed a 1500% increase in DoH domain queries across our customer base. That dramatic surge in DoH usage continues to this day.

Opinions vary on the benefits of DoH, but one thing’s for sure: it reduces the visibility of network and security administrators to zero. If you’re charged with protecting a corporate network, you’re probably going to want to prevent users from accessing DoH services across the enterprise.

If you’re using a centralized DNS management platform like BlueCat, it’s easy to block DoH by adding known DoH resolvers to a response policy zone (RPZ).  The longer-term challenge is adding any new DoH services that appear in the future to that block list.
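As an added illustration (not BlueCat's code and not the threat feed itself), the Python below builds a minimal RPZ that returns NXDOMAIN for a constructed sample of DoH resolver hostnames and checks query names against it the way an RPZ QNAME trigger (exact name plus wildcard subdomains) would. The hostnames and zone name are assumed examples, not the feed's contents.

```python
"""Build a BIND-style response policy zone (RPZ) that returns NXDOMAIN for
known DoH resolver hostnames, then evaluate query names against it."""

# Constructed sample of public DoH resolver hostnames (assumption: a feed
# would carry names like these; BlueCat's actual list is not reproduced here).
DOH_RESOLVERS = [
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
]


def build_rpz_zone(resolvers, zone="doh-block.rpz"):
    """Return zone-file text; each name and its subdomains map to 'CNAME .',
    which RPZ interprets as 'answer NXDOMAIN'."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.%s. 1 3600 600 86400 300" % zone,
        "@ IN NS localhost.",
    ]
    for name in sorted({r.strip().rstrip(".").lower() for r in resolvers}):
        lines.append("%s IN CNAME ." % name)       # exact QNAME trigger
        lines.append("*.%s IN CNAME ." % name)     # any subdomain of it
    return "\n".join(lines) + "\n"


def parse_rpz_triggers(zone_text):
    """Collect the exact and wildcard QNAME triggers from RPZ zone text."""
    exact, wild = set(), set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:] == ["IN", "CNAME", "."]:
            if parts[0].startswith("*."):
                wild.add(parts[0][2:])
            else:
                exact.add(parts[0])
    return exact, wild


def is_blocked(qname, triggers):
    """RPZ QNAME matching: exact names, or any name under a wildcard entry."""
    exact, wild = triggers
    q = qname.rstrip(".").lower()
    if q in exact:
        return True
    labels = q.split(".")
    # walk the parent domains: a.b.c -> b.c -> c
    return any(".".join(labels[i:]) in wild for i in range(1, len(labels)))
```

Blocking the resolver's hostname in DNS only affects clients that look that name up through the enterprise resolver; a client configured with a DoH server's IP address directly needs an egress firewall rule as well.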

So we decided to make it easy by creating a new threat feed specifically for known DoH resolvers.  To disable DoH across the enterprise, all you have to do is enable this threat feed in either DNS Edge or DNS Integrity, and you’ll be all set.  We’ll keep an eye out for any new DoH resolvers and add them to the threat feed, keeping you covered even as DoH usage evolves.

How to deploy the DoH threat feed in DNS Integrity

  • Log in to BlueCat Address Manager
  • Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you’re on the configuration information page
  • Under DNS Views, click a DNS View then the Response Policy Zones sub tab
  • Under Response Policy Zones, click New and select Response Policy Zone
  • Under General, add the name of the response policy zone
  • Under Type, select the “BlueCat Threat Protection DoH Public Servers” option and apply other deployment parameters as desired
  • Click Update

How to deploy the DoH threat feed in DNS Edge

  • Log in to the DNS Edge user interface.
  • In the top navigation bar, select Policies.
  • Select an existing policy that uses the BlueCat Threat Protection domain list, and click Edit.
  • Select the BlueCat Threat Protection DoH Public Servers option.
  • Click Save and Apply.

Our care portal contains more information about DoH threat feed options, including detailed technical notes.

Learn more about the pros and cons of DoH in a webinar with BlueCat’s Chief Strategy Officer Andrew Wertkin.

Ben Ball

Ben Ball is the Director of Strategy and Content Marketing at BlueCat. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.
