Method for blocking DNS-over-HTTPS (DoH) client requests via Edge SWG (formerly ProxySG) appliances


Article ID: 235423


Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

Proxy administrators want to know how to reliably block DNS-over-HTTPS (DoH) requests from clients that pass through an Edge SWG (formerly ProxySG) appliance. Because DoH is ordinary HTTPS traffic to a resolver's /dns-query endpoint, an explicit or transparent proxy that does not decrypt the session sees only a TLS connection to port 443 and cannot distinguish a DoH query from any other HTTPS request.

Resolution

To block this traffic successfully, complete both of the following steps:

  1. Ensure TLS/SSL interception (decryption) is enabled for every DoH service provider domain you need to control. Without interception the appliance cannot see the DoH request inside the TLS session, and the policy in step 2 will not have a DNS request to act on.
  2. Disable the DoH handoff for all client requests via proxy policy.
    • Add the CPL below via the appliance local policy file (Configuration > Policy > Policy Files > Install Local File from > Text Editor > Install) or in a VPM CPL layer:

; * * * *  Policy to disable DoH handoff for any client request * * * *
<Proxy>
http.dns_handoff(no)

; * * * *  END policy to disable DoH handoff for any client request * * * *
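The following is an added example, not part of the original article, showing one local policy file that carries out both steps together: an SSL-Intercept layer that decrypts sessions to the DoH providers, and a Proxy layer that disables the handoff and denies the decrypted DoH requests outright. The provider hostnames (dns.google, cloudflare-dns.com, dns.quad9.net, doh.opendns.com) and the use of server.certificate.hostname=, define condition, and request.header.Accept= are assumptions drawn from the providers' public documentation and the general CPL reference, not from this article; verify them against your SGOS release before installing.

```cpl
; Added example (not the article's own policy). Hostnames and the
; conditions below are assumptions to verify for your environment.

; DoH resolver endpoints to control. Extend this list as needed.
define condition DoH_Providers
  url.domain=dns.google
  url.domain=cloudflare-dns.com
  url.domain=dns.quad9.net
  url.domain=doh.opendns.com
end

; Step 1: decrypt HTTPS to the DoH providers so the proxy can see the
; DNS query inside the TLS session. Without this the appliance only
; sees a CONNECT to port 443 and the rules in the Proxy layer never match.
<SSL-Intercept>
  server.certificate.hostname=dns.google       ssl.forward_proxy(https)
  server.certificate.hostname=cloudflare-dns.com ssl.forward_proxy(https)
  server.certificate.hostname=dns.quad9.net    ssl.forward_proxy(https)
  server.certificate.hostname=doh.opendns.com  ssl.forward_proxy(https)

; Step 2: never hand a client's DoH query off to a DoH server, and deny
; the decrypted requests so clients fall back to the sanctioned resolver.
<Proxy>
  http.dns_handoff(no)
  ; Known providers: deny by destination domain.
  condition=DoH_Providers deny
  ; Unknown providers: a DoH client advertises the RFC 8484 media type,
  ; so deny any decrypted request that asks for it (header match is a
  ; regular-expression match on the Accept header value).
  request.header.Accept="application/dns-message" deny
```

After installing, test from a client that is routed through the proxy with a DoH request to one of the listed resolvers (for example a GET to https://dns.google/dns-query with the Accept: application/dns-message header); the request should be denied, and the policy trace should show the matching rule. If the request succeeds, confirm first that the SSL-Intercept rule fired, since the Proxy-layer rules depend on it.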

CPL Syntax Reference(s)

  • http.dns_handoff() - Enables or disables DNS-over-HTTPS (DoH) handoff of DNS requests to DoH servers.


Alternatively, use the Application Classification categorization for DoH in policy.

Example: Create a new VPM "Web Request Layer" rule that blocks all requests matching the "DNS over HTTPS" application group attribute. This rule, too, only matches once the session has been decrypted, so step 1 above still applies.

As of this article's publication date, the "DNS over HTTPS" application group includes the following services:

  • Cisco OpenDNS DNS over HTTPS (DoH)
  • Cloudflare DNS over HTTPS (DoH)
  • Google Public DNS over HTTPS (DoH)
  • Quad9 DNS over HTTPS (DoH)