Proxy administrators would like to determine how to properly block inbound DoH (DNS-over-HTTPS) requests via Edge SWG (formerly ProxySG) devices.
To ensure this traffic is blocked successfully, apply the following policy:
; * * * * Policy to Disable DoH handoff for any client request ***
<Proxy>
http.dns_handoff(no)
; * * * * END Policy to Disable DoH handoff for any client request ***
CPL Syntax Reference(s)
Alternatively, you can use the Application Classification categories related to DoH in policy.
Example: Set up a new VPM "Web Request Layer" rule that blocks all requests matching the "DNS over HTTPS" application group attribute.
As of the date of publication for this article, the services included in the above group consist of: