Cannot bypass Google sites using WSS Agent
search cancel

Cannot bypass Google sites using WSS Agent


Article ID: 263232


Updated On:


Cloud Secure Web Gateway - Cloud SWG


Users accessing internet via Cloud SWG using WSS Agents.

Despite bypassing sites, Cloud SWG reporting indicates a huge volume of requests into these sites as shown below:


Only seems to impact local users that are configured to send DNS traffic into Google DNS servers.


WSS Agents on Windows and MacOS.

Chrome browsers.


QUICK protocol enabled.


WSS Agent cannot snoop on DNS A responses to determine whether domain needs to be bypassed.


If using Google DNS servers, disable QUIC and DNS over HTTPS protocols for DNS resolution, and make sure that DNS A records are visible on the wire.

Else use a local DNS server that sends back A records, or send into Cloud SWG DNS proxy service.

Additional Information

WSS Agent must be able to snoop DNS responses in order to verify whether domain bypassed apply to outgoing requests.

With DNS-over-HTTPS (DoH), the DNS requests are encrypted and cannot be viewed on the wire. After initially disabling DoH on the WSS Agent host, we still had the issue and found that client was using QUIC protocol for resolution ..

With QUIC protocol, DNS requests into Google are also not seen by the WSS Agent, and cannot be bypassed successfully. The following interaction shows the DNS requests to Google DNS service, which are not standard DNS A records that the Agent is parsing for:

Disabling QUIC addressed the issue.

An alternative to this would be to send DNS requests to a local DNS server, into into Cloud SWG for resolution with the DNS proxy solution - APIs are available to push Split DNS directives out to the WSS Agents, so that they send their DNS traffic into Cloud SWG and not to a local DNS server.

Who is considering DoH?

Mozilla Firefox

What’s next in making Encrypted DNS-over-HTTPS the Default

Configuring Networks to Disable DNS over HTTPS


Google to Experiment 'DNS over HTTPS' (DoH) Feature in Chrome 78