How to block DNS over HTTPS (DoH) traffic to avoid WSS Agent issues with SAML Authentication or domain bypasses



Article ID: 369322


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internet sites via Cloud SWG using the WSS Agent.

SAML authentication is enabled on Cloud SWG.

A handful of macOS users report a blank popup page for SAML authentication, with no prompt or error message.

A handful of users report that DNS bypasses are failing.

A handful of users report that access to segment-based applications fails when integrating with ZTNA, due to DNS resolution failures.

All hosts experiencing the issue have DoH enabled and send their queries to well-known public DoH resolvers such as 8.8.8.8, 8.8.4.4 or 9.9.9.9.

Switching DNS to a local DNS server resolves the issue.

Environment

WSS Agent on macOS.

WSS Agent on Windows.

DNS over HTTPS (DoH), DNS over QUIC (DoQ), or DNS over TLS (DoT) enabled on host.

Cause

The WSS Agent must see the DNS A/AAAA responses on the host in order to make its authentication, DNS-rewriting and domain-bypass decisions.

With DoH (or DoQ/DoT) enabled, DNS responses reach the host inside an encrypted session between the application and the resolver, so the agent never sees them.

Resolution

A number of options exist on the host side to address this issue.

  • Firewall rules on the client or on the network can block DoH over TCP 443, DoQ over UDP 443 and DoT over TCP 853 to the public resolvers. A list of the most common DoH, DoQ and DoT sites is published here.

    • Blocking DoH alone is usually not enough: a failed DoH connection often triggers a fallback to DoQ or DoT rather than to plain DNS over UDP 53, so all three transports must be blocked.

  • A third-party firewall (macOS) or the built-in Windows firewall on the host can be used for this. Anyone running Symantec's Web and Cloud Access Protection Agent can push a firewall policy to the host for a seamless solution to the above problem.

  • If no third-party firewall exists on the macOS host, the native Packet Filter (pf) firewall can be used to block the above ports. The following steps block all DoH, DoQ and DoT requests to the most common secure DNS resolvers referenced above. Only the addresses in the list are blocked; a host configured for a DoH resolver that is not on it needs that address added to DNS_ADDRS.
    • Create a /Library/LaunchDaemons/Scripts/block-doh.sh file with the following content:
      #!/bin/bash
      # Append outbound block rules for DoH (TCP 443), DoQ (UDP 443) and DoT (TCP 853)
      # to the stock /etc/pf.conf ruleset and load the combined ruleset into pf.

      DNS_ADDRS="8.8.8.8 8.8.4.4 1.1.1.1 9.9.9.9 9.9.9.10 1.0.0.1 185.228.168.9 185.228.169.9 185.228.168.168 185.228.169.168 185.228.168.10 185.228.169.11 94.140.14.14 94.140.15.15 94.140.14.15 94.140.15.16 94.140.14.140"

      # The stock ruleset must come first; the block rules are appended after it.
      # pfctl -E enables pf if it is not already enabled, -f - reads the rules from stdin.
      {
        cat /etc/pf.conf
        for i in ${DNS_ADDRS}; do
          printf 'block out proto tcp to %s port 443\n' "${i}"
          printf 'block out proto udp to %s port 443\n' "${i}"
          printf 'block out proto tcp to %s port 853\n' "${i}"
        done
      } | /sbin/pfctl -Ef -

      # Flush the system resolver cache so answers already obtained over DoH are discarded
      killall mDNSResponder
    • Set this block-doh.sh script as executable (chmod +x /Library/LaunchDaemons/Scripts/block-doh.sh)
    • Create a file called com.broadcom.block-doh.plist with the following content in /Library/LaunchDaemons

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
        <key>Label</key>
        <string>com.broadcom.block-doh</string>
        <key>RunAtLoad</key>
        <true/>
        <key>Program</key>
        <string>/Library/LaunchDaemons/Scripts/block-doh.sh</string>
      </dict>
      </plist>

      launchd only loads a LaunchDaemon that is owned by root:wheel and not group- or world-writable (sudo chown root:wheel /Library/LaunchDaemons/com.broadcom.block-doh.plist; sudo chmod 644 /Library/LaunchDaemons/com.broadcom.block-doh.plist). Load it once with sudo launchctl load /Library/LaunchDaemons/com.broadcom.block-doh.plist; from then on the script also runs automatically on every reboot.
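      Once the daemon is in place, the following script can confirm that the block is actually effective after a reboot or a policy change. It is an added example for this article, not Broadcom's code or part of the WSS Agent. It assumes block-doh.sh above has been loaded (the resolver list is copied from it and must be kept in sync), that it is run as root so pfctl can read the ruleset, that curl is built with DoH support (7.62 or later) and that nc is the BSD netcat shipped with macOS. The script name check-doh-block.sh and the use of example.com as the probe target are assumptions.

```shell
#!/bin/bash
# Added verification helper for the pf-based DoH/DoQ/DoT block above (not Broadcom's
# code). Assumes block-doh.sh from this article has already been loaded with pfctl.

# Same resolver list as block-doh.sh; the two must be kept in sync.
DNS_ADDRS="8.8.8.8 8.8.4.4 1.1.1.1 9.9.9.9 9.9.9.10 1.0.0.1 185.228.168.9 185.228.169.9 185.228.168.168 185.228.169.168 185.228.168.10 185.228.169.11 94.140.14.14 94.140.15.15 94.140.14.15 94.140.15.16 94.140.14.140"

# proto:port per transport: tcp:443 = DoH, udp:443 = DoQ (HTTP/3), tcp:853 = DoT
BLOCKED_PORTS="tcp:443 udp:443 tcp:853"

# Print every "address proto port" triple the ruleset must cover, one per line.
expected_rules() {
  local ip pp
  for ip in ${DNS_ADDRS}; do
    for pp in ${BLOCKED_PORTS}; do
      printf '%s %s %s\n' "$ip" "${pp%%:*}" "${pp##*:}"
    done
  done
}

# Read a `pfctl -sr` dump on stdin and print the triples that have no outbound block rule.
# pfctl normalises "block out proto tcp to 8.8.8.8 port 443" to
# "block drop out proto tcp from any to 8.8.8.8 port = 443", so match loosely: a line
# starting with "block" that contains "out", "proto <p>" and "to <ip> port [=] <n>".
missing_rules() {
  local dump ip proto port ip_re re
  dump=$(cat)
  expected_rules | while read -r ip proto port; do
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    re="^block .*out .*proto ${proto} .*to ${ip_re} port (= )?${port}( |\$)"
    if ! printf '%s\n' "$dump" | grep -Eq "$re"; then
      printf '%s %s %s\n' "$ip" "$proto" "$port"
    fi
  done
}

# Live check (macOS, run as root): all rules loaded, and DoH + DoT to the first resolver
# fail. curl --doh-url drives a real DoH query over TCP 443; nc -z probes the DoT port.
# Because pf's plain "block" drops silently, both are expected to time out.
verify_live() {
  local missing first rc
  missing=$(pfctl -sr 2>/dev/null | missing_rules)
  if [ -n "$missing" ]; then
    printf 'no block rule loaded for:\n%s\n' "$missing"
    return 1
  fi
  first=${DNS_ADDRS%% *}
  rc=0
  curl -s --max-time 5 -o /dev/null --doh-url "https://${first}/dns-query" https://example.com/ || rc=$?
  case $rc in
    0) echo "DoH via ${first} still resolves: block is NOT effective"; return 1 ;;
    6|7|28|35) ;;   # resolve/connect failure, timeout or TLS failure: expected when blocked
    *) echo "curl exit ${rc} is inconclusive (is this curl built with DoH support?)"; return 1 ;;
  esac
  if nc -z -w 3 "$first" 853 2>/dev/null; then
    echo "DoT port 853 on ${first} still reachable: block is NOT effective"; return 1
  fi
  echo "all $(expected_rules | wc -l | tr -d ' ') rules loaded; DoH and DoT to ${first} are blocked"
}

if [ "${1:-}" = "--live" ]; then
  verify_live
fi
```

      Run it as sudo bash check-doh-block.sh --live. Two points worth knowing when reading the result: pf's plain block drops packets silently, so a browser waits for its DoH timeout before falling back to the system resolver, and a browser pinned to DoH only (Firefox's "Max Protection" mode) never falls back and stops resolving anything until DoH is turned off. If a fast failure is preferred, write the rules as block return instead of block so the client gets an immediate reset.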

      NOTE: Profiles or policies can also be pushed to the client host to lock down its network settings so that DoH cannot be enabled in the first place, for example by blocking the user's ability to change the host DNS server or to change the browser's secure DNS setting that turns DoH on.