DNS-over-HTTPS(DoH) on ProxySG without SSL decryption
Article ID: 404239
Updated On:
Products
ProxySG Software - SGOS
Issue/Introduction
We run SGOS 7.3.x as Explicit Forwarding proxy, without SSL decryption. Can Edge SWG(ProxySG) in this deployment detect and block DNS-over-HTTPS (DoH)?
Resolution
DNS-over-HTTPS (DoH) encrypts DNS queries inside HTTPS traffic. Since you're running EdgeSWG(ProxySG) in explicit forwarding mode without SSL decryption, the appliance cannot inspect the encrypted payload to identify DoH requests. That means:
- DoH traffic looks like regular HTTPS to ProxySG.
- You cannot apply application-layer policies (like blocking application/dns-message MIME types).
- CPL rules like http.dns_handoff(no) won’t apply, because they require visibility into the HTTPS stream.
| Feature | Available Without SSL Decryption? |
|---|---|
| Detect DoH traffic | ❌ |
| Block DoH via CPL | ❌ |
| Use Application Classification (e.g. “DNS over HTTPS” app group) | ❌ |
| Block known DoH domains by hostname | ✅ (but limited effectiveness) |
To fully detect and block DoH:
- Enable SSL interception for known DoH domains.
- Use CPL rules like http.dns_handoff(no) to disable DNS handoff.
- Leverage Application Classification to block the “DNS over HTTPS” app group
You can also refer to Method for blocking DNS-over-HTTPS (DoH)
Feedback
Yes
No
Powered by
