DNSWatch and DNS over HTTPS (DoH) - Chrome

Google Chrome has now changed its default to use DoH - so DNSWatch, and with no DNSWatch, DNS proxy policies, can no longer see the DNS queries when using Chrome on Windows.
Presumably Chrome on other platforms will have their defaults changed too.
What are WG plans to address this potentially large security issue ?

One can see the Chrome option via chrome://flags/#dns-httpssvc

Comments

  • I disable DoH in Chrome and Firefox using group policies on my Windows domains, and I have what you suggested a while back (I added HTTP Response > Content Types with application/dns-message set to Deny) and it block DoH requests even when I don't have it disabled in the browser.

    Gregg Hill

  • edited October 2020

    However, I am looking for WG’s perspective on this.
    Without some firewall solution, DNSWatch becomes useless when using Chrome.
    And presumably Firefox and the rest will follow suit sooner or later.

  • I think Firefox also has it enabled now by default. WatchGuard's solution could be as "simple" as adding HTTP Response > Content Types with application/dns-message set to Deny any time that DNSWatch is enabled...along with big bold text warning that the policy change will be made so it doesn't catch folks off guard.

    Gregg Hill

  • Current DNSWatch does not require HTTPS Inspect.
    Not the best implementation to require it IMHO.

  • @Bruce_Briggs said:
    Current DNSWatch does not require HTTPS Inspect.
    Not the best implementation to require it IMHO.

    Ah, I see your point. I missed it that DPI would need to be on for the DoH packets to be seen due to the "application/dns-message" setting being for HTTP. That kills my idea! I now see that it only works for me because I have DPI enabled at all of my clients.

    Gregg Hill

  • For Chrome, one can also Deny access to domain = dns.google on a HTTPS proxy which would not need Inspect enabled.

    Clearly not a full solution as specific policies would need to be in a config, which is not the case with the current DNSWatch implementation.

    And I still would like to have DNS policies in my config processed prior to XTM intercepting the DNS request and forwarding it out to the DNSWatch servers, as I want to stop certain devices from accessing selected domains and a DNS proxy seems like the best way to me to accomplish this.
    So currently I choose not to have DNSWatch enabled because of this.

  • Hopefully they will add a known DoH server category to block similar to cisco umbrella

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Currently there are two feature requests that are open and being worked on related to this:
    FBX-17047 - Ability to block DNS over HTTPS via Application Control
    DNSW-624 - Ability to block DNS over HTTPS in DNSWatch
    If you'd like to track either, or both, please open a support case and mention the one you'd like to track via a case. The support rep can set that up for you.

    -James Carson
    WatchGuard Customer Support

  • I only allow DNS outbound to certain DNS servers. I use CleanBrowsing.org's DNS servers in my DNS forwarders in my Windows Server 2019 domain controller in my home office, specifically their Adult Filter server IPs of 185.228.168.10 and 185.228.169.11. At my father-in-law's home, I use the same DNS servers in the firewall. I did see denied attempts trying to reach CleanBrowsing.org's DoH servers on different IPs, so that blocked DoH, then I went ahead and disabled it in Firefox and Chrome on his computer so it wouldn't even try it.

    Gregg Hill

Sign In to comment.