There is a lot of buzz about DoH right now. So we thought we’d just join the discussion and educate our loyal users on what all the fuss is about.
First, I’m sure you all know what DoH is — but let’s just spell it out. DoH stands for DNS-over-HTTPS, a standard published by the IETF. DoH can increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Plus it can often improve performance. Sounds pretty good, right?
How does DoH work?
DoH works just like DNS, except it uses Transmission Control Protocol (TCP) to transmit and receive queries. Both take a domain name that a user types into their browser and sends a query to a DNS server to learn the numerical IP address of the web server hosting that site. The key difference is DoH takes the DNS query and sends it to a DoH-compatible DNS server (resolver) via an encrypted HTTPS connection on port 443, rather than plaintext on port 53. DoH prevents third-party observers from sniffing traffic and understanding what DNS queries users have run, or what websites users are intending to access. Since the DoH (DNS) request is encrypted, it’s even invisible to cyber-security software that relies on passive DNS monitoring to block requests to known malicious domains.
But DoH isn’t for everyone. Just because some vendors (like Mozilla) may enable DoH by default for users, doesn’t mean you have to use DoH.
Say yes or no to DoH!
Because DoH is configured on the application, the DNS servers configured by the operating system are not used. This means that the protection provided by Cisco Umbrella may be bypassed by applications using DoH. For this reason, Umbrella includes known DoH servers in the “Proxy / Anonymizer” content category. Customers can further improve coverage by also blocking Newly Seen Domains.
Additionally, Cisco Umbrella supports the “use-application-dns.net” domain as defined by Mozilla to prevent Firefox from enabling DoH by default. Note that Firefox will still enable DoH if the user manually configures a DoH server, in which case we recommend taking the steps outlined in the article below.
You can find more information on preventing the circumvention of Cisco Umbrella in our Knowledge Base.
Say yes to better cybersecurity
Most companies leave their DNS resolution up to their ISP. But as more organizations adopt direct internet connections and users bypass the VPN, this leads to a DNS-blind spot. Monitoring DNS requests, as well as subsequent IP connections is an easy way to provide better accuracy and detection of compromised systems, improving security visibility and network protection. If you’re looking for an easy way to protect your users on and off-network, check out Cisco Umbrella.
Umbrella is the fastest and easiest way to protect all of your users enterprise-wide in minutes, and reduces the number of infections and alerts you see from other security products by stopping threats at the earliest point. With no hardware to install and no software to manually update, ongoing management is simple. Don’t believe us? You can monitor your DNS traffic for FREE with DNS Monitoring.
