Understanding and Managing DNS over HTTPS (DoH) Blocklists: A Comprehensive Guide
DNS over HTTPS (DoH) is a protocol that encrypts DNS queries, enhancing user privacy and security. However, this encryption also presents challenges for network administrators and security professionals who may need to monitor and control DNS traffic. This often leads to the need for DoH blocklists – mechanisms to identify and potentially block DoH requests originating from or destined for specific services or servers.
Why Block DoH?
While DoH offers significant benefits, there are legitimate reasons why organizations might choose to block or manage DoH traffic:
- Security Concerns: Blocking DoH can prevent malicious actors from using encrypted DNS to bypass security measures like firewalls and intrusion detection systems. It allows for easier monitoring of DNS activity for threat detection.
- Compliance and Auditing: Many organizations are subject to regulatory compliance requirements that necessitate logging and monitoring of network traffic, including DNS queries. DoH’s encryption complicates this process.
- Network Management: Organizations might need to control DNS resolution for internal resources, such as internal websites or servers. DoH, if unmanaged, could bypass internal DNS servers and lead to inconsistencies.
- Data Loss Prevention (DLP): Preventing sensitive data from leaving the network is crucial. DoH could facilitate data exfiltration if not properly monitored and controlled.
- Parental Controls: Home users and some organizations rely on DNS filtering to restrict access to inappropriate or harmful content; a DoH blocklist keeps clients from bypassing that filter by resolving names elsewhere.
How DoH Blocklists Work
DoH blocklists typically operate by identifying and blocking DNS requests that use specific DoH server addresses or utilize specific characteristics associated with DoH traffic. These methods can include:
- IP Address Blocking: Blocking the IP addresses of known DoH providers (such as Cloudflare's 1.1.1.1 or Google's 8.8.8.8). These addresses also answer plain DNS on port 53, so the block should be scoped to HTTPS (port 443) rather than the whole address unless plain DNS to them is meant to be blocked too.
- Port Blocking (Port 443): While not specific to DoH, blocking port 443 (HTTPS) can inadvertently disrupt DoH traffic along with legitimate HTTPS communication. This is generally not recommended as it's too broad.
- Deep Packet Inspection (DPI): DPI examines the content of network packets to identify DoH traffic based on patterns and characteristics. This is a more advanced technique that requires specialized tools and resources.
- DNS Protocol Inspection: Examining the DNS and TLS traffic that remains visible. A client switching to DoH usually first resolves its DoH server's hostname over plain DNS, and the HTTPS connection that follows names that host in the TLS handshake (SNI); both can be matched against the blocklist.
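The mechanisms above correspond to different vantage points: the internal resolver sees the plaintext bootstrap lookup, a network sensor sees the destination address and the SNI of the TLS handshake, and only a TLS-terminating proxy can see the HTTP media type that RFC 8484 DoH requests carry. The following Python is an added example, not code from the original article: a small detector that reads constructed sensor events and matches them against a constructed sample blocklist. The event schema (the `kind`, `qname`, `sni`, `dst`, `path` and `content_type` fields), the sample addresses and the two-provider blocklist are all assumptions made for the example.

```python
import ipaddress
import json
from typing import List, Optional, Tuple

# Constructed sample blocklist: the two public DoH providers the article names.
# A production list is much larger and must be refreshed regularly.
DOH_HOSTNAMES = {"cloudflare-dns.com", "dns.google"}
DOH_NETWORKS = [ipaddress.ip_network(n) for n in ("1.1.1.1/32", "1.0.0.1/32", "8.8.8.8/32", "8.8.4.4/32")]

# Constructed sensor events, one JSON object per line (hypothetical schema, not any vendor's format):
#   dns  - a plaintext query seen by the internal resolver (DoH clients bootstrap this way)
#   tls  - a TLS ClientHello seen on the wire; the SNI is visible unless Encrypted ClientHello is used
#   http - a request seen by a TLS-terminating proxy, the only place body-level DPI is possible
SAMPLE_EVENTS = """
{"kind": "dns",  "src": "10.0.0.5", "qname": "cloudflare-dns.com", "qtype": "A"}
{"kind": "dns",  "src": "10.0.0.6", "qname": "intranet.example.internal", "qtype": "A"}
{"kind": "tls",  "src": "10.0.0.5", "dst": "1.1.1.1", "dport": 443, "sni": "cloudflare-dns.com"}
{"kind": "tls",  "src": "10.0.0.7", "dst": "203.0.113.10", "dport": 443, "sni": "www.example.com"}
{"kind": "tls",  "src": "10.0.0.8", "dst": "8.8.8.8", "dport": 443, "sni": ""}
{"kind": "http", "src": "10.0.0.9", "dst": "203.0.113.20", "dport": 443, "path": "/dns-query", "content_type": "application/dns-message"}
{"kind": "http", "src": "10.0.0.9", "dst": "203.0.113.20", "dport": 443, "path": "/index.html", "content_type": "text/html"}
"""


def hostname_matches(name: str) -> bool:
    """True if name is a listed DoH hostname or a subdomain of one (case- and trailing-dot-insensitive)."""
    name = name.rstrip(".").lower()
    return any(name == h or name.endswith("." + h) for h in DOH_HOSTNAMES)


def ip_in_blocklist(addr: str) -> bool:
    """True if addr falls inside any blocklisted network."""
    if not addr:
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DOH_NETWORKS)


def classify(event: dict) -> Optional[str]:
    """Return a short reason if the event indicates DoH use, otherwise None."""
    kind = event.get("kind")
    if kind == "dns" and hostname_matches(event.get("qname", "")):
        return "plaintext bootstrap lookup of a DoH resolver hostname"
    if kind == "tls" and event.get("dport") == 443:
        if hostname_matches(event.get("sni", "")):
            return "TLS SNI names a DoH resolver"
        if ip_in_blocklist(event.get("dst", "")):
            # 8.8.8.8 also serves plain DNS on port 53, which is why the port check above matters.
            return "HTTPS connection to a blocklisted resolver address"
    if kind == "http":
        # RFC 8484 DoH messages use the application/dns-message media type; /dns-query is the usual path.
        if event.get("content_type") == "application/dns-message":
            return "HTTP body is a DNS message (RFC 8484)"
        if event.get("path", "").startswith("/dns-query"):
            return "HTTP path conventionally used by DoH servers"
    return None


def scan(lines: str) -> List[Tuple[str, str]]:
    """Run classify() over JSON-lines input; return (source address, reason) for each hit."""
    findings = []
    for line in lines.strip().splitlines():
        event = json.loads(line)
        reason = classify(event)
        if reason:
            findings.append((event["src"], reason))
    return findings


if __name__ == "__main__":
    for src, reason in scan(SAMPLE_EVENTS):
        print(f"{src}: {reason}")
```

Run as-is, the scan flags four of the seven events: the bootstrap lookup and the SNI match from 10.0.0.5, the connection to 8.8.8.8 with an empty SNI from 10.0.0.8, and the `application/dns-message` request from 10.0.0.9. The intranet lookup, the ordinary HTTPS session to `www.example.com` and the `text/html` request pass untouched, which is the false-positive behaviour the broad port-443 approach cannot offer. Hostname matching is done on the DNS and SNI layers; address matching is restricted to port 443 so that plain DNS to the same resolver is not caught by accident.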
Challenges and Considerations
Implementing DoH blocklists isn't without its challenges:
- Bypass Techniques: Users can employ various methods to circumvent DoH blocks, such as using VPNs or alternative DoH providers.
- False Positives: Aggressive blocking methods might inadvertently block legitimate HTTPS traffic.
- Performance Impact: Implementing DPI or other complex blocking methods can impact overall network performance.
- Privacy Concerns: Blocking DoH might be seen as a violation of user privacy, especially if not transparently communicated.
- Maintaining Updated Blocklists: DoH providers and IP addresses can change frequently. Keeping blocklists up-to-date is crucial for effectiveness.
Best Practices
If you need to manage or block DoH, consider these best practices:
- Targeted Approach: Avoid broad blocking of HTTPS. Focus on specific DoH providers or use DPI only when necessary and with caution.
- Regular Updates: Keep your blocklists updated to reflect changes in DoH providers and their IP addresses.
- Transparency and Communication: Be transparent with your users about your DoH policies.
- Consider Alternatives: Explore alternative approaches, such as providing a sanctioned encrypted resolver under your own control, so that DNS stays encrypted in transit while you retain logging and filtering.
- Monitor and Evaluate: Regularly monitor the effectiveness of your DoH blocking strategies and make adjustments as needed.
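Regular updates and a targeted approach are mostly a matter of treating the blocklist as data that is validated, reconciled and reviewed before it becomes firewall rules. This Python is an added example, not part of the original article: it parses a constructed upstream feed, rejects malformed entries, canonicalises addresses, removes allowlisted exceptions (here, hypothetically, a sanctioned resolver), reports what changed against the deployed set, and renders an nftables snippet that drops HTTPS only to listed resolvers rather than all of port 443. The feed contents, the deployed set, the allowlist and the table and set names are assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Hostname syntax check (RFC 1123 labels; lower-case only because entries are lower-cased first).
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed upstream feed in the common "one entry per line, '#' comments" style (not a real feed).
UPSTREAM_LIST = """
# DoH resolvers (constructed sample)
cloudflare-dns.com
1.1.1.1
1.0.0.1
dns.google
8.8.8.8/32
8.8.4.4
not a valid entry!!
"""

# Entries currently deployed, in canonical form (constructed). 192.0.2.53 is a resolver the
# upstream feed no longer lists, so the refresh should retire it.
CURRENT_LIST = {"cloudflare-dns.com", "1.1.1.1/32", "192.0.2.53/32"}

# Hypothetical exceptions: the organisation has sanctioned Google's resolver as its encrypted DNS
# provider, so a generic upstream feed must not be allowed to block it.
ALLOWLIST = {"dns.google", "8.8.8.8", "8.8.4.4"}


def parse_entry(raw: str):
    """Parse one line into ("net", ip_network) or ("host", name); None if blank, comment, or invalid."""
    s = raw.strip().lower()
    if not s or s.startswith("#"):
        return None
    try:
        return ("net", ipaddress.ip_network(s, strict=False))
    except ValueError:
        pass
    if HOSTNAME_RE.match(s):
        return ("host", s)
    return None


def canonical(entry: Tuple[str, object]) -> str:
    """Canonical string: networks always carry a prefix length (8.8.4.4 -> 8.8.4.4/32), hosts as-is."""
    return str(entry[1])


def load_list(text: str, exceptions: Set[str]) -> Dict[str, object]:
    """Validate, canonicalise and de-duplicate a feed, dropping allowlisted entries."""
    skip = {canonical(e) for e in map(parse_entry, exceptions) if e}
    nets: Set[str] = set()
    hosts: Set[str] = set()
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            rejected.append(line.strip())  # worth logging: a feed that starts emitting junk needs attention
            continue
        if canonical(entry) in skip:
            continue
        (nets if entry[0] == "net" else hosts).add(canonical(entry))
    return {"nets": nets, "hosts": hosts, "rejected": rejected}


def diff(current: Set[str], new: Set[str]) -> Tuple[List[str], List[str]]:
    """(added, removed) relative to what is deployed, for change review before rules are pushed."""
    return sorted(new - current), sorted(current - new)


def render_nft(nets: Set[str]) -> str:
    """nftables snippet that drops HTTPS only to blocklisted IPv4 resolvers, not all of port 443.
    Hostname entries are deliberately left out: they belong in the DNS layer (e.g. a response policy zone)."""
    v4 = sorted(n for n in nets if ipaddress.ip_network(n).version == 4)
    elements = ", ".join(v4)
    return (
        "table inet filter {\n"
        "  set doh_resolvers {\n"
        "    type ipv4_addr\n"
        "    flags interval\n"
        f"    elements = {{ {elements} }}\n"
        "  }\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        "    ip daddr @doh_resolvers tcp dport 443 drop\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    result = load_list(UPSTREAM_LIST, ALLOWLIST)
    added, removed = diff(CURRENT_LIST, result["nets"] | result["hosts"])
    print("rejected:", result["rejected"])
    print("added:", added, "removed:", removed)
    print(render_nft(result["nets"]))
```

With the constructed inputs the refresh rejects the malformed line, leaves the sanctioned Google entries out, reports `1.0.0.1/32` as new and `192.0.2.53/32` as retired, and emits a rule that only matches port 443 to the `doh_resolvers` set, so ordinary HTTPS is untouched. Reviewing the added/removed lists before loading the snippet is the "monitor and evaluate" step in practice; the rejected list is the early warning that the feed format has changed.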
Implementing DoH blocklists requires careful consideration of the trade-offs between security, privacy, and network performance. A well-planned and carefully executed strategy is essential for maximizing benefits while minimizing disruptions.