Netskope and DNS over HTTPS (DoH): Understanding Blocking Capabilities and Implications
The rise of DNS over HTTPS (DoH) presents both opportunities and challenges for organizations seeking to maintain network security and control. DoH encrypts DNS queries, making it difficult for traditional network security solutions, like firewalls, to inspect and control DNS traffic. This directly impacts the effectiveness of security tools like Netskope, which often rely on inspecting DNS requests for threat detection and prevention.
How Netskope Addresses DoH
Netskope employs several techniques to address the challenges posed by DoH. Because it cannot directly decrypt DoH traffic (doing so would require breaking the encryption), it relies on indirect methods to gain visibility and control:
- DNS Inspection at the Network Level (when possible): Where possible, Netskope will still attempt to inspect DNS requests *before* they are encrypted via DoH. This depends on network configuration and whether DoH is enforced on the client-side or can be overridden at the network level.
- Client-Side Agent Integration: Netskope's client agents can provide insight into the DNS queries being made, even when DoH is used. These agents work by monitoring the application layer traffic, not just the network level, and can report on the domains contacted. This allows Netskope to identify malicious or unauthorized domains based on its threat intelligence database, even without fully intercepting the DNS traffic itself.
- Cloud-Based Threat Intelligence: Netskope’s cloud-based security platform utilizes extensive threat intelligence to identify malicious domains or IPs being accessed, even if they are discovered through DoH. This allows Netskope to alert administrators about suspicious activity without directly blocking the DoH traffic.
- Integration with Other Security Tools: Netskope can integrate with other security tools, such as Secure Web Gateways (SWG), to achieve a layered approach to security. While DoH might bypass some inspection points, the SWG can still examine the encrypted connection for malicious content.
- Policy Enforcement: While it cannot block DoH requests directly in all scenarios, Netskope can enforce policies based on the data it gathers via client-side agents or from other security tools integrated with the platform. This might include blocking access to specific websites or applications discovered via the indirect observation of DoH traffic.
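The points above about inspecting DNS before it is encrypted and about reporting the domains a client contacts both come down to the same question: what does a DoH query look like to a control point that can see the HTTP layer (for example, a proxy that terminates TLS for the client)? The following Python example, added here and not taken from Netskope or the RFC 8484 text, shows the two request shapes defined by RFC 8484 (a GET with a base64url `dns` parameter, or a POST whose body is `application/dns-message`), classifies a request as DoH from those markers, and decodes the DNS wire-format message to recover the queried name. The sample query for `example.com` is constructed inside the block; the function names are the example's own.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Media type that RFC 8484 assigns to DNS messages carried over HTTPS.
DOH_CONTENT_TYPE = "application/dns-message"


def build_query(name, qtype=1, txid=0x1234):
    """Build a constructed DNS wire-format query (sample input only).

    Header: ID, flags (RD set), QDCOUNT=1, AN/NS/AR counts = 0.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_target(wire):
    """Encode a DNS message as the request target of a DoH GET (base64url, no padding)."""
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + token


def is_doh_request(method, target, headers):
    """Classify an HTTP request as DoH from its media type, path and query parameter."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if DOH_CONTENT_TYPE in h.get("content-type", "") or DOH_CONTENT_TYPE in h.get("accept", ""):
        return True
    parts = urlsplit(target)
    # Common resolver path; accept a POST, or a GET that carries the "dns" parameter.
    if parts.path.endswith("/dns-query") and (method == "POST" or "dns" in parse_qs(parts.query)):
        return True
    return False


def decode_doh_get(target):
    """Recover the DNS message from the base64url 'dns' parameter of a DoH GET."""
    values = parse_qs(urlsplit(target).query).get("dns")
    if not values:
        raise ValueError("no dns parameter in request target")
    token = values[0]
    token += "=" * (-len(token) % 4)  # restore the padding RFC 8484 strips
    return base64.urlsafe_b64decode(token)


def extract_question(wire):
    """Parse the first question (QNAME, QTYPE) from a DNS message.

    Question names are not compressed in practice, so a compression pointer
    here is treated as malformed input rather than followed.
    """
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", wire[4:6])[0]
    if qdcount < 1:
        raise ValueError("message has no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(wire):
            raise ValueError("truncated QNAME")
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(wire[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(wire):
        raise ValueError("truncated question fields")
    qtype = struct.unpack("!H", wire[pos:pos + 2])[0]
    return ".".join(labels), qtype


def doh_observed_name(method, target, headers, body=b""):
    """Return (is_doh, queried_name) for one request as an inspecting proxy would see it."""
    if not is_doh_request(method, target, headers):
        return (False, None)
    wire = body if method == "POST" else decode_doh_get(target)
    name, _ = extract_question(wire)
    return (True, name)


if __name__ == "__main__":
    sample = build_query("example.com")
    print(doh_observed_name("GET", doh_get_target(sample), {"Accept": DOH_CONTENT_TYPE}))
    print(doh_observed_name("POST", "/dns-query", {"Content-Type": DOH_CONTENT_TYPE}, sample))
```

The name recovered this way is exactly the signal the client-agent and policy-enforcement points rely on: once the queried domain is known, it can be matched against threat intelligence or an allow list regardless of the transport. Where the control point cannot see the HTTP layer, none of this is available and only the connection to the resolver itself is observable.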
Limitations of Netskope's DoH Blocking
It is important to understand that Netskope cannot fully block DoH in every case. The encryption inherent to DoH limits how much direct inspection is possible, so the following limitations apply:
- Encrypted DNS Queries: The primary limitation is the encryption itself. Netskope cannot decrypt and inspect the content of DoH requests without compromising the user's privacy.
- Client-Side Control: If DoH is configured directly on the client device (e.g., in a browser setting), and not at the network level, Netskope's ability to influence or block DoH is significantly reduced. This is because the client directly communicates with the DoH resolver, bypassing network-level controls.
- Bypassing Security Controls: Malicious actors could use DoH to evade some network security controls, although with reduced effectiveness, since Netskope will likely still identify malicious websites accessed via DoH through its threat intelligence features.
Best Practices for Managing DoH with Netskope
To maximize the effectiveness of Netskope in an environment where DoH is used, consider these best practices:
- Deploy Netskope Client Agents: Client agents are essential for providing visibility into DNS queries, regardless of whether DoH is being used.
- Integrate with other Security Tools: Leverage the integration with SWGs and other security solutions to achieve layered protection.
- Enforce Strong Security Policies: Develop and enforce robust security policies based on the insights gathered by Netskope.
- Regularly Update Threat Intelligence: Ensure that Netskope's threat intelligence database is up-to-date to identify the latest threats.
- Monitor and Analyze Logs: Regularly review security logs to identify potential threats and assess the effectiveness of security controls.
- Consider Network-Level Controls (if possible): If your network configuration allows, consider implementing network-level controls to influence or manage DoH usage, complementing Netskope’s capabilities.
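The log-review and network-level-control practices above are easiest to act on when the connection records already on hand are turned into a per-client view of resolver usage. The following Python example, added here and not part of Netskope's product or documentation, runs over a few constructed connection-log lines (client, TLS server name, destination port) and does three things: lists which clients reached well-known public DoH resolver hostnames, classifies each client by whether it still sends plain port-53 DNS, and emits block decisions for DoH resolvers outside an organization-approved set. The resolver hostnames are real public services, but the list, the log format, the column names and the approved set are all assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Well-known public DoH resolver hostnames (real services; illustrative, not exhaustive).
KNOWN_DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

# Constructed connection log: one TLS or UDP flow per line, SNI empty for non-TLS.
SAMPLE_LOG = """ts,client,sni,dst_port,proto
2024-01-01T10:00:01Z,10.0.0.5,dns.google,443,tls
2024-01-01T10:00:02Z,10.0.0.5,www.example.com,443,tls
2024-01-01T10:00:03Z,10.0.0.6,,53,udp
2024-01-01T10:00:04Z,10.0.0.6,www.example.com,443,tls
2024-01-01T10:00:05Z,10.0.0.7,cloudflare-dns.com,443,tls
2024-01-01T10:00:06Z,10.0.0.7,,53,udp
"""


def parse_log(text):
    """Parse the CSV log into a list of dicts with dst_port as an int."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        row["sni"] = row["sni"].strip().lower()
        records.append(row)
    return records


def find_doh_clients(records):
    """Map each client to the set of known DoH resolver hosts it contacted over TLS."""
    seen = defaultdict(set)
    for r in records:
        if r["proto"] == "tls" and r["sni"] in KNOWN_DOH_HOSTS:
            seen[r["client"]].add(r["sni"])
    return dict(seen)


def classify_clients(records):
    """Label each client: doh_only, doh_and_plain, or plain_only.

    A client that reaches a DoH resolver and never sends port-53 DNS has most
    likely moved all of its resolution out of view of network-level DNS controls.
    """
    doh = find_doh_clients(records)
    plain = {r["client"] for r in records if r["dst_port"] == 53}
    labels = {}
    for client in sorted({r["client"] for r in records}):
        if client in doh and client in plain:
            labels[client] = "doh_and_plain"
        elif client in doh:
            labels[client] = "doh_only"
        else:
            labels[client] = "plain_only"
    return labels


def policy_decisions(records, allowed):
    """Emit (client, resolver, action) for DoH resolvers outside the approved set.

    'allowed' is the organization-sanctioned DoH resolver set; anything else in
    KNOWN_DOH_HOSTS gets a 'block' decision, in log order, one per (client, host).
    """
    decisions = []
    emitted = set()
    for r in records:
        if r["proto"] != "tls" or r["sni"] not in KNOWN_DOH_HOSTS:
            continue
        key = (r["client"], r["sni"])
        if key in emitted:
            continue
        emitted.add(key)
        action = "allow" if r["sni"] in allowed else "block"
        decisions.append((r["client"], r["sni"], action))
    return decisions


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(find_doh_clients(recs))
    print(classify_clients(recs))
    for decision in policy_decisions(recs, allowed={"dns.quad9.net"}):
        print(decision)
```

Matching on the TLS server name only catches resolvers whose hostnames are known; a client using an unlisted or self-hosted DoH endpoint shows up only as ordinary HTTPS traffic, which is why the page pairs this kind of log review with client agents and threat-intelligence matching rather than relying on it alone.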
In conclusion, while Netskope cannot completely block DNS over HTTPS in all scenarios, it provides valuable insights and tools to manage the risks associated with DoH. A layered security approach combining Netskope with other security tools and effective policies remains the most robust way to secure your organization's network even in the presence of encrypted DNS traffic.