Tech Tidbit – Do you understand DoH? Steps you need to take now to prevent chaos with your web filtering

June 25th, 2023
Tech Tidbit – Do you understand DoH?   Steps you need to take now to prevent chaos with your web filtering

We have a new technology coming online with all the popular web browsers.  It is called DNS over HTTPS or DoH.   The concept is instead of using your internal DNS to resolve web pages, the web browser goes back to an external DNS site to resolve the page.  The rationale is that this prevents ISPs from tracking your web browser search requests.

In a K-12 setting the concern is that by circumventing your local DNS lookups, you also may circumvent your local web filtering and suddenly be staring at inappropriate content on district devices - which you can't control!    There are a lot of people online expressing exactly these concerns in K-12 as DoH is shredding its web filtering strategies.

Firefox's most current web browser has DoH built-in.  Chrome and Microsoft have announced imminent support for DoH.

Here's what you need to do:

  1. Download the latest Firefox.
  2. Install it on a device that is completely under your normal web filtering policies.
  3. Turn on DoH (a checkbox under Options, Networking).
  4. Browse to bad places (purely for research purposes).
  5. If you can get out, you have a problem.
  6. If you can't, your present filtering strategy should hold up.
  7. Remember to re-test with Chrome and Edge once those vendors release their versions of DoH functionality.
  8. Please report back to me your DoH findings and what web filtering solution you are using.

We know that Cisco Umbrella and Cisco Meraki web filtering absolutely block inappropriate DoH requests.  Free Cisco OpenDNS does not because you lack the ability to legally configure the free version.

If DoH has shredded your web filtering, you need to do the following:

  1. Call Lisa and get a full Cisco Umbrella trial going to shut this down immediately.
  2. Then we can talk through what else you might be able to do with GPOs, etc.
  3. Contact your web filtering vendor and find out how they are going to resolve this for you so that you won't be in violation of COPPA.

Let me know what you find in your DoH testing.