Cajuntank
Contributor III
August 28, 2024
Solved

DNS over HTTPS/TLS not getting blocked


Was doing some log parsing and came across some traffic flows that had me scratching my head. I have a policy with DPI enabled, but I do have reputable websites with various categories and address objects exempt. I also have an application control profile applied to said policy where I explicitly block DNS over HTTPS and DNS over TLS.


The traffic in question going through that policy shows traffic to dns.google (8.8.8.8) with application of DNS over HTTPS and DNS over TLS as Allowed (again, the app control profile has it set to block). My assumption is that, due to my DPI profile having pretty much all things Google exempt, this is causing the traffic to pass as Allowed. This seems the most logical reason, but I just wanted to bounce this out there and get some thoughts on whether I'm on the right track or there is some other "rabbit hole" I need to go down.

Best answer by Debbie_FTNT

Hey Cajuntank,

if you have configured an exemption for broadly all things Google, then it is indeed very likely the reason that the traffic is allowed. If it's exempted from inspection, that means any subsequent UTM filters do not apply, and the traffic is simply passed through.

You could create another policy above it (specific to DNS and/or DNS via TLS/HTTPS), and apply deep inspection without the exemption, so DNS traffic IS inspected, but other Google-related traffic goes through your current policy and IS exempted.
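The policy split described in the answer above, laid out as FortiOS CLI. This is an added illustration, not configuration posted in the thread: the interface names (internal, wan1), the object and profile names, the "google-all" address object standing in for the poster's Google exemptions, and the two application IDs in angle brackets are all placeholders to be replaced with your own values (look the IDs up under the application control signature list; they are not given here). Lines starting with # are annotations, not CLI input.

```text
# --- Existing state (assumed): the profile on the general policy exempts Google,
# so TLS to dns.google is never opened and the app control signature never fires.
config firewall ssl-ssh-profile
    edit "deep-inspection-general"
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            edit 1
                set type address
                set address "google-all"      # placeholder for the broad Google exemption
            next
        end
    next
end

# --- Fix, step 1: an inspection profile with NO ssl-exempt entries.
config firewall ssl-ssh-profile
    edit "deep-inspection-dns"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end

# --- Step 2: the resolver as an address object and port 853 as a service.
config firewall address
    edit "dns.google"
        set type fqdn
        set fqdn "dns.google"
    next
end
config firewall service custom
    edit "DNS-over-TLS"
        set tcp-portrange 853
    next
end

# --- Step 3: an app control profile that blocks only the two encrypted-DNS signatures.
config application list
    edit "block-encrypted-dns"
        set other-application-action pass
        config entries
            edit 1
                set application <DNS.over.HTTPS id> <DNS.over.TLS id>   # placeholders
                set action block
            next
        end
    next
end

# --- Step 4: a narrow policy that uses the non-exempting profile, placed ABOVE
# the general Google policy so it matches first.
config firewall policy
    edit 0
        set name "inspect-encrypted-dns"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "dns.google"
        set service "HTTPS" "DNS-over-TLS"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-dns"
        set application-list "block-encrypted-dns"
        set logtraffic all
    next
    # After "edit 0" assigns an ID, reorder it; both IDs below are placeholders:
    move <new-policy-id> before <general-google-policy-id>
end
```

Two caveats worth keeping in mind. First, a destination-based policy like this only catches DoH to resolvers you have enumerated in dstaddr; DoH to any other host still lands on the general policy and inherits its exemption, so the exemption itself is the thing to narrow if the goal is to block DoH everywhere. Second, DoT is the easy half: it is its own port (853), so a plain deny on the DNS-over-TLS service works with no inspection at all, whereas DoH is ordinary HTTPS on 443 and can only be told apart from web traffic once the TLS session is actually opened by deep inspection, which is exactly why an exemption makes the signature go silent.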


bkrishnan
Staff
August 28, 2024

Hello 
I believe that the signature (DNS over HTTPS/TLS) requires "deep-inspection" to identify and perform the action.

Cajuntank (Author)
Contributor III
August 28, 2024

Yes, sorry if I wasn't clear on that. When I say DPI, I mean deep packet inspection. So yes, I have the deep packet inspection certificate enabled on this policy along with the app control profile blocking DNS over HTTPS/TLS, but since the DNS over HTTPS/TLS is occurring on traffic to an exempt domain (in this instance, Google's DNS) in that deep inspection certificate profile, I am thinking this might be why it's passing through instead of being blocked. That is the logic I am trying to confirm, or whether there is something else I might need to look at. I know I can block port 853, but that does not help with DNS over HTTPS, and I am just wanting to confirm my logic.
