Can DNS over HTTPS (DoH) traffic be sinkholed?
8729
Created On 04/29/22 00:00 AM - Last Modified 08/15/24 09:10 AM
Question
Can DNS over HTTPS (DoH) traffic be sinkholed?
Environment
- Palo Alto Firewalls (including PA-VM)
- PAN-OS 8.1 and newer
- DNS over HTTPS (DoH)
Answer
- DNS over HTTPS (DoH) cannot be sinkholed with or without decryption.
- Without decryption, DoH traffic looks like ordinary TLS/SSL traffic (TCP/443) to the firewall and is tagged with the App-ID 'ssl'.
- With decryption, DoH must be decrypted so that the firewall can see the traffic and match it to the App-ID 'dns-over-https' instead of 'ssl'.
- DoH sessions can be decrypted without loss of functionality, but the firewall's security engines are not tuned to look for DNS queries inside the HTTP GET or POST payloads.
- Although the Palo Alto Networks firewall can identify the application 'dns-over-https', it cannot perform DNS sinkholing on that traffic, and DoH is not supported by DNS security features such as DNS Proxy.
- Once a 'deny' action is set for the dns-over-https App-ID, clients should fall back to regular DNS requests, and those DNS packets (TCP/UDP 53) can then be sinkholed.
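The following is an added illustration, not code from Palo Alto Networks or from this article, of why a DoH query is invisible before decryption and what an inspector would have to do after decryption. It encodes a DNS wire-format query into the two request forms defined by RFC 8484 (a GET with a base64url `dns` parameter and a POST with an `application/dns-message` body) and then extracts the queried name back out of the decrypted HTTP request to compare it against a sinkhole list. The resolver host `doh.example.net`, the path `/dns-query`, and the sinkhole list entry are constructed sample values; the firewall's own engines do not perform this HTTP-payload step, which is the point the article makes.

```python
import base64
import struct
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample values for the example; not from the article.
RESOLVER_HOST = "doh.example.net"
DOH_PATH = "/dns-query"
SINKHOLE_LIST = {"malware.example"}  # names that a DNS sinkhole policy would redirect


def build_dns_query(qname: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS wire-format query (RFC 1035): header + one question.
    RFC 8484 requires the transaction ID to be 0 so responses are cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_qname(msg: bytes) -> str:
    """Read the first question name from a DNS wire message (uncompressed labels)."""
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def b64url_nopad(data: bytes) -> str:
    """RFC 8484 section 6: base64url without trailing padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def doh_get_request(qname: str) -> bytes:
    """DoH GET form (RFC 8484 section 4.1): the query rides in the ?dns= parameter."""
    q = build_dns_query(qname)
    return (
        f"GET {DOH_PATH}?dns={b64url_nopad(q)} HTTP/1.1\r\n"
        f"Host: {RESOLVER_HOST}\r\n"
        "Accept: application/dns-message\r\n\r\n"
    ).encode("ascii")


def doh_post_request(qname: str) -> bytes:
    """DoH POST form (RFC 8484 section 4.1): the raw DNS message is the HTTP body."""
    q = build_dns_query(qname)
    head = (
        f"POST {DOH_PATH} HTTP/1.1\r\n"
        f"Host: {RESOLVER_HOST}\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(q)}\r\n\r\n"
    ).encode("ascii")
    return head + q


def extract_qname_from_http(raw: bytes) -> Optional[str]:
    """What an inspector must do on a *decrypted* request to recover the DNS question.
    Before decryption none of this is visible; the session is just TLS on TCP/443."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in header_lines)}
    if method == "GET":
        params = parse_qs(urlparse(target).query)
        if "dns" not in params:
            return None  # ordinary HTTPS request, not DoH
        encoded = params["dns"][0]
        encoded += "=" * (-len(encoded) % 4)  # restore padding before decoding
        msg = base64.urlsafe_b64decode(encoded)
    elif method == "POST" and headers.get("content-type") == "application/dns-message":
        msg = body
    else:
        return None
    return parse_qname(msg)


def should_sinkhole(raw: bytes) -> bool:
    """Decision a DNS sinkhole would make if it could see inside the DoH request."""
    name = extract_qname_from_http(raw)
    return name is not None and name in SINKHOLE_LIST


if __name__ == "__main__":
    for req in (doh_get_request("malware.example"), doh_post_request("www.example.com")):
        print(extract_qname_from_http(req), "->", "sinkhole" if should_sinkhole(req) else "allow")
```

The GET form is worth noting for detection: because the query is base64url-encoded in the URL, even URL filtering on a decrypted session sees only an opaque token, so blocking on the 'dns-over-https' App-ID (as the article recommends) is the practical control, with the resulting fallback to plain DNS on port 53 being where sinkholing applies.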
Additional Information
- Best Practice as per "Protecting Organizations in a World of DoH and DoT"
- "As a best practice for DoH, we recommend configuring the NGFW to decrypt HTTPS traffic and block DoH traffic with the App-ID ‘dns-over-https’. First, ensure the NGFW is configured to decrypt HTTPS by consulting our guide on Decryption Best Practices."
- RFC 8484 (https://datatracker.ietf.org/doc/html/rfc8484)
- DNS Queries over HTTPS (DoH)