What's the problem?
Some browsers and devices (such as Android) provide DNS over HTTPS (DoH) or DNS over TLS (DoT) to encrypt the DNS traffic between the device and the DNS provider. When DoH or DoT is enabled on a device, its DNS queries bypass the DNS server Firewalla directs it to, so some DNS-based blocking rules in Firewalla may not work as expected, allowing users to circumvent Rules you put in place. For example:
- Family Protect
- Ad Block
- Rules that are marked as "Domain-only" instead of "Default"
Other Rules, such as the Porn block applied to a device, will react more slowly but will still block, because they do not depend solely on the DNS lookup. Examples:
- Domain rules that are marked as "Default" instead of "Domain-only"
- IP/Port and regional rules
- Porn/Gaming blocks
Solution
Ensuring that the Rules you put in place are followed can be very important. Here are ways to make sure devices follow the Rules you have set in your Firewalla:
- Turn off the DoH/DoT feature on browsers and devices where you can.
- If you cannot do that, for example because some devices are out of your direct control, a workaround is to create a Rule in the Firewalla app that blocks the DoH/DoT servers. Once those servers are unreachable, devices fall back to the DNS server Firewalla directs them to, which in turn ensures your Rules are applied and processed efficiently.
Create a blocking rule using our curated Target List called "DoH Services," and apply the rule to any device(s) that you want to keep from using these services.
- Use Family Protect Native mode and enable blocking DoH Services to automatically block devices from using external DoH services.
If you want to allow a particular DoH Service, you can use Firewalla's DoH feature.
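Before and after applying the block rule, it helps to know which devices on the LAN are actually talking to DoH/DoT resolvers. The script below is an added example, not Firewalla code or part of this article: it classifies connection records (source, destination, port, TLS SNI) as DoT/DoQ (port 853) or DoH (HTTPS to a known resolver hostname or IP) and reports the devices using them. The endpoint lists and the flow records are constructed for illustration; the hostname/IP list is an assumption and is not Firewalla's curated "DoH Services" Target List.

```python
"""Spot LAN devices using DoT/DoQ (port 853) or DoH (HTTPS to resolvers)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Illustrative list of well-known public encrypted-DNS endpoints. Assumed for
# this example only; it is not Firewalla's curated "DoH Services" list.
DOH_SNI_HOSTS = {
    "dns.google", "cloudflare-dns.com", "one.one.one.one",
    "dns.quad9.net", "doh.opendns.com", "dns.nextdns.io",
}
ENCRYPTED_DNS_IPS = {
    "1.1.1.1", "1.0.0.1",            # Cloudflare
    "8.8.8.8", "8.8.4.4",            # Google
    "9.9.9.9", "149.112.112.112",    # Quad9
}
DOT_PORT = 853   # DoT (RFC 7858) over TCP, DoQ (RFC 9250) over UDP
DOH_PORT = 443   # DoH (RFC 8484) hides inside ordinary HTTPS / HTTP/3


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"; both carry encrypted DNS variants
    sni: str = ""       # TLS/QUIC server_name from the ClientHello, "" if none


def classify(flow: Flow) -> Optional[str]:
    """Return "dot", "doh" or None for one flow."""
    if flow.dst_port == DOT_PORT:
        # Port 853 is reserved for DoT/DoQ, so no SNI match is needed.
        return "dot"
    if flow.dst_port == DOH_PORT:
        sni = flow.sni.lower().rstrip(".")
        # Match the SNI first; fall back to the destination address for
        # clients that reach a resolver by IP (e.g. https://1.1.1.1/dns-query).
        if sni in DOH_SNI_HOSTS or flow.dst_ip in ENCRYPTED_DNS_IPS:
            return "doh"
    return None


def encrypted_dns_users(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Map each source IP to the sorted kinds of encrypted DNS it used.
    Devices that only used plain DNS are absent from the result."""
    seen: Dict[str, set] = defaultdict(set)
    for flow in flows:
        kind = classify(flow)
        if kind:
            seen[flow.src_ip].add(kind)
    return {ip: sorted(kinds) for ip, kinds in seen.items()}


# Constructed sample flows (not real captures). 192.168.1.1 stands in for the
# LAN DNS server that Firewalla directs devices to.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "192.168.1.1", 53, "udp"),                        # TV: plain DNS, fine
    Flow("192.168.1.21", "1.1.1.1", 853, "tcp"),                           # Android Private DNS (DoT)
    Flow("192.168.1.22", "8.8.8.8", 443, "tcp", sni="dns.google"),         # browser DoH by hostname
    Flow("192.168.1.22", "8.8.8.8", 853, "tcp"),                           # same device also tried DoT
    Flow("192.168.1.23", "1.1.1.1", 443, "tcp"),                           # DoH to a resolver by IP, no SNI
    Flow("192.168.1.24", "93.184.216.34", 443, "tcp", sni="example.com"),  # ordinary HTTPS, not DNS
]

if __name__ == "__main__":
    for ip, kinds in sorted(encrypted_dns_users(SAMPLE_FLOWS).items()):
        print(f"{ip}: {', '.join(kinds)}")
```

Run it once before creating the block rule to see who is using encrypted DNS, and again afterwards: any device still listed is reaching a resolver that is not on the Target List you blocked.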
Important notes
- Chrome and Microsoft Edge will NOT be able to access any websites if DoH is enabled in the browser with a specific (custom) DoH provider and that provider is blocked by Firewalla: in that mode the browser does not fall back to plain-text DNS, so every name lookup fails. (The "use your current service provider" setting does fall back.)
- Firefox will fall back to plain-text DNS if the DoH server is blocked by Firewalla, except when it is set to "Max Protection", which refuses to fall back and will also fail to load websites.