Firefox and DNS over HTTPS = No Content Filter
Ally Member
With Firefox rolling out DNS over HTTPS (DoH) for all US users, your USG content filter is about to become useless for Firefox users.
Hopefully, Zyxel will add some functionality to allow the USG/ATP boxes to respond to various 'pings' the browsers do to see if DNS filtering is being used. But until then, for Firefox anyway, they have a setup called a canary domain that Firefox queries and if it returns an error, they will NOT turn DoH on.
Basically you need a CNAME for use-application-dns.net that goes to ... nothing (basically a target of . )
But in the USG DNS settings where you can specify CNAMEs, the field checks make this a little tricky. So what I did was use *.use-application-dns.net as the CNAME alias and localhost as the target. When I did a DNS query, I got an empty NOERROR reply (ie no A or AAAA record), which according to Firefox is one of the tests (see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet). SO basically if you query use-application-dns.net and no IP (v4 or v6) is returned, it'll keep DoH off (unless the user manually turns it on).
I did a 'refresh' on Firefox and DoH didn't trigger but not sure how quickly Firefox is rolling this out. I'm going to test more, but can't hurt to add this to your USGs and ATPs now to be safe.
Obviously, if you have a domain, the best way to keep DoH disabled is to use group policies.
Good discussion here: https://www.reddit.com/r/sysadmin/comments/dbs1ew/canary_domain_to_disable_firefoxchrome_doh/
Comments
-
I don't think DoH will bypass the content filter.
As I know, Zyxel USG content filter is inspect the HTTP request and SNI in HTTPs TLS client hello message. Not using DNS filter technology like Cisco OpenDNS.
2 -
Good to know. Did not realize that. But I wonder how that's fairing with ESNI and services like CloudFlare. Do they use DNS as a fallback?
Is there a whitepaper on how CF v2.0 works on the USGs in terms of what methods they are using and which may be prone to bypass as things like ESNI and DoH deploy?
Definitely time to ramp up some testing...
1 -
Yes. The new TLS1.3 and HTTP/3 will be a challenge for firewall vendors.
It's a double-edged sword. Protects the Internet privacy but lose the security control.
Look like install security control software on endpoint is the easy way to block, compares to inspect on network traffics.
0
Master Member
Categories
- All Categories
- 388 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 51 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 913 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 330 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 871 Nebula FAQ
- 412 Security FAQ
- 220 Switch FAQ
- 193 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 61 Security Highlight
