Upcoming Browser DNS Changes (DNS-Over-HTTPS)
Starting in late September, Mozilla Firefox will enable DNS over HTTPS (DoH) by default. Google Chrome will also switch to DoH by default if the operating system's configured resolver is a DNS service that already offers DoH, such as Google's 8.8.8.8. The main merit of this change is that it encrypts DNS traffic along the network path between the client and the DNS service provider; DNS traffic provides good visibility into the sites users connect to. While this change can be seen as good for user privacy, and it is in line with the push over the past few years to encrypt as much internet traffic as possible, there are some drawbacks in the way these browsers implement it:
DNS traffic will by default be concentrated toward large providers such as Cloudflare and Google, perhaps reducing user privacy
Departs from the standard practice of applications using the operating system's DNS settings
Ignores DNS servers offered by the network
Sidesteps protections put in place by the systems administrators to block traffic to sites determined by threat intelligence
Causes problems and inconsistencies when accessing internal network resources
Because of these factors, OIT has implemented group policies to disable DoH in these browsers on all managed systems. In addition, OIT will be adding a record to the campus DNS service that instructs browsers not to use DoH and to favor the DNS servers configured in the operating system instead.
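The following is an added example, not OIT's own tooling, that a desktop administrator could use to verify both controls described above on a managed client: it checks a Firefox policies.json and a Chrome managed-policy JSON for the DoH-off settings, and checks the DNS canary that Firefox queries (use-application-dns.net) the way Firefox interprets it. The policy contents and canary answers are constructed samples.

```python
"""Audit the two DoH controls described above on a managed client.

Firefox queries use-application-dns.net before enabling DoH and falls back
to the OS resolver when that name returns NXDOMAIN or no A/AAAA records.
Policy contents below are constructed samples, not OIT's actual files.
"""
import json
import socket

CANARY_DOMAIN = "use-application-dns.net"

# Constructed sample policies (Firefox policies.json / Chrome managed policy).
FIREFOX_POLICY = json.dumps(
    {"policies": {"DNSOverHTTPS": {"Enabled": False, "Locked": True}}})
CHROME_POLICY = json.dumps({"DnsOverHttpsMode": "off"})


def firefox_doh_disabled(policy_json: str) -> bool:
    """True when Firefox policy turns DoH off and locks it (Locked stops the
    user from switching it back on in about:preferences)."""
    doh = json.loads(policy_json).get("policies", {}).get("DNSOverHTTPS", {})
    return doh.get("Enabled") is False and doh.get("Locked") is True


def chrome_doh_disabled(policy_json: str) -> bool:
    """True when Chrome policy sets DnsOverHttpsMode to "off" (not "automatic")."""
    return json.loads(policy_json).get("DnsOverHttpsMode") == "off"


def query_canary(name: str = CANARY_DOMAIN):
    """Return the canary's A records, or None on NXDOMAIN. Other failures
    (timeout, SERVFAIL) are re-raised: Firefox does not treat them as a
    signal to disable DoH."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_NONAME", -2):
            return None
        raise


def canary_disables_doh(answer) -> bool:
    """Firefox disables DoH on NXDOMAIN (None) or an empty address list."""
    return answer is None or len(answer) == 0


def audit(firefox_json: str, chrome_json: str, canary_answer) -> dict:
    """Summarise which controls are in effect; all three should be True."""
    return {"firefox_policy": firefox_doh_disabled(firefox_json),
            "chrome_policy": chrome_doh_disabled(chrome_json),
            "canary": canary_disables_doh(canary_answer)}
```

Run `audit(FIREFOX_POLICY, CHROME_POLICY, query_canary())` on a client to see all three checks together. The canary only governs Firefox's default rollout; a user who turned DoH on by hand is stopped only by the locked policy, which is why both controls are worth verifying.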
While we believe this will provide continued reliable service, there is still a possibility that in some scenarios there will be problems accessing internal campus services. In this case, please contact LPT for assistance in diagnosing the issue.
For additional information, you can read the advisory published by REN-ISAC.