As Managed Service Providers (MSPs) strive to enhance network security for their clients, blocking encrypted DNS traffic such as DNS over HTTPS (DoH) and DNS over TLS (DoT) has become crucial. These protocols, while enhancing privacy and security for end-users by encrypting DNS queries, can bypass traditional security controls, making network monitoring and threat detection more challenging. Exium’s SASE (Secure Access Service Edge) solution offers a robust approach to manage and control DNS traffic effectively.
DNS over HTTPS (DoH) and DNS over TLS (DoT) are protocols designed to increase user privacy and security by encrypting DNS queries.
Blocking DoH and DoT is important for several reasons:
| Network Visibility | Threat Management | Policy Enforcement |
|---|---|---|
| By redirecting DNS queries through these protocols, users can bypass DNS-based blocking filters, reducing network administrators' visibility into the traffic. | Many security tools rely on DNS queries to identify suspicious activity. Encrypted DNS traffic can obscure these signals, hindering threat detection. | Encrypted DNS can bypass organizational policies, potentially leading to security and compliance issues. |
Exium offers a comprehensive solution to help MSPs manage DNS traffic, ensuring organizational policies and threat management strategies remain effective.
Exium's SASE platform allows for straightforward blocking of DoT traffic by creating firewall policies that block outgoing traffic on port 853, the port DoT uses; the steps below walk through creating such a rule.
Blocking DoH is more complex due to its use of port 443, which is also used for standard HTTPS traffic. Exium addresses this by:
1. Access the Partner Admin Console: Begin by logging into the partner admin console.
2. Navigate to the Company Workspace: Once logged in, go to the designated workspace for your company.
3. Activate “Tunnel All Traffic”: Follow the steps in the linked guide to ensure all traffic is tunneled through the network. This setting is crucial for monitoring and blocking encrypted DNS traffic.
4. Open Zero-Trust Policies: In the menu, click on Zero-Trust Policies to view and manage security policies.
5. Create a New Rule: Select "Rules" from the left menu bar and then click on “Add Rule” to initiate the process of configuring a new firewall rule.
6. Input Rule Details: Enter the necessary information as shown in the accompanying screenshot to set up the rule for blocking DoT.
7. Save the Rule: After providing the required input, click “Save” to establish the new policy.
8. Configure Local Firewall Rules: You can also set up local firewall rules at sites with Cyber Gateways to block DNS over TLS (DoT) effectively.
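Once the port 853 rule is in place, an MSP will want to confirm that it took effect and that DoH, which shares port 443 with ordinary HTTPS, is not slipping through. The following added example (not Exium's code) audits a constructed egress log: it reports DoT flows that were still allowed and 443 flows whose TLS server name matches a hypothetical list of DoH resolvers. The log format and the resolver hostnames are assumptions made for the example.

```python
# Added example: audit constructed egress-log lines for encrypted-DNS leaks.
# Not Exium's code; the log format and the DoH resolver names are assumptions.

DOT_PORT = 853     # DNS over TLS: the page's rule blocks outbound traffic here
HTTPS_PORT = 443   # DoH shares this port with normal web traffic

# Hypothetical list of DoH resolver hostnames (placeholder values, not real resolvers).
DOH_RESOLVERS = {"doh.example-resolver.test", "dns.example-doh.test"}

# Constructed sample lines in the assumed format: action proto src dst:port sni
SAMPLE_LOG = """\
ALLOW tcp 10.1.2.3 203.0.113.10:853 -
DENY  tcp 10.1.2.3 203.0.113.10:853 -
ALLOW udp 10.1.2.4 203.0.113.11:853 -
ALLOW tcp 10.1.2.5 198.51.100.7:443 doh.example-resolver.test
ALLOW tcp 10.1.2.5 198.51.100.8:443 www.example.com
"""

def parse_line(line):
    """Split one assumed-format log line into a record dict."""
    action, proto, src, dst, sni = line.split()
    host, port = dst.rsplit(":", 1)
    return {"action": action, "proto": proto, "src": src,
            "dst": host, "port": int(port), "sni": sni}

def audit(log_text):
    """Return DoT flows that were allowed (the 853 block is not effective for them)
    and HTTPS flows whose SNI names a known DoH resolver (a port rule cannot catch these)."""
    findings = {"dot_allowed": [], "doh_suspected": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["port"] == DOT_PORT and rec["action"] == "ALLOW":
            findings["dot_allowed"].append(rec)
        elif rec["port"] == HTTPS_PORT and rec["sni"] in DOH_RESOLVERS:
            findings["doh_suspected"].append(rec)
    return findings

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(f"DoT flows allowed (expect 0 once the 853 rule works): {len(result['dot_allowed'])}")
    print(f"Suspected DoH over 443: {len(result['doh_suspected'])}")
```

Any entry under `dot_allowed` means the port 853 policy is not being applied to that site or protocol; entries under `doh_suspected` illustrate why DoH needs the tunnel-all-traffic approach rather than a port block.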
Exium’s SASE solution empowers MSPs with advanced tools to block DoH and DoT effectively, ensuring that DNS traffic remains secure and transparent. By adopting these measures, MSPs can enhance their security posture, maintain network visibility, and enforce organizational policies efficiently. With Exium, you’re not just managing traffic—you're securing it.