Introduction
This document describes how the DNS over HTTPS (DoH) defaults in web browsers interact with Cisco Umbrella, and how to configure Umbrella so that DoH does not bypass it.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Umbrella.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Overview
Beginning in version 63 of Firefox, Mozilla can enable DNS-over-HTTPS (DoH) by default for Firefox users. When this happens, Firefox sends its DNS queries over HTTPS to Cloudflare instead of to the system resolver, which can bypass your Umbrella settings. In order to preserve your Umbrella settings, complete the steps later in this article.
Affected Firefox users see this banner when DoH is enabled by Firefox:
[Screenshot: Firefox banner shown to users when DoH is enabled]
In recent versions, Chrome also makes DoH available as a manual configuration. Chrome DoH can only activate when the DNS servers configured on the system explicitly support DoH. Therefore, Roaming Client users, and users on networks with local DNS servers, do not see Chrome DoH enabled.
Defaulting to System DNS while Using Umbrella
For the majority of Umbrella users, no action is required at this time. Firefox supports the use of a special domain, use-application-dns.net, to indicate the presence of a DNS filtering solution, such as Cisco Umbrella. If the Umbrella resolvers are being used by the client, then Firefox does not enable DoH by default.
However, if a user has manually configured DoH in Firefox, Firefox respects that configuration and uses the DoH server defined. In such a situation, you need to complete the additional instructions later in this article in order to prevent the use of DoH by users on your network.
According to the release of Chrome 83: "Chrome will automatically switch to DNS-over-HTTPS if your current DNS provider supports it".
Additional Instructions to Block DNS-over-HTTPS
To protect your Umbrella deployment, Umbrella has now included DoH providers in the Proxy/Anonymizer content category. When this category is blocked, the browser fails to resolve the hostname of the DoH server and reverts to standard system DNS, where Umbrella covers your DNS. To ensure that your settings block DoH providers:
1. Navigate to Policies > Content Categories.
2. Select the content category setting that is in use.
3. Ensure that Proxy/Anonymizer is selected.
[Screenshot: Content Categories with Proxy/Anonymizer selected]
4. Save your updates.
Your users now remain covered by Umbrella when Firefox rolls out this change to them.
Note: Do not add the Mozilla Kill Switch domains to the block list. If those domains are blocked, Umbrella answers with an A-record that points to our block pages. Firefox considers any A-record a valid response (that is, a sign that no DNS filter is present) and can therefore auto-upgrade to DoH.
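The interaction between the canary domain, the Proxy/Anonymizer block and the kill-switch note above is easy to get wrong, so here is a small model of it as an added example. This is illustrative code written for this article, not Cisco or Mozilla code. It assumes the decision rule the article describes (an NXDOMAIN, SERVFAIL or empty answer for use-application-dns.net means "filter present, stay on system DNS"; any A-record, including a block-page address, means "no filter, DoH may be enabled"; a DoH server whose hostname is blocked causes a fallback to system DNS). The DoH provider hostname doh.example.net and the block-page address 192.0.2.1 are constructed placeholders.

```python
"""
Model of a browser's DoH auto-enable heuristic against a DNS-layer filter
such as Cisco Umbrella. Constructed example; not vendor code.
"""
from dataclasses import dataclass, field

CANARY = "use-application-dns.net"      # Mozilla "kill switch" canary domain
BLOCK_PAGE_IP = "192.0.2.1"             # constructed placeholder block-page address
DOH_PROVIDER = "doh.example.net"        # constructed placeholder DoH hostname


@dataclass
class DnsResponse:
    rcode: str                              # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    answers: list = field(default_factory=list)   # A/AAAA record strings


class FilteringResolver:
    """Simulated Umbrella-style resolver.

    Names on the block list (for example the Proxy/Anonymizer category) are
    answered with the block-page address. The canary domain is answered with
    NXDOMAIN so that browsers keep using system DNS. Everything else resolves
    to a constructed upstream address.
    """

    def __init__(self, blocked_names=(), block_page_ip=BLOCK_PAGE_IP):
        self.blocked = set(blocked_names)
        self.block_page_ip = block_page_ip

    def resolve(self, name):
        if name in self.blocked:
            return DnsResponse("NOERROR", [self.block_page_ip])
        if name == CANARY:
            return DnsResponse("NXDOMAIN")
        return DnsResponse("NOERROR", ["198.51.100.10"])   # constructed upstream


def filter_detected(resp):
    """Browser-side canary check: error or empty answer means a filter is present."""
    return resp.rcode in ("NXDOMAIN", "SERVFAIL") or not resp.answers


def effective_dns(resolver, doh_server=DOH_PROVIDER, manual_doh=False):
    """Return ("system" | "doh", reason) for the browser's final DNS path.

    manual_doh=True models a user who configured a DoH server by hand; the
    browser then skips the canary check, as the article states.
    """
    if not manual_doh and filter_detected(resolver.resolve(CANARY)):
        return ("system", "canary signalled a DNS filter; DoH not auto-enabled")
    # DoH is on; the browser must first resolve the DoH server hostname via system DNS.
    bootstrap = resolver.resolve(doh_server)
    if filter_detected(bootstrap) or resolver.block_page_ip in bootstrap.answers:
        return ("system", "DoH server hostname blocked; browser reverts to system DNS")
    return ("doh", f"queries go to {doh_server}, bypassing the filter")


def scenarios():
    """Walk through the configurations discussed in the article."""
    category_blocked = FilteringResolver(blocked_names={DOH_PROVIDER})
    nothing_blocked = FilteringResolver()
    canary_on_blocklist = FilteringResolver(blocked_names={CANARY})   # the mistake in the note
    return {
        "default user, Proxy/Anonymizer blocked": effective_dns(category_blocked),
        "manual DoH, Proxy/Anonymizer blocked": effective_dns(category_blocked, manual_doh=True),
        "manual DoH, category not blocked": effective_dns(nothing_blocked, manual_doh=True),
        "default user, category not blocked": effective_dns(nothing_blocked),
        "canary domain added to block list": effective_dns(canary_on_blocklist),
    }


if __name__ == "__main__":
    for name, (path, reason) in scenarios().items():
        print(f"{name:40s} -> {path:6s} ({reason})")
```

Running the script shows that the canary alone protects users who have not touched their browser settings, that blocking the Proxy/Anonymizer category is what catches a manually configured DoH server, and that putting the canary domain itself on the block list turns a block-page A-record into a signal that re-enables DoH.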
Additional Recommendations
Firefox can also be configured manually for a specific DoH provider. If the provider is configured by domain name, Umbrella can enforce the block. If it is configured by IP address, Umbrella cannot enforce it, because Umbrella operates at the DNS layer. For on-network enforcement against DoH, firewall rules may be required. For reference, see Preventing Circumvention of Cisco Umbrella with Firewall Rules.