Introduction
This document describes a notification for DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) services.
For devices configured to use Umbrella for DoH and DoT
An issue has been reported where Umbrella can close the connection for devices sending multiple DoH/DoT requests over a single TCP connection. While only some DoH/DoT client implementations are affected, the issue is on the Umbrella side and is considered a high priority for our team to address, as it can affect device connectivity and web browsing.
For short-term relief of devices configured to discover services using Discovery of Designated Resolvers (DDR), including but not limited to those running the Apple iOS 16 Beta, we are temporarily adjusting our DDR records to stop advertising DoH support. We are continuing to advertise DNS-over-TLS (DoT) in these records, which is already considered the preferred transport for encrypted DNS. We are continuing to fully support and accept DoH connections during this temporary measure.
We plan to re-add DoH to our DDR records as soon as we are confident that these issues have been resolved.
These issues only affect devices configured to query Umbrella using DoH and DoT, either directly or through discovery (DDR), and do not affect those deployed with the Umbrella Roaming Client, Umbrella Roaming Security Module for AnyConnect, Virtual Appliance, or other device integrations using the DNSCrypt encrypted transport.
Update: Umbrella deployed production improvements for TCP handling, and DDR records for DoH were re-enabled on Friday Oct 7, 2022. DDR records were reverted on Monday Oct 11, 2022 after field reports indicated that some client DoH implementations were still experiencing connection issues. DDR records for DoH remain disabled, pending further investigation.
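To confirm which encrypted transports a resolver's DDR records advertise at a given time, the SVCB answer for `_dns.resolver.arpa` can be parsed as in the Python example below. This is an added example, not Umbrella code: the sample records and hostnames are constructed placeholders, and the ALPN-to-transport mapping and the `dohpath` requirement are taken from RFC 9461.

```python
import shlex

# ALPN IDs used for encrypted DNS in SVCB records (RFC 9461).
ALPN_TRANSPORT = {"dot": "DoT", "doq": "DoQ", "h2": "DoH", "h3": "DoH"}

def parse_svcb(line):
    """Parse one SVCB record in presentation format (as printed by dig)."""
    fields = shlex.split(line)  # shlex strips the quotes around SvcParam values
    i = fields.index("SVCB")
    params = dict(f.partition("=")[::2] for f in fields[i + 3:])
    return {
        "priority": int(fields[i + 1]),
        "target": fields[i + 2],
        "alpn": [a for a in params.get("alpn", "").split(",") if a],
        "port": int(params["port"]) if "port" in params else None,
        "dohpath": params.get("dohpath"),
    }

def advertised_transports(answer_text):
    """Return {transport: [(priority, target, port), ...]} for a DDR answer."""
    found = {}
    for line in answer_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "SVCB" not in line.split():
            continue
        rec = parse_svcb(line)
        if rec["priority"] == 0:  # AliasMode record: carries no SvcParams
            continue
        for alpn in rec["alpn"]:
            transport = ALPN_TRANSPORT.get(alpn)
            # An HTTP ALPN without dohpath is not a usable DoH designation.
            if transport is None or (transport == "DoH" and not rec["dohpath"]):
                continue
            entry = (rec["priority"], rec["target"], rec["port"])
            if entry not in found.setdefault(transport, []):
                found[transport].append(entry)
    return found

# Constructed answers to an SVCB query for _dns.resolver.arpa.
# Hostnames are placeholders, not Umbrella's real records.
DOT_ONLY = '_dns.resolver.arpa. 300 IN SVCB 1 dot.resolver.example. alpn="dot" port=853\n'
DOT_AND_DOH = DOT_ONLY + (
    '_dns.resolver.arpa. 300 IN SVCB 2 doh.resolver.example. '
    'alpn="h2,h3" port=443 dohpath="/dns-query{?dns}"\n')

if __name__ == "__main__":
    for label, text in (("DoH withdrawn", DOT_ONLY), ("DoH advertised", DOT_AND_DOH)):
        print(label, advertised_transports(text))
```

A result with no `DoH` key means DDR-discovering clients will not be steered to DoH by these records, even though the resolver still accepts DoH connections configured directly.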