Use Cloud Firewall to disable DNS over HTTPS

更新时间:
复制 MD 格式

DNS over HTTPS (DoH) encrypts DNS queries inside HTTPS connections, bypassing standard firewall inspection. This topic describes the security risks DoH introduces in enterprise environments and how to block DoH traffic using Cloud Firewall's built-in Intrusion Prevention System (IPS) rules.

Security risks of uncontrolled DoH

When DoH is active, DNS queries travel inside encrypted HTTPS connections. Firewalls that rely on inspecting plain DNS traffic cannot see or enforce policies on those queries. This creates two concrete risks:

  • Unauthorized access by employees

    Employees can route DNS queries through encrypted DoH channels, bypassing your access control policies and threat intelligence rules. Domain names your organization has explicitly blocked remain accessible through this path.

  • Malware communication

    Worms and trojans can use DoH to query the originating IP addresses of domain names. Because these queries are encrypted, they evade IPS rules, access control policies, and threat intelligence rules—making malware harder to detect and contain.

Block DoH traffic

Cloud Firewall includes built-in IPS rules that detect DoH traffic. These rules run in Monitor mode by default, which logs matches without blocking them. Switch the rules to Block mode to actively drop DoH traffic.

Prerequisites

Before you begin, make sure you have:

Configure IPS rules to block DoH

  1. Log in to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Prevention Configuration > IPS Configuration.

  3. In the Basic Protection rule list, find the DoH-related rules. To filter quickly, select Rule Name from the search dropdown and enter DNS over HTTPS.

  4. Change the mode of the relevant rules from Monitor to Block. You can switch individual rules or all DoH-related rules at once.

Switching a rule to Block mode causes Cloud Firewall to drop matching traffic instead of logging it. Review each rule before switching to confirm it aligns with your security policy.

Verify the result

After switching the rules to Block mode, confirm that the rule status in the list reflects the change. To verify that DoH traffic is being blocked, go to Detection and Response > IPS and review the traffic logs. Blocked DoH requests appear as denied entries associated with the DNS over HTTPS rules you enabled.