(this is a bit of an oversimplification here to explain)
DNS over HTTPS and DNS over TLS.
UDP DNS (the original stuff) can be monitored and managed. DoT can be blocked and force UDP DNS.
DoH uses regular web traffic ports, so it can’t be blocked by admins easily to force an acceptable use policy. It poses risks to enterprise deployments.
Most use UDP DNS (some may use DoT plus another bit called DNSSEC for enhanced security, but it’s really uncommon IMHO).
So Firefox using DoH means it’s problematic for enterprise IT. Now if there are enterprise policies on the PC, it should be disabled in Firefox by default, and there are multiple ways to manage deployments…
But that also translates to extra work for IT vs other options.
Exactly that. And it looks just like any other web traffic.
Quite a few things will use their own DNS servers, not the one specified by the system or handed out over DHCP. I know many apps on the fire stick and Roku devices do this. So you have to intercept their traffic and redirect it to control it. If their using DoH then you can’t do that and your pihole is useless against them.
Best you can do is maintain a list of well known DoH servers and block them outright. But that’s a constantly moving losing battle.
(this is a bit of an oversimplification here to explain)
DNS over HTTPS and DNS over TLS.
UDP DNS (the original stuff) can be monitored and managed. DoT can be blocked and force UDP DNS.
DoH uses regular web traffic ports, so it can’t be blocked by admins easily to force an acceptable use policy. It poses risks to enterprise deployments.
Most use UDP DNS (some may use DoT plus another bit called DNSSEC for enhanced security, but it’s really uncommon IMHO).
So Firefox using DoH means it’s problematic for enterprise IT. Now if there are enterprise policies on the PC, it should be disabled in Firefox by default, and there are multiple ways to manage deployments…
But that also translates to extra work for IT vs other options.
Wait, are you saying there’s a way to tell Firefox to use a different DNS server than what’s specified in the interface configuration?
BTW, thank you for the explanation, makes sense now!
Exactly that. And it looks just like any other web traffic.
Quite a few things will use their own DNS servers, not the one specified by the system or handed out over DHCP. I know many apps on the fire stick and Roku devices do this. So you have to intercept their traffic and redirect it to control it. If their using DoH then you can’t do that and your pihole is useless against them.
Best you can do is maintain a list of well known DoH servers and block them outright. But that’s a constantly moving losing battle.
Right, it just downed on me that DNS is nothing more than another application layer in the OSI model. Thanks again!