DNS Security Support for DNS Over HTTPS (DoH)

PAN-OS 11.0 and later can now analyze and categorize the DNS payload contained within encrypted DNS traffic requests to DNS hosts using HTTPS (DoH—[DNS-over-HTTPS]). If your organization currently blocks all DoH requests as Palo Alto Networks recommends, you can transition away from that policy as DNS Security now enables you extract the DNS hostname from the encrypted request and apply your organization’s existing DNS Security policies. This allows you to safety access more websites as support for DoH widens. DNS Security support for DoH is enabled by configuring the firewall to decrypt the payload of DNS requests originating from a user-specified list of DNS resolvers, providing support for a range of server options. The decrypted DNS payload can then be processed using the Anti-spyware profile configuration containing your DNS policy configuration. DNS requests that have been determined to be DoH are labeled as
in the traffic logs.
Palo Alto Networks also provides the option to block ECH (Encrypted Client Hello), which is a draft state proposal to encrypt the entire ‘client hello’ message. While that offers some data privacy, such as ALPN and SNI, it can also prevent certain firewall services that use the client hello from operating as intended. To maintain optimal function of the security services of the firewall, Palo Alto Networks recommends blocking all ECH-supporting record types.
  1. Create a Custom URL Category list that includes all DoH resolvers you want to enable traffic to/from (you will need the DNS server URL(s)).
  2. Create a Decryption Policy Rule that references the custom URL category list that you created in the previous step.
  3. Update or create a new anti-spyware security profile used to inspect DoH requests.
    1. (Optional) Block the specified DNS resource record types record types used to exchange keying information during the encryption of the client hello in the subsequent TLS connection. The following DNS RR types are available: SVCB (64), HTTPS (65), and ANY (255).
      • While it is not necessary to block ECH in order to enable DNS Security over DoH, Palo Alto Networks currently recommends blocking all DNS record types used by ECH for optimum security.
      • Type 64 and type 65 resource record standards are still in flux (in a draft state) and are subject to change. For more information on DNS SVCB and HTTPS RRs, refer to: Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs) as defined by the IETF.
    2. Click
      to exit the anti-spyware profile configuration dialog and
      your changes.
  4. Create or update a security policy rule and reference an anti-spyware profile with the DNS Security settings and a custom URL category list (
    Custom Objects
    URL Category
    ) containing the approved list of DoH servers.
  5. Create a block policy to decrypt HTTPS traffic and block all remaining unsanctioned DoH traffic that is not explicitly allowed by the custom URL category list (referenced in step 5) by using the App-ID:
    and the following URL category:
    If you already have an existing block policy to block DoH traffic, verify that the rule is placed below the previous security policy rule used to match with specific DoH resolvers listed in a custom URL category list object.
  6. (Optional) Search for activity on the firewall for HTTPS-encrypted DNS queries that have been processed using DNS Security.
    1. Select
      and filter based on the application using
      , for example,
      ( app eq dns-over-https )
    2. Select a log entry to view the details of a detected DNS threat.
    3. The
      should display dns-over-https in the
      pane of the detailed log view, indicating that this is DoH traffic that has been processed using DNS Security. Other relevant details about the threat are displayed in their corresponding windows.

Recommended For You