DNS-over-HTTPS and Netsweeper

Industry players such as Google and Mozilla (Firefox browser) are planning to implement DNS-over-HTTPS (DoH). This concerns organizations that filter illegal internet content like child sexual abuse imagery.

The Internet Services Providers Association (ISPAUK) claimed that Mozilla plans to support DNS-over-HTTPS “in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.”

The DNS-over-HTTPS protocol works by sending DNS requests over an encrypted HTTPS connection, rather than as the classic plaintext UDP requests of standard DNS. Not only is the request encrypted, but DoH resolution also happens at the app level rather than the OS level. These connections occur between a browser/app and a secure DoH-compatible DNS server.

This new protocol is a dream for privacy advocates. It’s a nightmare for governments, ISPs, and makers of network security solutions.

How Does DoH Affect Netsweeper?

DNS-over-HTTPS affects how a web browser translates a domain name into an IP address. That name resolution is a necessary part of today’s internet. HTTP/HTTPS web traffic will still flow the same as it would without DNS-over-HTTPS. DNS lookups and web traffic are two different types of communication a web browser uses to access websites.

Proxy-based web filtering makes up most deployments. Web filtering for proxy-based education deployments looks at the HTTP/HTTPS web traffic. It does not look at the DNS traffic. This means that DNS-over-HTTPS does not affect proxy-based filtering. There are considerations for operator/service providers using Netsweeper’s DNS-based filtering solution, but Netsweeper’s DNS filtering solution also handles DNS-over-HTTPS.

In Summary

  • Netsweeper’s DNS solution operates as a DNS server, and includes support for DNS-over-HTTPS communication with client applications
  • This means that the filtering policy can be applied even when using this new DNS standard that ensures enhanced security and privacy
  • Our ability to receive and respond to DNS requests will remain unaffected, so long as the filtered device is not using a browser (or other application) that disregards Operating System DNS settings in favor of other DNS services
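
The points above rest on the fact that a DoH request carries an ordinary DNS message, so a filtering DNS server that terminates the HTTPS connection sees the same queried name it would see over UDP. The sketch below is an added example, not Netsweeper's code and not part of the original article; the function names, the `/dns-query` path and the blocklist entries are assumptions, and only the RFC 8484 GET form is covered.

```python
import base64
import struct

def build_query(name, qtype=1, txid=0):
    """Encode a DNS query in wire format (RFC 1035); RFC 8484 suggests ID 0 for DoH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN

def doh_get_path(message, path="/dns-query"):
    """RFC 8484 GET form: the DNS message as base64url with padding stripped."""
    b64 = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return path + "?dns=" + b64

def parse_qname(message):
    """Return the first question name from a DNS query message."""
    if len(message) < 12 or message[4:6] == b"\x00\x00":
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(message):
            raise ValueError("truncated name")
        length = message[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63:
            raise ValueError("unexpected compression pointer or bad label")
        label = message[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())
        pos += 1 + length

def filter_doh_request(request_path, blocklist):
    """Server side, after TLS termination: decode the message and apply policy."""
    b64 = request_path.split("?dns=", 1)[1]
    message = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    name = parse_qname(message)
    blocked = any(name == d or name.endswith("." + d) for d in blocklist)
    return name, ("block" if blocked else "allow")

if __name__ == "__main__":
    policy = {"blocked.example"}  # constructed sample policy
    for host in ("www.example.com", "ads.blocked.example"):
        path = doh_get_path(build_query(host))
        print(path, "->", filter_doh_request(path, policy))
```

The same `parse_qname` logic applies to a plaintext UDP payload on port 53; what changes with DoH is only who can read the message, which is why an application pointed at a different DoH server never reaches this policy check.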

Netsweeper is confident that DNS-over-HTTPS will not disrupt its filtering. Future developments in internet security need further innovation. The internet user community continues to demand more protection against snooping and malicious “actors.”