How Encrypted DNS Is Used to Bypass Content Filtering Services

Aug 11, 2021
Daniel Cid (@dcid)
Introduction

Encryption is a powerful tool that transforms readable information into an unreadable format, providing significant benefits for security and privacy. However, for parents and network administrators working to maintain family-friendly or policy-compliant internet environments, encrypted DNS technologies present a growing challenge.

This article focuses specifically on how encrypted DNS is being leveraged to circumvent content filters, and what steps can be taken to address it.

The Browser and OS Encryption War

DNS was originally designed as an unencrypted communication protocol, similar to how early HTTP sent web traffic in plain text. As concerns about ISP surveillance and government monitoring grew, efforts to encrypt DNS communication accelerated.

Two primary protocols emerged from these efforts:

  • DNS-over-TLS (DoT): Encrypts DNS queries using TLS on a dedicated port (853).
  • DNS-over-HTTPS (DoH): Encrypts DNS queries within standard HTTPS traffic on port 443.

The critical difference is that traditional DNS operated at the system or network level, where administrators had control. The new encrypted protocols introduced browser-level DNS options. DoH is particularly challenging because it operates over standard HTTPS traffic on port 443, making it virtually impossible to distinguish from regular web browsing.

Impact on Parents and Schools

When "Secure DNS" options are enabled in browsers, the consequences for content filtering are significant:

  • Content filtering policies become ineffective, as users bypass parental controls and organizational filters entirely.
  • Children are actively discovering and using these features to access unrestricted content.
  • Network administrators lose visibility into both benign and potentially malicious browsing activity.
  • Browser platforms have not prioritized parental or administrative management capabilities for these features.

What Can Be Done

CleanBrowsing provides a registry file for Windows users that disables Secure DNS across Firefox, Chrome, Brave, and Edge browsers. This is most effective when combined with non-Administrator user profiles, ensuring that users cannot simply re-enable the feature.

For other platforms, administrators should review browser settings on managed devices and disable the Secure DNS or DNS-over-HTTPS options. On networks where you control the router, blocking outbound traffic on TCP port 853 prevents DNS-over-TLS connections; the same approach does not work for DNS-over-HTTPS, which shares port 443 with ordinary web traffic and can only be recognised by the resolver it connects to.
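The script below is an added illustration, not part of the original article or CleanBrowsing's tooling: it classifies constructed flow-log records to show what a network-level control can actually see. DoT is identified by port 853 alone, while DoH is only caught when the TLS SNI matches an assumed list of well-known public DoH resolvers; any other connection on 443 is indistinguishable from regular browsing. The log format and the resolver list are assumptions.

```python
"""Classify constructed flow-log records by the kind of DNS transport they carry.
DoT is identifiable by port 853; DoH on 443 only when the SNI is a known resolver."""

# Well-known public DoH endpoints (assumed list, extend for your environment).
# A DoH resolver that is not listed here looks exactly like normal HTTPS.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com",
                   "mozilla.cloudflare-dns.com", "dns.quad9.net"}

def parse_line(line):
    """Parse a constructed 'src dst dport proto [sni]' record into a dict."""
    parts = line.split()
    return {"src": parts[0], "dst": parts[1], "dport": int(parts[2]),
            "proto": parts[3], "sni": parts[4].lower() if len(parts) > 4 else ""}

def classify(flow):
    """Return 'dns', 'dot', 'doh' or 'other' for one parsed flow."""
    if flow["dport"] == 53:
        return "dns"    # plain DNS, the traffic a network filter expects to see
    if flow["proto"] == "tcp" and flow["dport"] == 853:
        return "dot"    # DoT: visible (and blockable) by port alone
    if flow["proto"] == "tcp" and flow["dport"] == 443:
        if flow["sni"] in KNOWN_DOH_HOSTS:
            return "doh"  # DoH spotted only because the SNI is on our list
    return "other"      # regular HTTPS, or an unlisted DoH resolver

def summarise(lines):
    """Count flows per class and collect the clients that used DoT or DoH."""
    counts = {"dns": 0, "dot": 0, "doh": 0, "other": 0}
    encrypted_dns_clients = set()
    for line in lines:
        flow = parse_line(line)
        kind = classify(flow)
        counts[kind] += 1
        if kind in ("dot", "doh"):
            encrypted_dns_clients.add(flow["src"])
    return counts, sorted(encrypted_dns_clients)

# Constructed sample records (not real traffic): src dst dport proto [sni]
SAMPLE_LOG = [
    "10.0.0.12 192.0.2.53 53 udp",
    "10.0.0.12 192.0.2.10 853 tcp",
    "10.0.0.15 198.51.100.8 443 tcp dns.google",
    "10.0.0.15 198.51.100.9 443 tcp www.example.com",
    "10.0.0.16 203.0.113.7 443 tcp",
]

if __name__ == "__main__":
    counts, clients = summarise(SAMPLE_LOG)
    print(counts, clients)  # {'dns': 1, 'dot': 1, 'doh': 1, 'other': 2} ['10.0.0.12', '10.0.0.15']
```

The last record shows the limitation: a connection to an unlisted resolver on 443 is classified as ordinary web traffic, which is why the article pairs network blocking with browser-level settings.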

The key takeaway is that content filtering now requires attention not only at the network level but also at the browser and device level. As encrypted DNS becomes more prevalent, a layered approach to managing these settings is essential.
