DNS over HTTPS – What Schools Need to Know about Web Filtering with DoH

Recently, Mozilla announced its plans to implement the DNS-over-HTTPS (DoH) protocol by default in the Firefox browser starting in late September. Soon after, Google announced its intention to do the same for the Chrome browser. The implications for web filtering and schools could be big. Learn what DoH means for schools that need to filter traffic and protect students.

What is DoH:
DNS stands for Domain Name System; it’s the system that matches a site’s domain name (like www.something.com) to its IP addresses, which makes it easy to browse the web and get to your favorite sites. Historically, all of that has happened over an unencrypted DNS connection. As the name DNS over HTTPS implies, DoH moves DNS onto a secure, encrypted HTTPS connection.

Why DoH:
Mozilla and Google are making these changes to bring the security and privacy benefits of HTTPS to DNS traffic. All those warnings about the security risks of public WiFi? With DoH, other WiFi users can’t see which websites you look up, because your DNS queries are encrypted. DoH can also add protection against spoofing and pharming attacks and can prevent your network service providers from seeing your web activity.

What Does DoH Mean for Schools:
DoH prevents network services from seeing web traffic – but seeing web traffic is something schools rely on for web filtering and reporting. Much like Google’s move to encrypted search and other services years ago, while this can bring greater privacy and security to many users, it can also have big, negative implications for schools. Schools rely on the ability to see student traffic to provide essential services like filtering, monitoring, and reporting on school-owned devices.

When Does DoH Take Effect:
Firefox has already started to gradually shift to DoH. Chrome is expected to start shifting some traffic by the end of the year.

Does this Impact Your School?
If you rely on DNS filtering, you may be affected: without proper preparation or solutions, traffic can’t be reliably blocked and your filtering may be ineffective. For our Lightspeed Systems customers, we have you covered.

Why Lightspeed Systems is DoH-Ready:
If you’re using Relay, you’ll be ready for DoH because our Smart Agents are installed on the device to provide the most granular, decrypted filtering; they don’t use DNS.
Our Relay Rocket (for BYOD and IoT traffic) uses DNS, but we’ve prepared our technology for DNS over HTTPS and the Relay Rocket will block the DoH domains so traffic is forced back to standard DNS where it can be seen, filtered, and reported.
Inline Rocket Web Filter customers will also be able to filter traffic across DoH.
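
The approach described above for DNS-based filters (refuse lookups of DoH resolver names so clients fall back to standard DNS), as an added example that is not Lightspeed Systems code. The hostname list and the log format are constructed samples, and `use-application-dns.net` is Mozilla's canary domain, which this page does not mention.

```python
from collections import defaultdict

# Constructed sample of public DoH resolver hostnames, not a vendor's blocklist.
DOH_RESOLVER_SUFFIXES = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Mozilla's canary domain: an NXDOMAIN answer tells Firefox not to enable DoH by default.
CANARY = "use-application-dns.net"


def normalize(qname):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return qname.strip().rstrip(".").lower()


def matches_suffix(qname, suffix):
    """Label-aligned suffix match: 'x.dns.google' matches, 'notdns.google' does not."""
    return qname == suffix or qname.endswith("." + suffix)


def decide(qname):
    """Return 'NXDOMAIN' for DoH bootstrap names, 'FORWARD' for everything else."""
    name = normalize(qname)
    blocked = any(matches_suffix(name, s) for s in DOH_RESOLVER_SUFFIXES | {CANARY})
    return "NXDOMAIN" if blocked else "FORWARD"


def doh_attempts(log_lines):
    """Map client IP -> sorted DoH names it tried to resolve (for reporting)."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole report
        _, client, qname = parts
        if decide(qname) == "NXDOMAIN":
            seen[client].add(normalize(qname))
    return {client: sorted(names) for client, names in seen.items()}


# Constructed sample query log, one "<time> <client-ip> <qname>" entry per line.
SAMPLE_LOG = [
    "09:00:01 10.0.5.21 www.example.com.",
    "09:00:02 10.0.5.21 Mozilla.Cloudflare-DNS.com.",
    "09:00:03 10.0.5.34 use-application-dns.net",
    "09:00:04 10.0.5.34 notdns.google",
    "09:00:05 10.0.5.21 dns.google",
    "garbage",
]
```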

What Other Web Filter Users Should Do:
If you’re not using Lightspeed Systems Relay or Rocket, make sure that you will be able to effectively filter all traffic even with these shifts to DoH.
• If you’re using a different DNS filter, or a DNS feature of other cloud-based filters, reach out to your provider to discuss whether you’ll be able to ensure ongoing filtering with DoH.
• If you’re using an inline filter, you will be able to effectively filter over DoH (but you may be missing out on other benefits a cloud solution can provide).
Switch to Relay 🙂 and get all the benefits of Smart Agents, including hassle-free SSL decryption,
