Beginning in version 63 of Firefox, Mozilla may enable DNS-over-HTTPS (DoH) by default for Firefox users. This will send DoH to CloudFlare, which may bypass your Umbrella settings. In order to preserve your Umbrella settings, follow the steps below.
Affected Firefox users will see the following banner when DoH is enabled by Firefox.
In recent versions, Chrome also makes DoH available as a manual configuration.
Defaulting to system DNS while using Umbrella
For the majority of Umbrella users, no action is required at this time. Firefox supports the use of a special domain, 'use-application-dns.net', to indicate the presence of a DNS filtering solution, such as Cisco Umbrella. If the Umbrella resolvers are being used by the client, then Firefox will not enable DoH by default.
However, if a user has manually configured DoH in Firefox, Firefox will respect that configuration and use the DoH server defined. In such a situation, you may need to follow the additional instructions below in order to prevent the use of DoH by users on your network.
Chrome does not currently enable DoH by default.
Additional Instructions to block DNS-over-HTTPS
To protect your Umbrella deployment, Umbrella has now included DoH providers into the Proxy/Anonymizer content category. When this category is blocked, the browser will fail to resolve the hostname of the DoH server, and revert to standard system DNS where Umbrella is covering your DNS. To ensure that your settings block DoH providers:
1. Navigate to Policies > Content Categories
2. Select your in use category setting.
3. Ensure that "Proxy/Anonymizer" is selected
Your users will now remain covered by Umbrella when Firefox rolls out this change to your users.
Firefox and Chrome may also be configured manually for a specific DoH provider. If this is configured by domain - it is enforceable by Umbrella. Configurations by IP will not be enforceable by Umbrella (DNS). For on network enforcement of DoH, firewall rules may be required.