Beginning in version 63 of Firefox, Mozilla may enable DNS-over-HTTPS (DoH) by default for Firefox users. This sends DNS queries over DoH to Cloudflare, which may bypass your Umbrella settings. To preserve your Umbrella settings, follow the steps below.
Affected Firefox users will see the following banner when Firefox enables DoH.
In recent versions, Chrome also offers DoH as a manual configuration. Chrome only activates DoH when the DNS servers configured on the system explicitly support DoH, so roaming client users and networks with local DNS servers will not see Chrome DoH enabled.
Defaulting to system DNS while using Umbrella
For the majority of Umbrella users, no action is required at this time. Firefox supports a special domain, use-application-dns.net, whose resolution signals the presence of a DNS filtering solution such as Cisco Umbrella. If the client is using the Umbrella resolvers, Firefox will not enable DoH by default.
However, if a user has manually configured DoH in Firefox, Firefox respects that configuration and uses the DoH server defined there. In that situation you may need to follow the additional instructions below to prevent users on your network from using DoH.
According to the release of Chrome 83: "Chrome will automatically switch to DNS-over-HTTPS if your current DNS provider supports it".
Additional Instructions to block DNS-over-HTTPS
To protect your Umbrella deployment, Umbrella now includes DoH providers in the Proxy/Anonymizer content category. When this category is blocked, the browser fails to resolve the hostname of the DoH server and reverts to standard system DNS, which Umbrella is already protecting. To ensure that your settings block DoH providers:
1. Navigate to Policies > Content Categories
2. Select the category setting that is in use.
3. Ensure that "Proxy/Anonymizer" is selected.
Your users will remain covered by Umbrella when Firefox rolls out this change.
Note: Do not add the Mozilla kill switch domain (use-application-dns.net, above) to the block list. If that domain is blocked, we return an A record pointing at our block pages; Firefox considers that a valid response and will therefore auto-upgrade to DoH.
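To verify the behaviour described above and in the note from a client on your network, here is an added example (not part of the Umbrella article, and not Mozilla's or Cisco's code) that sends a plain DNS A query for use-application-dns.net to a resolver you name and applies the rule Firefox uses: no address (NXDOMAIN or an empty answer) means system DNS is kept, while any A record, such as a block-page address, is treated as a valid answer. The resolver IP is your own input; the canary domain and DNS RCODE values are standard.

```python
import socket
import struct
import sys

CANARY = "use-application-dns.net"  # Mozilla's DoH canary domain (named in the article)
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def build_query(name, txid=0x1234):
    """Build a minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data, txid=0x1234):
    """Return (rcode, answer_count) from a response header; reject mismatched IDs."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000):
        raise ValueError("not a response to our query")
    return flags & 0x000F, ancount

def canary_disables_doh(rcode, answer_count):
    """Firefox stays on system DNS only when the canary yields no address:
    NXDOMAIN, or NOERROR with an empty answer section. A reply that carries an
    A record (e.g. a block-page address, which is why the canary must not be
    block-listed) counts as a valid answer, so DoH is not disabled."""
    if rcode == RCODE_NXDOMAIN:
        return True
    return rcode == RCODE_NOERROR and answer_count == 0

def check_canary(resolver_ip, timeout=3.0):
    """Send the canary query to one resolver over UDP/53 and evaluate the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(CANARY), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    rcode, ancount = parse_response(data)
    return canary_disables_doh(rcode, ancount)

if __name__ == "__main__":
    # Usage: python canary_check.py <resolver-ip>   (the resolver your clients use)
    keeps_system_dns = check_canary(sys.argv[1])
    print("Firefox will keep system DNS" if keeps_system_dns else "Firefox may enable DoH")
```

Run it against the resolver your clients actually use; a "may enable DoH" result on an Umbrella network usually means the canary domain is being answered with a block-page address.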
Firefox may also be manually configured with a specific DoH provider. If the provider is configured by domain name, Umbrella can enforce the block; if it is configured by IP address, Umbrella (DNS) cannot. For on-network enforcement against DoH, firewall rules may be required. For reference, see Preventing Circumvention of Cisco Umbrella with Firewall Rules.