[2022 Issue 10] Why browsers can be a security loophole?
Modern browsers and the latest operating systems use new encryption technologies – DNS over TLS (DoT) and DNS over HTTPS (DoH) – to combat unauthorized DNS services. These can be a great tool for privacy protection, but they also open up potential threats for organizations and IT professionals. This article shows how DoH works and how the Zyxel ATP firewall can help.
What is DoH?
To understand DoH, it is necessary to first understand how regular DNS works. The Domain Name System (DNS) works like the internet's address book: it translates each domain name into an IP address.
DNS over HTTPS (DoH) is a new protocol that encrypts domain name system traffic by passing DNS queries over HTTPS. Its primary function is to encrypt the communication, which helps to hide one's online activities. For now, all major browsers, such as Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, support DNS over HTTPS.
A DNS filtering solution is a crucial security layer for every cybersecurity vendor. DNS Threat Filter matches domain addresses against the always-up-to-date cloud reputation database and determines whether an address is reputable or not.
How DNS Threat Filter Works
However, when clients send their queries as DNS over HTTPS, the communication is not visible to the DNS filter. This allows employees and students to bypass network-level web filtering policies. Companies that rely on web traffic reports from DNS-based solutions also lose visibility into internal network traffic.
How Zyxel can help you to manage the clients' Internet activities
To provide precise visibility of internal network traffic, Zyxel is working to fully integrate the DNS over HTTPS (DoH) protocol with the ATP series in a secure way that will help every organization enhance its cybersecurity. Once the ATP firewall detects DNS over HTTPS queries from clients to known DoH servers, it will block these DNS queries to prevent users from bypassing internet restriction policies.
Benefits of DoH/DoT blocking and monitoring:
- Prevents users from bypassing the company's web filter.
- Retains visibility and security over all DNS traffic on your network.
- Efficiently routes DNS queries and keeps the overall network healthy.
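The following Python example is added here to illustrate the monitoring idea described above; it is not Zyxel's code or the ATP implementation. It flags flows from constructed firewall log lines that go to known DoH resolvers, to DoT on port 853, or to plain DNS servers other than the approved one. The resolver list, the internal resolver 10.0.0.53 and the log format are assumptions.

```python
import ipaddress

# Assumed sample of well-known public resolvers that offer DoH/DoT.
# A real deployment needs a maintained, regularly updated list.
KNOWN_ENCRYPTED_DNS = {
    "1.1.1.1": "cloudflare", "1.0.0.1": "cloudflare",
    "8.8.8.8": "google", "8.8.4.4": "google",
    "9.9.9.9": "quad9",
}
# Hypothetical internal resolver that clients are expected to use.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed flow records: "timestamp src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
2022-10-03T09:00:01 10.0.1.15 10.0.0.53 udp 53
2022-10-03T09:00:02 10.0.1.22 1.1.1.1 tcp 443
2022-10-03T09:00:03 10.0.1.22 203.0.113.10 tcp 443
2022-10-03T09:00:04 10.0.1.30 9.9.9.9 tcp 853
2022-10-03T09:00:05 10.0.1.31 8.8.8.8 udp 53
malformed line
"""

def classify(dst_ip, proto, port):
    """Return a verdict for one flow, or None if it is not a DNS bypass."""
    if port == 853 and proto == "tcp":
        return "dot"  # DoT uses a dedicated port, so the port alone is enough
    if port == 443 and dst_ip in KNOWN_ENCRYPTED_DNS:
        return "doh"  # DoH looks like ordinary HTTPS; only the destination tells
    if port == 53 and dst_ip not in APPROVED_RESOLVERS:
        return "plain-dns-unapproved"
    return None

def find_bypass(flows_text):
    """Parse flow lines and return (src, dst, verdict) for each flagged flow."""
    findings = []
    for line in flows_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records instead of failing the run
        _ts, src, dst, proto, port = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        verdict = classify(dst, proto.lower(), int(port))
        if verdict:
            findings.append((src, dst, verdict))
    return findings
```

Matching on destination address only catches resolvers that are on the list, which is why the article speaks of "known DoH servers": HTTPS traffic to an unlisted resolver is indistinguishable from other web traffic at this layer.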
Will we have this function on the current USG, too?
I do not see this function on the USG Flex 200 (firmware version 5.35). Will this still be added or is the support only for the ATP series?
Zyxel_Vic Posts: 269
Hi @Vagabound
Thanks for your interest. The USG Flex series supports the DNS Threat Filter feature, which is included in the Gold Security Pack. For more information regarding what is included in the GSP license, please visit the link below:
Available today: USG FLEX series supports Gold Security Pack — Zyxel Community
In addition, you can purchase the GSP license from our Marketplace portal and activate it immediately.
Thanks for the feedback and their clarification.
Or, for the ones that can get license, here is the IP list for Cloudflare and NextDNS:
USG 60 File Blocking in Firefox doesnt work — Zyxel Community