[2022 Issue 10] Why browsers can be a security loophole?

zyxel_Lin Posts: 37
edited April 15 in Security Highlight

Modern browsers and the latest operating systems are using new encryption technologies – DNS over TLS (DoT) and DNS over HTTPS (DoH) – to combat unauthorized DNS services. This can be a great tool for privacy protection, but it also opens up potential threats for your organizations and IT professionals. This article will show how DoH works and how the Zyxel ATP firewall can help.

What is DoH?

To understand DoH, it is necessary to first understand how regular DNS works. A Domain Name Server (DNS) is just like an internet address book: it translates each domain name into an IP address.

DNS over HTTPS (DoH) is a new protocol that encrypts domain name system traffic by passing DNS queries. Its primary function is that the communication is encrypted, which helps to hide one’s online activities. For now, all major browsers, such as Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, support DNS over HTTPS.

The way of a DNS query when DoH is enabled

A DNS filtering solution is a crucial security layer for every cybersecurity vendor. DNS Threat Filter matches domain addresses against the always-up-to-date cloud reputation database and determines whether an address is reputable or not.

How DNS Threat Filter Works

However, when clients send DNS over HTTPS queries, the communication is not visible. This allows employees and students to bypass network-level web filtering policies. Companies that rely on web traffic reports from DNS-based solutions also lose visibility into internal network traffic.

How Zyxel can help you to manage the clients' Internet activities

To provide precise visibility of internal network traffic, Zyxel is working to fully integrate the DNS over HTTPS (DoH) protocol with the ATP series in a secure way that will help every organization to enhance cybersecurity. Once the ATP firewall detects DNS over HTTPS queries from the clients to known DoH servers, it will block these DNS queries to prevent users from bypassing internet restriction policies.

Benefits of DoH/DoT blocking and monitoring:

  • Prevents users from bypassing the company’s web filter.
  • Retains visibility and security over all DNS traffic on your network.
  • Efficiently routes DNS queries and keeps the overall network healthy.
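
The monitoring side of the approach described above (spotting client queries to known DoH servers) can be sketched over flow logs. This is an added example, not Zyxel's code or the ATP detection logic; the log format, the function names and the short resolver list are assumptions made for illustration.

```python
import csv
import io
from collections import Counter

# Small illustrative list of public DoH/DoT resolvers (assumption: a real
# deployment would use a maintained feed, not this hand-written set).
KNOWN_RESOLVER_NAMES = {"dns.google", "cloudflare-dns.com",
                        "mozilla.cloudflare-dns.com", "dns.quad9.net"}
KNOWN_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed sample flow log: time,client,dst_ip,dst_port,proto,tls_sni
SAMPLE_LOG = """\
2022-04-15T09:00:01,10.0.0.21,8.8.8.8,443,tcp,dns.google
2022-04-15T09:00:02,10.0.0.21,93.184.216.34,443,tcp,example.com
2022-04-15T09:00:03,10.0.0.35,1.1.1.1,853,tcp,
2022-04-15T09:00:04,10.0.0.35,10.0.0.1,53,udp,
2022-04-15T09:00:05,10.0.0.40,104.16.248.249,443,tcp,Cloudflare-DNS.com.
2022-04-15T09:00:06,10.0.0.40,1.1.1.1,443,tcp,
"""

def classify(row):
    """Return 'DoH', 'DoT' or None for one flow record."""
    port = int(row["dst_port"])
    # Normalize the SNI: case-insensitive, tolerate a trailing root dot.
    sni = row["tls_sni"].strip().rstrip(".").lower()
    known = sni in KNOWN_RESOLVER_NAMES or row["dst_ip"] in KNOWN_RESOLVER_IPS
    if port == 853 and row["proto"] == "tcp":
        return "DoT"  # DoT uses its own dedicated port (RFC 7858)
    if port == 443 and known:
        return "DoH"  # DoH blends into HTTPS; match the resolver by SNI or IP
    return None

def find_encrypted_dns(log_text):
    """Return (findings, per-client counts) for DoH/DoT flows in the log."""
    fields = ["time", "client", "dst_ip", "dst_port", "proto", "tls_sni"]
    findings = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        kind = classify(row)
        if kind:
            findings.append((row["client"], kind, row["tls_sni"] or row["dst_ip"]))
    return findings, Counter(client for client, _, _ in findings)

if __name__ == "__main__":
    hits, per_client = find_encrypted_dns(SAMPLE_LOG)
    for client, kind, dest in hits:
        print(f"{client} {kind} -> {dest}")
    print(dict(per_client))
```

Matching on a resolver list only catches known DoH servers, so a resolver missing from the list passes as ordinary HTTPS. An IP-only match on port 443 is a heuristic, since the same address may also serve regular web content.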


  • Motivio
    Motivio Posts: 21
    Will we have this function on the current USG, too?
  • Zyxel_Liu
    Zyxel_Liu Posts: 2
     Zyxel Employee
    Motivio said:
    Will we have this function on the current USG, too?
    Hi Motivio
    Thanks for supporting Zyxel products.
    For now only ATP series supports this function. 
    USG FLEX series will support it by Q4, 2022
    Thank you.