[2024 April Tips & Tricks] How Can Your Content Filter Fail to Work?

zyxel_Lin, Zyxel Employee
edited April 23 in Security Highlight

How Can Your Content Filter Fail to Work?

Content filtering protects a business from undesirable online content, and most IT teams deploy it within their network infrastructure for three purposes:

Blocking access to undesirable web content: Apply precise blocking and filtering with a service such as Zyxel's Web Filtering, which is backed by a continuously updated cloud database so that newly identified harmful sites are caught as well as known ones.

Safeguarding against malicious and phishing websites: Protect the network from web-based threats such as phishing, malware, exploit kits and command-and-control traffic by preventing access to known malicious websites.

Policy-based control: Apply granular, policy-based blocking and filtering. This matters because a large number of malicious websites can infect systems with viruses or spyware. Zyxel Web Filtering combines the security subscription services that defend against rogue websites with controls that let administrators decide which users may reach which content.

However, DNS over HTTPS (DoH) undermines this model. DoH wraps ordinary DNS queries inside an encrypted HTTPS connection to the resolver (TCP/443), and its sibling DNS over TLS (DoT) does the same over a TLS session on TCP/853. Because the lookups are encrypted between the client and the resolver, a gateway that filters by inspecting DNS traffic no longer sees the names being resolved; it sees only a TLS connection to the resolver. A content filter that depends on DNS is therefore bypassed, which is also why DoH is often described as hiding a user's online activity.

Modern operating systems and browsers increasingly support DoH or DoT, and browsers in particular may turn it on by default. Windows 11, for instance, ships with a native DoH client that can be set per adapter to prefer encrypted DNS while still allowing an unencrypted fallback. You can list the DoH-capable resolvers Windows knows about by opening a command prompt and running 'netsh dns show encryption'.

How do you resolve this conflict? In most environments the corporate security and control policy has to win, which means you need a way to stop DoH/DoT from bypassing the gateway while keeping your Content Filter working. With the USG FLEX/ATP firewall you can simply block the use of DoH/DoT and gain the following benefits:

  • Preventing users from bypassing the company’s web filter.
  • Retaining visibility and security over all DNS traffic on your network.
  • Efficiently routing DNS queries and maintaining overall network health.
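Once the block is in place, it is worth confirming from a client that both encrypted DNS paths are actually closed. The following script is an added example and is not part of the original post or of Zyxel's own tooling: it attempts a plain TCP connect to port 853 (DoT) and a real RFC 8484 DoH GET over HTTPS, and reports each as Open or Blocked. The resolver address 1.1.1.1, the endpoint https://cloudflare-dns.com/dns-query and the test name example.com are assumed public values chosen for illustration; substitute whichever resolvers your users are likely to try.

```powershell
# Added example (not from the original post or from Zyxel): verify from a Windows
# client whether DoT (TCP/853) and DoH (RFC 8484 over HTTPS/443) can still reach a
# public resolver. Run before and after enabling the block; afterwards both rows
# should read 'Blocked'. Works on Windows PowerShell 5.1 and PowerShell 7.

# Build a minimal DNS wire-format query (RFC 1035) for an A record and encode it as
# base64url without padding, as the RFC 8484 'dns' query parameter requires.
# This query is what travels inside the TLS stream and is why a DNS-only filter
# never gets to see or categorise it.
function New-DnsQueryBase64Url {
    param([string]$Name)
    $q = [System.Collections.Generic.List[byte]]::new()
    # Header: ID=0 (RFC 8484 recommends 0 so responses are cacheable), RD=1, QDCOUNT=1
    $q.AddRange([byte[]](0,0, 1,0, 0,1, 0,0, 0,0, 0,0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $q.Add([byte]$lb.Length)     # length-prefixed label
        $q.AddRange($lb)
    }
    $q.Add([byte]0)                  # root label terminates the name
    $q.AddRange([byte[]](0,1, 0,1))  # QTYPE=A, QCLASS=IN
    return [Convert]::ToBase64String($q.ToArray()).TrimEnd('=').Replace('+','-').Replace('/','_')
}

function Test-EncryptedDnsEgress {
    param(
        [string]$ResolverIp = '1.1.1.1',                              # assumed public DoT resolver
        [string]$DohUri     = 'https://cloudflare-dns.com/dns-query', # assumed public DoH endpoint
        [string]$TestName   = 'example.com',
        [int]$TimeoutMs     = 3000
    )

    # DoT (RFC 7858) lives on TCP/853; a bare TCP connect is enough to tell a
    # firewall drop or reset apart from an open path.
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $dotOpen = $tcp.ConnectAsync($ResolverIp, 853).Wait($TimeoutMs) -and $tcp.Connected
    } catch {
        $dotOpen = $false            # connection refused / reset by the firewall
    } finally {
        $tcp.Dispose()
    }

    # DoH (RFC 8484) is an ordinary HTTPS GET on 443 with the query in the 'dns' parameter.
    # Only HTTP 200 with an application/dns-message body counts as a working DoH path.
    $uri = "${DohUri}?dns=$(New-DnsQueryBase64Url $TestName)"
    $params = @{
        Uri             = $uri
        Headers         = @{ Accept = 'application/dns-message' }
        TimeoutSec      = [int][math]::Ceiling($TimeoutMs / 1000)
        UseBasicParsing = $true
    }
    try {
        $resp    = Invoke-WebRequest @params
        $dohOpen = (($resp.StatusCode -eq 200) -and
                    ([string]$resp.Headers['Content-Type'] -like 'application/dns-message*'))
    } catch {
        $dohOpen = $false            # blocked, reset, TLS failure or non-2xx response
    }

    [pscustomobject]@{ Protocol = 'DoT'; Target = "${ResolverIp}:853"; Result = if ($dotOpen) { 'Open' } else { 'Blocked' } }
    [pscustomobject]@{ Protocol = 'DoH'; Target = $DohUri;             Result = if ($dohOpen) { 'Open' } else { 'Blocked' } }
}

Test-EncryptedDnsEgress | Format-Table -AutoSize
```

A 'Blocked' result for DoT but 'Open' for DoH is the common half-finished state: port 853 is easy to drop, whereas DoH shares port 443 with all other web traffic and has to be blocked by resolver destination or application signature. The script only proves reachability of the resolvers you pass in, so re-run it against any other public DoH endpoints you expect users to try.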

The SCR 50AXE has no option to block DoH/DoT directly. You can, however, make sure that wired and wireless clients point at the DNS server configured on the SCR 50AXE itself. On Windows this stops the operating system's own DoH client, because Windows only uses DoH for a resolver address that has a DoH template registered (the list shown by 'netsh dns show encryption'); the router's LAN address has no such template, so queries to it stay in plain DNS and remain visible to the filter. Note that this controls the Windows OS resolver only: a browser that carries its own DoH setting, or a user who manually enters a public DoH resolver, is not stopped by it.

To do this, navigate to the Nebula Control Center and edit the LAN interface settings of the SCR 50AXE. Set the DNS server configuration to 'This Router'.
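The 'netsh dns show encryption' check mentioned earlier and the router-as-resolver approach above can be verified on a client with a short audit. The script below is an added example, not part of the original post or of Zyxel's software: it reads Windows' DoH template table through the DnsClient module and compares it with the resolvers each adapter actually has, so you can see which adapters could speak DoH and which are locked to plain, filterable DNS. The expected resolver address 192.168.1.1 is an assumed placeholder for your SCR 50AXE's LAN address; it requires Windows 11 (or Windows Server 2022), where Get-DnsClientDohServerAddress is available.

```powershell
# Added example (not from the original post or from Zyxel): audit a Windows 11
# client for DoH exposure. Windows can only use DoH towards a resolver address
# that has a DoH template registered; this table is what 'netsh dns show
# encryption' prints and what Get-DnsClientDohServerAddress returns. A router's
# private LAN address normally has no template, so pointing clients at the
# router keeps their DNS in the clear where the content filter can act on it.

function Get-DohExposureReport {
    [CmdletBinding()]
    param(
        # Resolver(s) clients are supposed to use, e.g. the router/firewall LAN address.
        # 192.168.1.1 is an assumed placeholder; substitute your own.
        [string[]]$ExpectedResolver = @('192.168.1.1')
    )

    # Index the DoH template table by resolver address for quick lookup.
    $templates = @{}
    foreach ($t in Get-DnsClientDohServerAddress) {
        $templates[$t.ServerAddress] = $t
    }

    # Per-adapter configured resolvers (IPv4 only here; repeat with IPv6 if you use it).
    $configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }

    foreach ($cfg in $configured) {
        foreach ($server in $cfg.ServerAddresses) {
            $tpl      = $templates[$server]          # $null when no template exists
            $expected = $ExpectedResolver -contains $server

            if ($tpl) {
                $verdict = 'DoH template registered: Windows can encrypt lookups to this resolver'
            } elseif ($expected) {
                $verdict = 'Plain DNS to the expected resolver: filterable'
            } else {
                $verdict = 'Plain DNS, but to an unexpected resolver: check DHCP/manual settings'
            }

            [pscustomobject]@{
                Interface     = $cfg.InterfaceAlias
                Resolver      = $server
                Expected      = $expected
                DohTemplate   = if ($tpl) { $tpl.DohTemplate } else { '-' }
                # With UDP fallback disabled, a DoH-capable resolver cannot even be
                # forced back to plain DNS by blocking the encrypted path.
                FallbackToUdp = if ($tpl) { $tpl.AllowFallbackToUdp } else { '-' }
                Verdict       = $verdict
            }
        }
    }
}

Get-DohExposureReport | Format-Table -AutoSize
```

A healthy result after setting 'This Router' in Nebula is one row per active adapter, each with the router's address, Expected = True and no DoH template. Any row naming a public resolver such as 1.1.1.1 or 8.8.8.8 points at a client that has overridden DHCP or a template that was added by hand, and those are the machines whose DNS the content filter will not see.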