uOS v1.32 - DoH and DoT Blocking

Zyxel_Claudia (Zyxel Employee, Posts: 164)
edited May 7 in Other Topics

Zyxel's uOS v1.32 brings an essential security enhancement: DNS over HTTPS (DoH) and DNS over TLS (DoT) blocking. This feature lets the firewall detect and block encrypted DNS so that it cannot be used to bypass your content filters and security policies.

What Are DoH and DoT?

  • DoH (DNS over HTTPS) carries DNS queries inside HTTPS (TCP port 443), so by port alone they look like ordinary web traffic.
  • DoT (DNS over TLS) wraps DNS queries in TLS on a dedicated port (TCP port 853).

While these protocols protect user privacy, they also defeat security filtering: the firewall can no longer see the queried names, so DNS inspection and content filtering are bypassed.

Why Block DoH and DoT?

Most firewalls rely on visibility into DNS queries to:

  • Enforce content filtering
  • Apply reputation-based filtering
  • Detect access to malicious domains

If DNS queries are encrypted using DoH or DoT, the firewall cannot inspect them — leaving your network exposed to undetected threats or policy violations.

How It Works in uOS v1.32

The DoH/DoT blocking mechanism in uOS operates at the application layer and uses signature-based detection to identify and block encrypted DNS queries.

Detection Scope:

  • DNS query (UDP port 53) - the queried name is checked against a database of known DoH server domains, so a client cannot resolve the address of a DoH resolver in the first place
  • DoH (TCP port 443) - HTTPS traffic is checked against the DoH signature database; traffic that does not match a DoH signature is allowed, so ordinary web browsing is unaffected. This check matters because a client configured with the resolver's IP address never issues the port-53 lookup
  • DoT (TCP port 853) - blocked on protocol and port alone, since DoT always uses this dedicated port

Example: If a user device sends a plaintext DNS query for cloudflare-dns.com (the hostname of a well-known DoH server), the firewall matches the name against its DoH server database and blocks the query, so the client never learns the resolver's address.
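The three checks above, modelled as a small Python classifier. This is an added illustration, not Zyxel's code: the DoH host list, the flow records and the raw DNS packets are constructed inline, and the port-443 "signature" check is approximated by matching the TLS SNI, which is an assumption standing in for the proprietary signature database the post describes.

```python
"""Constructed model of the uOS v1.32 DoH/DoT detection flow (illustrative only).

Check 1: plaintext UDP/53 queries whose QNAME is a known DoH resolver are blocked.
Check 2: TCP/853 is blocked outright as DoT.
Check 3: TCP/443 is blocked only when a DoH "signature" matches; here the
         signature is approximated by the TLS SNI (assumption, not Zyxel's method).
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed sample database of DoH resolver hostnames (stand-in for the vendor list).
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}


@dataclass
class Flow:
    proto: str                 # "udp" or "tcp"
    dst_port: int
    payload: bytes = b""       # first packet payload (used for UDP/53)
    sni: Optional[str] = None  # TLS SNI for 443 flows (assumed to be extracted upstream)


def parse_qname(packet: bytes) -> Optional[str]:
    """Return the first question name from a raw DNS message, or None if it is
    not a well-formed query. Compression pointers are invalid in a query's
    question name, so they are treated as malformed."""
    if len(packet) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount == 0:  # QR bit set (a response) or no question
        return None
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer
            return None
        label = packet[pos:pos + length]
        if len(label) != length:  # truncated packet
            return None
        labels.append(label.decode("ascii", errors="replace").lower())
        pos += length
    return ".".join(labels)


def build_query(name: str) -> bytes:
    """Build a minimal A-record DNS query for `name` (constructed test input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def classify(flow: Flow) -> str:
    """Apply the three checks in order; anything not matched is allowed."""
    # Check 1: plaintext DNS lookup for a known DoH resolver name
    if flow.proto == "udp" and flow.dst_port == 53:
        name = parse_qname(flow.payload)
        if name is not None and name in DOH_HOSTS:
            return "block: DNS lookup for DoH resolver %s" % name
        return "allow"
    # Check 2: DoT is identified by protocol and port alone
    if flow.proto == "tcp" and flow.dst_port == 853:
        return "block: DoT (TCP/853)"
    # Check 3: HTTPS passes unless the DoH signature (here: SNI) matches
    if flow.proto == "tcp" and flow.dst_port == 443:
        if flow.sni is not None and flow.sni.lower() in DOH_HOSTS:
            return "block: DoH signature match (%s)" % flow.sni
        return "allow"
    return "allow"


if __name__ == "__main__":
    samples = [
        Flow("udp", 53, build_query("cloudflare-dns.com")),
        Flow("udp", 53, build_query("example.com")),
        Flow("tcp", 853),
        Flow("tcp", 443, sni="dns.google"),
        Flow("tcp", 443, sni="www.example.com"),
    ]
    for f in samples:
        print(f.proto, f.dst_port, f.sni or parse_qname(f.payload), "->", classify(f))
```

Note the ordering: the port-53 name check and the port-443 signature check complement each other. A client that resolves the DoH hostname first is stopped at step 1; a client with a hard-coded resolver address skips that lookup and is only caught at step 3, which is why a port-853 style port block is not enough for DoH.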

Feature Location & Configuration

You can enable this feature in the local GUI:

Security Service > Reputation Filter > DNS Threat Filter

There you'll find: DNS over HTTPs/TLS detection

Summary

The introduction of DoH and DoT blocking in uOS v1.32 restores DNS visibility for security and compliance. Because the firewall detects encrypted DNS specifically rather than blocking port 443 wholesale, administrators can keep their DNS-based filtering effective while ordinary HTTPS traffic passes untouched.