uOS v1.32 - DoH and DoT Blocking
Zyxel's uOS v1.32 brings an essential security enhancement: DNS over HTTPS (DoH) and DNS over TLS (DoT) blocking. This feature strengthens your ability to inspect and control DNS queries, ensuring that encrypted DNS traffic does not bypass your content filters and security policies.
What Are DoH and DoT?
- DoH (DNS over HTTPS) encrypts DNS queries using HTTPS (TCP port 443).
- DoT (DNS over TLS) secures DNS queries using TLS (typically UDP/TCP port 853).
While these protocols protect user privacy, they can undermine security filtering, as encrypted DNS traffic bypasses firewall DNS inspection and content filtering.
Why Block DoH and DoT?
Most firewalls rely on visibility into DNS queries to:
- Enforce content filtering
- Apply reputation-based filtering
- Detect access to malicious domains
If DNS queries are encrypted using DoH or DoT, the firewall cannot inspect them — leaving your network exposed to undetected threats or policy violations.
How It Works in uOS v1.32
The DoH/DoT blocking mechanism in uOS operates at the application layer and uses signature-based detection to identify and block encrypted DNS queries.
Detection Scope:
- DNS Query (UDP port 53) - checked against a database of known DoH server domains
- DoH (UDP port 443) - checked against the DoH signature database; traffic is allowed if it does not match a DoH signature
- DoT (TCP port 853) - blocked based on protocol and port usage
Example: If a user device sends a DNS query to cloudflare-dns.com (a known DoH server), the firewall detects and blocks it using signature inspection.
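As an added illustration (not Zyxel's code and not the uOS implementation), the following Python model applies the three detection rules listed above to constructed flow records. The domain list and the DoH signature strings are assumptions standing in for the firewall's own databases.

```python
# Added example: a model of the three-stage DoH/DoT detection described above.
# Not Zyxel's code; the lists below are constructed stand-ins for uOS's databases.
from dataclasses import dataclass

# Constructed list of known DoH resolver hostnames (the page names cloudflare-dns.com).
KNOWN_DOH_DOMAINS = {"cloudflare-dns.com", "dns.google"}

# Constructed stand-in for a DoH signature database: markers DoH uses on port 443
# (RFC 8484 query path and media type). A real signature set is far richer.
DOH_SIGNATURES = ("/dns-query", "application/dns-message")


@dataclass
class Flow:
    proto: str            # "udp" or "tcp"
    dst_port: int
    dns_qname: str = ""   # queried name, for plaintext DNS on port 53
    payload: str = ""     # inspected application data, for port 443


def classify(flow: Flow) -> str:
    """Return 'block' or 'allow' following the page's three detection rules."""
    # Rule 1: a plaintext DNS lookup for a known DoH server domain is blocked,
    # which stops a client from bootstrapping an encrypted resolver.
    if flow.dst_port == 53 and flow.dns_qname:
        qname = flow.dns_qname.rstrip(".").lower()   # normalise FQDN form
        return "block" if qname in KNOWN_DOH_DOMAINS else "allow"
    # Rule 3: DoT is identified purely by protocol and port.
    if flow.proto == "tcp" and flow.dst_port == 853:
        return "block"
    # Rule 2: port 443 is allowed unless the payload matches a DoH signature.
    if flow.dst_port == 443:
        if any(sig in flow.payload for sig in DOH_SIGNATURES):
            return "block"
        return "allow"
    return "allow"


def run_sample() -> dict:
    """Classify a constructed set of flows; returns {label: verdict}."""
    flows = {
        "dns_for_cloudflare": Flow("udp", 53, dns_qname="cloudflare-dns.com."),
        "dns_for_example": Flow("udp", 53, dns_qname="example.com"),
        "dot": Flow("tcp", 853),
        "doh_get": Flow("tcp", 443, payload="GET /dns-query?dns=AAAB HTTP/1.1"),
        "plain_https": Flow("tcp", 443, payload="GET /index.html HTTP/1.1"),
    }
    return {label: classify(f) for label, f in flows.items()}
```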
Feature Location & Configuration
You can enable this feature in the local GUI:
Security Service → Reputation Filter → DNS Threat Filter
There you'll find: DNS over HTTPs/TLS detection
Summary
The introduction of DoH and DoT blocking in uOS v1.32 marks a major improvement in maintaining DNS transparency for security and compliance. By intelligently detecting encrypted DNS traffic, administrators can continue applying effective filtering without compromising user privacy for non-encrypted traffic.