Unlike traditional DNS queries, which are sent to servers via a plain text connection, DNS-over-HTTPS (DoH) requests are sent over an encrypted HTTPS connection. It was introduced mainly because of the privacy benefits that come with the data encryption.
However, since many parental control systems depend on inspecting the unencrypted DNS requests, DOH brings real risk of breaking your parental controls. This is a big concern. In fact, Mozilla was once nominated for the Internet Villain Award for supporting DOH.
In an effort to keep existing parental controls functional in the brave new world of DOH, Mozilla implemented several opt-out mechanisms to bypass DOH for networks with DNS content filtering.
Is your parental control system still functional with DOH turned on? How effective are Mozilla’s mitigation techniques at keeping your parental control functional?
Nothing is better than trying it out for yourself.
I’m using OpenDNS as an example. If you have a different setup, use the following steps as a starting point.
What’s your DNS server? Open your browser and enter http://whoismydns.com/.
Since my network was configured to use OpenDNS, the page reported OpenDNS as expected.
DNS over HTTPS (DOH) is supported by a growing number browsers and operating systems. For example, the Chrome browser also supports DOH. So does Android 9 and above, iOS 14 and macOS 11, etc. Windows 10 will have it soon if it’s not already there.
DOH’s sister protocol, DNS-over-TLS (DoT, which achieves the same effects as DOH), is also supported on these platforms.
The following picture shows how to turn on DoT on an Android phone.
You may need to adjust the test steps above accordingly if you are not using Firefox and OpenDNS. The DNS server test may still be meaningful even if your parental control does not use a specific DNS service for content filtering.
There are other test scenarios you may want to consider:
As of version v2.1, you’ll need to check the boxes “Block proxy, VPN, TOR” and “Enforce Access Control” on the profile in order to prevent parental control bypassing with DOH or DoT. With these options turned on, any device using DOH or DoT will be blocked Internet access. Thus forcing the users to turn off DOH/DoT.
In a future update we’ll handle this scenario more gracefully. I.e., instead of totally blocking the Internet, we’ll allow Internet while keeping parental control intact.
Parental controls may be broken when DOH or DoT is turned on. You may follow the steps above to test your system. OpenDNS has some builtin defense against DOH/DoT, but it’s easily defeated by entering an IP address for the DOH server instead of using the domain name.