Encrypted DNS protocols like DoH and DoT enhance privacy but reduce network defenders' visibility and control. Traditionally, this leads to blocking encrypted DNS outright, sacrificing its security benefits. A new approach, the local Zero Trust Resolver, offers a gateway-level solution that preserves encrypted DNS while maintaining policy enforcement without modifying endpoints.

The approach rests on a default-deny policy: only traffic whose destination was resolved by the assigned gateway resolver is allowed. Standard unencrypted DNS (Do53, plain DNS on port 53) queries can be hijacked to enforce policy, so the client receives a policy-based answer even when it attempts to bypass the gateway resolver. Encrypted DoT and DoH queries, however, are not hijackable; instead, they are blocked at the gateway. This blocking is not based on a blocklist but on the fact that the destination IP address was never handed out by an authorized DNS query.

If a DoH URL is allowed, the resolution occurs "blindly" from the network controller's point of view. Even so, an IP address obtained through such a resolution is a stranger to the Zero Trust gateway, so a direct connection to it is blocked because it matches no allowed outbound rule. This default-deny approach, enabled by the Zero Trust Resolver, can be implemented at scale. The goal is to have endpoints use encrypted DNS to internal protective resolvers, keeping both security and control within the network perimeter.
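The decision logic described above, as an added toy model that is not the article's or any product's code: a gateway resolver that records every address it hands out, and an egress filter that allows a flow only if its destination came from one of those resolutions. All addresses, names, the gateway resolver address and the TTLs are constructed; the hijack, block and allow outcomes for plain DNS, DoT, an allowed DoH server, and an address learned blindly through DoH fall out of the single default-deny rule rather than from a blocklist.

```python
"""Toy model of a gateway-level Zero Trust Resolver (constructed example).

The gateway runs its own resolver and remembers every address it hands out.
The egress filter is default-deny: a new flow is allowed only if its
destination was produced by one of those resolutions and is still unexpired.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GATEWAY_RESOLVER = "10.0.0.1"   # assumed address of the gateway's own resolver
DNS_PORT = 53                   # Do53: unencrypted, can be redirected in transit
DOT_PORT = 853                  # DoT: TLS, cannot be rewritten in transit
HTTPS_PORT = 443                # DoH rides on ordinary HTTPS


@dataclass
class ZeroTrustResolver:
    allowed_names: set                                          # policy allowlist
    resolved: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # ip -> (name, expiry)

    def resolve(self, name: str, answers: List[str], ttl: int, now: float) -> List[str]:
        """Policy-based answer: refused names get an empty answer; for permitted
        names every returned address is remembered until its TTL expires."""
        if name not in self.allowed_names:
            return []
        for ip in answers:
            self.resolved[ip] = (name, now + ttl)
        return list(answers)

    def authorized_name(self, ip: str, now: float) -> Optional[str]:
        """Return the permitted name this IP was handed out for, if unexpired."""
        entry = self.resolved.get(ip)
        if entry is None:
            return None
        name, expiry = entry
        if now > expiry:
            del self.resolved[ip]
            return None
        return name


@dataclass
class Flow:
    dst_ip: str
    dst_port: int


def decide(flow: Flow, resolver: ZeroTrustResolver, now: float) -> Tuple[str, str]:
    """Egress decision (verdict, reason) for one new outbound flow."""
    if flow.dst_port == DNS_PORT:
        if flow.dst_ip == GATEWAY_RESOLVER:
            return ("ALLOW", "gateway resolver")
        # Plain DNS to any other resolver is redirected to the gateway resolver,
        # so the client still receives the policy answer.
        return ("HIJACK", GATEWAY_RESOLVER)
    # Everything else, DoT and DoH included, falls under one rule: the destination
    # must have come out of the gateway resolver. A foreign DoT/DoH server, or an
    # address learned blindly through one, is a stranger and is dropped.
    name = resolver.authorized_name(flow.dst_ip, now)
    if name is None:
        return ("BLOCK", "destination not resolved by the gateway resolver")
    return ("ALLOW", name)


def scenario() -> Dict[str, Tuple[str, str]]:
    """Walk through the cases the article describes, with constructed addresses."""
    now = 1_700_000_000.0
    r = ZeroTrustResolver(allowed_names={"intranet.example.", "doh.example."})
    r.resolve("intranet.example.", ["192.0.2.10"], ttl=300, now=now)
    r.resolve("evil.example.", ["203.0.113.5"], ttl=300, now=now)     # refused by policy
    r.resolve("doh.example.", ["198.51.100.1"], ttl=300, now=now)      # the allowed DoH server
    # 203.0.113.53 stands for an external resolver; 203.0.113.99 for an address
    # the client learned blindly through the allowed DoH server.
    return {
        "plain_dns_to_gateway": decide(Flow(GATEWAY_RESOLVER, DNS_PORT), r, now),
        "plain_dns_to_external": decide(Flow("203.0.113.53", DNS_PORT), r, now),
        "dot_to_external": decide(Flow("203.0.113.53", DOT_PORT), r, now),
        "https_to_allowed_doh": decide(Flow("198.51.100.1", HTTPS_PORT), r, now),
        "https_to_doh_learned_ip": decide(Flow("203.0.113.99", HTTPS_PORT), r, now),
        "https_to_intranet": decide(Flow("192.0.2.10", HTTPS_PORT), r, now),
        "https_to_refused_name_ip": decide(Flow("203.0.113.5", HTTPS_PORT), r, now),
        "https_to_intranet_expired": decide(Flow("192.0.2.10", HTTPS_PORT), r, now + 301),
    }


if __name__ == "__main__":
    for case, (verdict, why) in scenario().items():
        print(f"{case:28s} {verdict:6s} {why}")
```

The model deliberately has no blocklist: the refused name, the external DoT server and the address learned through DoH are all blocked for the same reason, that the gateway resolver never handed them out. Expiry tied to the answer's TTL is the part a real implementation must get right, since an address kept authorized past its TTL widens the allowed set beyond what policy actually resolved.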
Hacker & Security News on Bluesky @hacker.at.thenote.app
securityboulevard.com