Encrypt DNS queries and validate DNS responses with DNSSEC
Encrypt DNS queries with DoT and DoH
By default, DNS queries from the Internet are not encrypted: they travel in plaintext from a client to a DNS resolver, so anyone on the path can read or alter them. DNS over TLS (DoT) and DNS over HTTPS (DoH) are protocols that encrypt these queries. DoT wraps DNS traffic in Transport Layer Security (TLS), adding privacy and preventing threat actors on the local network from spoofing responses or hijacking DNS. DoH carries DNS requests and responses inside HTTPS. With this method, DNS traffic is indistinguishable from standard HTTPS traffic, hiding it from attackers or third parties. Like DoT, DoH prevents threat actors from intercepting or altering DNS traffic.
SIA already offers DoT encryption when ETP Client or Security Connector acts as a DNS forwarder. SIA also lets you encrypt DNS traffic with DoT or DoH directly, without relying on a separate product or service: you use these protocols to secure DNS traffic from a client (such as a browser) as it is sent to the SIA DNS servers.
To apply DoT or DoH, you’ll need the SIA domains for DoT or DoH. These domains are available in the Connection Info widget on the Threat Overview dashboard. You can also add this widget to any custom dashboard.
In addition to configuring an individual browser or operating system, you can use your device management solution to enable DoH or DoT on browsers and devices across your organization. To view the DoT or DoH domains, see View DoT or DoH domains.
If the DoH URI template contains the device ID, this ID can be used in SIA reports for the attribution of a potentially compromised device. Since this ID is provided in the URI template by administrators, there is no guarantee of non-repudiation.
Firewall configuration
To use DoT or DoH, make sure your firewall allows traffic for these hostnames, ports, and protocol.
DNS Encryption Method | Hostname | Port | Protocol |
---|---|---|---|
DoT | <config_ID>.dot.akaetp.net where <config_ID> is the configuration ID. | 853 | TCP |
DoH | <config_ID>.doh.akaetp.net where <config_ID> is the configuration ID. | 443 | TCP |
Supported browsers and operating systems
Browser support
These browsers are supported:
DNS Encryption Method | Browser | Configuration Instructions |
---|---|---|
DoH | Google Chrome | Configure DoH on Google Chrome |
DoH | Mozilla Firefox | Configure DoH on Mozilla Firefox |
DoH | Microsoft Edge | Configure DoH on Microsoft Edge |
You can use your Windows Group Policy (GPO) or your device management software to update these settings.
Operating system support
These operating systems are supported:
DNS Encryption Method | Operating System | Instructions |
---|---|---|
DoT, DoH | macOS, iOS | Configure DoT or DoH on macOS or iOS |
DoH | Android | Configure DoH on Android |
Currently, Windows 10 and 11 do not support DoT and you cannot configure DoH with a domain. To use DoH on Windows, make sure you configure DoH in the browser.
View DoT or DoH domains
Complete this procedure to view the DoT or DoH domains. You can find this information on the Connection Info page and in the Connection Info dashboard widget.
To view DoT or DoH domains:
1. In the Threat Protection navigation menu, select Clients & Connectors > Connection Info.
2. On the Connection Info page, take note of the DoT and DoH domains.
The DoT or DoH domains are also available in the Connection Info dashboard widget. While you can add this widget to a dashboard, it’s available by default on the Threat Overview dashboard.
Configure DoH in a browser
On Google Chrome
Before you begin:
- Make sure you have the SIA DoH domain. To view this domain, see View DoT or DoH domains.
- Make sure your firewall allows traffic on DoH port 443 and the TCP protocol.
Complete this procedure to enable DoH in a Google Chrome browser.
To configure DoH on Google Chrome:
1. Open the Google Chrome browser.
2. Go to the Security settings. Do one of these steps:
   - In the address bar, enter chrome://settings/security/.
   - In the Chrome menu, select Settings. Click Security and Privacy and then click Security.
3. In the Advanced section, enable Use Secure DNS.
4. Select With and in the drop-down list for the service provider, select Custom.
5. Enter the SIA DoH URI template in this format:
   https://<DoH_domain>/dns-query/<id>{?dns}
   where:
   - <DoH_domain> is the SIA DoH domain.
   - <id> is the unique identifier associated with the user’s device. This identifier is optional to include.
On Mozilla Firefox
Before you begin:
- Make sure you have the SIA DoH domain. To view this domain, see View DoT or DoH domains.
- Make sure your firewall allows traffic on DoH port 443 and the TCP protocol.
You can configure DoH in the Firefox network settings or in the advanced preferences.
To configure DoH on Firefox:
1. Open Firefox.
2. To configure DoH in the network settings:
   a. In the Firefox menu, select Settings.
   b. Navigate to the Network Settings section and click Settings.
   c. Select Enable DNS over HTTPS and in the Use Provider menu, select Custom.
   d. In the Custom field, enter the SIA DoH URI template in this format:
      https://<DoH_domain>/dns-query/<id>
      where:
      - <DoH_domain> is the SIA DoH domain.
      - <id> is the unique identifier associated with the user’s device. This identifier is optional to include.
   e. Click OK.
3. To configure DoH with the advanced preferences:
   a. In the Firefox address bar, enter about:config to access the Advanced Preferences. A warning appears about modifying these preferences. Click Accept Risk and Continue.
   b. In the search field, enter network.trr.custom_uri, and click the edit icon for this preference.
   c. Enter the SIA DoH URI template in this format and click the check mark icon:
      https://<DoH_domain>/dns-query/<id>
      where:
      - <DoH_domain> is the SIA DoH domain.
      - <id> is the unique identifier associated with the user’s device. This identifier is optional to include.
   d. In the search field for the advanced preferences, enter network.trr.uri, and click the edit icon for this preference. Repeat step 3c.
   e. In the search field for the advanced preferences, enter network.trr.useGET and set this setting to True. If this setting is not toggled to True, click the toggle icon.
On Microsoft Edge
Before you begin:
- Make sure you have the SIA DoH domain. To view this domain, see View DoT or DoH domains.
- Make sure your firewall allows traffic on DoH port 443 and the TCP protocol.
Complete this procedure to enable DoH on Microsoft Edge.
To configure DoH on Edge:
1. Open the Edge browser.
2. In the browser menu, select Settings.
3. From the Settings menu, select Privacy, search and services.
4. Under Security, enable Use secure DNS to specify how to lookup the network address for websites.
5. Select Choose a service provider.
6. In the field for the custom provider, enter this URL:
   https://<DoH_domain>/dns-query/<id>{?dns}
   where:
   - <DoH_domain> is the SIA DoH domain.
   - <id> is the unique identifier associated with the user’s device. This identifier is optional to include.
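The URI templates entered in the Chrome, Firefox, and Edge procedures above are RFC 8484 DoH templates. The following Python code is an added example, not part of this documentation or of SIA: it shows what a browser actually sends with the GET method by building a wire-format DNS query, base64url-encoding it, and expanding the template both with `{?dns}` (Chrome, Edge) and without it (Firefox with network.trr.useGET set to True). The domain and device id values are constructed placeholders.

```python
import base64
import struct


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a single-question DNS query in wire format (RFC 1035).

    RFC 8484 recommends transaction ID 0 so that identical queries yield
    identical URLs, which lets HTTP caches work. qtype 1 is an A record.
    """
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(template: str, doh_domain: str, device_id: str, query: bytes) -> str:
    """Fill in the SIA template and attach the query as the RFC 8484 dns= GET parameter.

    The query is base64url-encoded without '=' padding (RFC 8484 section 6).
    """
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    url = template.replace("<DoH_domain>", doh_domain)
    # The <id> segment is optional; drop it (and its slash) when no id is given
    url = url.replace("/<id>", "/" + device_id if device_id else "")
    if "{?dns}" in url:
        # RFC 6570 form-style query expansion, which Chrome and Edge perform
        return url.replace("{?dns}", "?dns=" + dns_param)
    # Firefox's network.trr.custom_uri has no {?dns}; with network.trr.useGET
    # set to True the browser appends the parameter itself, emulated here
    return url + "?dns=" + dns_param


if __name__ == "__main__":
    # Constructed placeholder domain and device id
    q = build_dns_query("www.example.com")
    print(doh_get_url("https://<DoH_domain>/dns-query/<id>{?dns}",
                      "example-config.doh.akaetp.net", "device-123", q))
```

The resulting dns= value for www.example.com is the one shown in RFC 8484 section 4.1.1, which is a quick way to confirm the encoding is right.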
Configure DoT or DoH on an operating system
Depending on the device operating system, complete the applicable procedure.
Windows 10 and 11 currently do not allow users to provide a domain for DoH.
Configure DoT or DoH on macOS or iOS
To configure DoT or DoH, you need to create a configuration profile. You can use a profile configuration application to create a profile where you provide the DoH or DoT domains.
After generating a profile, an end user can download it. You can also use your device management solution to distribute the profile to Apple devices across your organization.
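As an added example, not SIA's tooling and not part of this documentation, the following Python code generates such a profile with Apple's managed DNS settings payload (com.apple.dnsSettings.managed). The `<config_ID>` domains are placeholders to replace with your SIA domains, the payload identifiers are placeholders, and the DoH URL path (the same dns-query path and optional device id as the browser templates) is an assumption, since the page does not state the profile format.

```python
import plistlib
import uuid

# Placeholders: substitute the DoT/DoH domains shown on your Connection Info page
DOT_DOMAIN = "<config_ID>.dot.akaetp.net"
DOH_DOMAIN = "<config_ID>.doh.akaetp.net"


def dns_settings(protocol: str, domain: str, device_id: str = "") -> dict:
    """Return Apple's DNSSettings dictionary for DoT ("TLS") or DoH ("HTTPS")."""
    if protocol == "TLS":
        # DoT: Apple takes the resolver hostname; TCP port 853 is implied
        return {"DNSProtocol": "TLS", "ServerName": domain}
    if protocol == "HTTPS":
        # DoH: Apple takes a full URL. Assumption: the same dns-query path,
        # with the optional device id, that the browser templates use
        path = "/dns-query/" + device_id if device_id else "/dns-query"
        return {"DNSProtocol": "HTTPS", "ServerURL": "https://" + domain + path}
    raise ValueError("protocol must be TLS or HTTPS")


def build_profile(protocol: str, domain: str, device_id: str = "",
                  prohibit_disablement: bool = True) -> dict:
    """Assemble a configuration profile containing one managed DNS payload.

    ProhibitDisablement stops users from switching encrypted DNS off; Apple
    honours it on supervised devices.
    """
    payload = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sia.dns.payload",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "SIA encrypted DNS (" + protocol + ")",
        "DNSSettings": dns_settings(protocol, domain, device_id),
        "ProhibitDisablement": prohibit_disablement,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sia.dns",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "SIA encrypted DNS",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise the profile as the XML plist that .mobileconfig files contain."""
    return plistlib.dumps(profile)
```

Write the bytes from to_mobileconfig() to a .mobileconfig file and distribute it with your device management solution; sign it there if your deployment requires signed profiles.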
Configure DoH on Android
Before you begin:
- Make sure you have the SIA DoH domain. To view this domain, see View DoT or DoH domains.
- Make sure your firewall allows traffic on DoH port 443 and the TCP protocol.
Complete this procedure to configure DoH on an Android device.
To configure DoH on an Android device:
1. From the Settings menu, tap Network & internet > Advanced > Private DNS.
2. Tap Private DNS Provider Hostname and enter the SIA DoH domain.
3. Tap Save.
Disable DoH
If you enabled DoH with the SIA domain and you want to disable it, complete these steps.
You must disable DoH in the operating system or browser where it’s enabled. You cannot disable this feature from SIA policy.
Use your enterprise system management solution to deploy browser settings to computers across your organization.
On Google Chrome
To disable DoH on Chrome:
Do one of the following:
- Disable DoH on a single instance of Chrome:
  1. Open the Google Chrome browser.
  2. Go to the Security settings. Complete these steps:
     a. In the Chrome menu, select Settings. Click Security and Privacy and then click Security. You can also enter chrome://settings/security/ in the address bar to go to these settings.
     b. In the Advanced section, disable Use Secure DNS.
- Use the DnsOverHttpsMode group policy or the Google Admin Console to disable DoH. For more information, see the Google Chrome Enterprise documentation.
On Mozilla Firefox
To disable DoH on Firefox:
Do one of the following:
- Disable DoH with the network settings:
  1. In the Firefox menu, select Settings.
  2. Navigate to the Network Settings section and click Settings.
  3. Clear Enable DNS over HTTPS.
- Disable DoH with the advanced preferences:
  1. In the Firefox address bar, enter about:config to access the Advanced Preferences. A warning appears about modifying these preferences. Click Accept Risk and Continue.
  2. In the search field, enter network.trr.mode, and click the edit icon for this preference.
  3. Enter 5 to disable DoH, and click the check mark icon to save the setting.
On Microsoft Edge
To disable DoH on Edge:
1. Open Edge.
2. In the browser menu, select Settings.
3. From the Settings menu, select Privacy, Search, and Services.
4. Under Security, disable Use secure DNS to specify how to lookup the network address for websites.
On Android OS
To disable DoH:
1. From the Settings menu, tap Network & internet > Advanced > Private DNS.
2. Tap Off for Private DNS.
Validate DNS responses with DNSSEC
DNSSEC is enabled by default across SIA. DNS responses from authoritative DNS servers where DNSSEC is configured are validated. When DNSSEC (described in RFCs 4033, 4034, and 4035) is configured, responses are cryptographically authenticated and the integrity of DNS records is verified, protecting your organization from DNS spoofing and DNS cache poisoning.