Schools Broadband Web Filtering and the Industry’s Move to DNS-over-HTTPS

Google and Mozilla (Firefox browser) are planning to implement DNS-over-HTTPS. This is causing concern to organisations who filter illegal internet content such as child sexual abuse imagery.

The Internet Services Providers Association (ISPAUK) has claimed that Mozilla plans to support DNS-over-HTTPS “in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.”

This is not the case, however, for Schools Broadband customers using our hosted Netsweeper filtering service. Netsweeper’s DNS solution operates as a DNS server and includes support for DNS-over-HTTPS communication with client applications. This means that the filtering policy can be applied even when using this new DNS standard that ensures enhanced security and privacy.

Our ability to receive and respond to DNS requests will remain unaffected, so long as the filtered device is not using a browser (or other application) that disregards Operating System DNS settings in favour of other DNS services. Netsweeper is confident that DNS-over-HTTPS will not disrupt its filtering.

The Detail

The DNS-over-HTTPS protocol works by sending requests via an encrypted HTTPS connection, rather than the classic plaintext UDP requests in standard DNS. Not only is the request encrypted, but the DoH protocol also works at the app level rather than the OS level. These connections occur between a browser/app and a secure DoH-compatible DNS server.
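As an added example (not Netsweeper's or Schools Broadband's code), the sketch below builds the query a DoH client sends as an RFC 8484 GET request and shows how a DoH-capable DNS server can recover the queried name and apply a filtering policy to it. The `BLOCKED` list, the `policy` helper and the `.example` names are constructed for illustration.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

BLOCKED = {"blocked.example"}  # constructed policy list, for illustration only

def build_query(name, qtype=1):
    """DNS query in RFC 1035 wire format; ID 0 as RFC 8484 suggests for DoH."""
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)  # QCLASS = IN

def doh_get_path(query, path="/dns-query"):
    """Client side: the same bytes, base64url-encoded without padding."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"

def decode_doh_get(request_target):
    """Server side: recover the wire-format query from the 'dns' parameter."""
    b64 = parse_qs(urlsplit(request_target).query)["dns"][0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

def parse_question(query):
    """Return (qname, qtype) of the single question; ValueError if malformed."""
    if len(query) < 12 or struct.unpack("!H", query[4:6])[0] != 1:
        raise ValueError("expected a header with exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(query):
            raise ValueError("truncated name")
        n = query[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(query):
            raise ValueError("bad label length")
        labels.append(query[pos:pos + n].decode("ascii").lower())
        pos += n
    if pos + 4 > len(query):
        raise ValueError("truncated question")
    return ".".join(labels), struct.unpack("!H", query[pos:pos + 2])[0]

def policy(qname):
    """Block a name if it, or any parent domain, is on the list."""
    parts = qname.split(".")
    hit = any(".".join(parts[i:]) in BLOCKED for i in range(len(parts)))
    return "block" if hit else "allow"
```

The bytes produced by `build_query` are the same ones a classic resolver would receive in a UDP datagram; only the transport differs, which is why a server that terminates the HTTPS connection can still see and filter the name.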

This new protocol is a dream for privacy advocates. It’s a nightmare for governments, ISPs, and makers of network security solutions.

How Does DoH Affect Netsweeper?

DNS-over-HTTPS affects how a web browser translates a domain name into an IP address, a step that is a necessary part of today’s internet. HTTP/HTTPS web traffic will still flow the same as it would without DNS-over-HTTPS. DNS lookups and web traffic are two different types of communication that a web browser uses to access websites.

Proxy-based web filtering makes up most deployments. Web filtering for proxy-based education deployments looks at the HTTP/HTTPS web traffic. It does not look at the DNS traffic. This means that DNS-over-HTTPS does not affect filtering. There are considerations for operator/service providers using Netsweeper’s DNS-based filtering solution, but Netsweeper’s DNS filtering solution also handles DNS-over-HTTPS.

If you have any concerns regarding your school’s filtering, please contact 01133 222 333 or email: info@schoolsbroadband.co.uk