DNS over HTTPS last resort? - roaming client
Hi all,
Just starting out with DNS Filter, and I had an issue where the roaming client was showing as offline. This wasn't too surprising, as the local firewall was not set up to allow DNS (53) outbound to the internet.
In the logs I could see that the roaming client was attempting to run queries using DNS over TLS (853), which was also blocked.
With both of these failing I could see why the client was offline, but it was visible in the online portal and had reporting (443 / 80 outbound were not limited).
In this scenario, why does the client not attempt to use DNS over HTTPS? This would allow the roaming client to function and not 'fail open'. I understand why it's not the preferred method (it's not as fast, etc.), but if ports 53 / 853 are not working, why not resort to DNS over HTTPS to function?
-
Hi there, Saqib Sabir! Thanks for taking the time to share your experience: great observation and troubleshooting on your part.
You're absolutely right that DNS over HTTPS (DoH) fallback could provide another layer of resilience when traditional DNS (port 53) and DNS over TLS (port 853) are blocked. This exact functionality—DoH support, particularly in scenarios like the one you described—is currently a feature request under consideration by our product team.
If you haven’t already, I’d recommend upvoting and following this Canny post: DNS over HTTPS support for routers. While the title mentions routers, the underlying request aligns closely with your use case. Following the post will also ensure you're notified of any updates or progress on this front.
Appreciate your thoughtful feedback—it helps shape the future of DNSFilter!
-
Thanks, Minetta Gould. I've upvoted the post on Canny and added that I would like to see DoH functionality in the roaming client.
I'm surprised the request is still in the planning phase; it seems like a no-brainer. Using 443 outbound for DNS would be difficult to block without deep packet inspection (SSL decryption), so it's ideal for circumventing local DNS restrictions, the kind of environment that roaming clients will be in, which is why browsers like Chrome / Firefox etc. have all built the functionality directly into their products.
-
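The fallback order discussed in the opening post (plain DNS on 53, then DoT on 853, then DoH on 443) is easy to check for yourself from the roaming host. The script below is an added example, not DNSFilter code and not anything from this thread: it builds a wire-format DNS query, tries each transport in turn against a public resolver, and reports which ones the local firewall lets through. It assumes a resolver reachable by IP whose TLS certificate carries that IP as a SAN (true for 1.1.1.1 and 8.8.8.8; adjust the address if you point it elsewhere), and it talks to the resolver by IP on purpose, because in the scenario described you cannot resolve the resolver's hostname over port 53 in the first place.

```python
"""Probe which DNS transports a host can actually use: UDP/53, DoT/853, DoH/443.

Added example for this thread (not DNSFilter's own code). Assumes the resolver
IP's certificate has an IP SAN, which holds for 1.1.1.1 and 8.8.8.8.
"""
import http.client
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: 12-byte header (RD set) + one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN


def parse_answer_count(resp: bytes, txid: int) -> tuple:
    """Return (rcode, ancount) from a response header; reject id mismatches."""
    if len(resp) < 12:
        raise ValueError("short response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, an


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_udp(ip: str, query: bytes, timeout: float = 2.0) -> bytes:
    """Classic DNS: one datagram out on 53, one back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        return s.recv(4096)


def probe_dot(ip: str, query: bytes, timeout: float = 2.0) -> bytes:
    """DNS over TLS (RFC 7858): TLS on 853, messages prefixed by 2-byte length."""
    ctx = ssl.create_default_context()  # verifies the cert against the IP SAN
    with socket.create_connection((ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=ip) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


def probe_doh(ip: str, query: bytes, timeout: float = 2.0) -> bytes:
    """DNS over HTTPS (RFC 8484): POST the wire-format message to /dns-query on 443."""
    conn = http.client.HTTPSConnection(ip, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("POST", "/dns-query", body=query,
                     headers={"Content-Type": "application/dns-message",
                              "Accept": "application/dns-message"})
        r = conn.getresponse()
        if r.status != 200:
            raise ValueError(f"HTTP {r.status}")
        return r.read()
    finally:
        conn.close()


def select_transport(probes, query: bytes, txid: int) -> tuple:
    """Try (name, callable(query) -> bytes) pairs in order.

    Returns ((name, rcode, ancount) of the first transport that answers, or None,
    and a list of (name, reason) for every transport that failed before it.
    """
    failures = []
    for name, probe in probes:
        try:
            rcode, an = parse_answer_count(probe(query), txid)
            return (name, rcode, an), failures
        except (OSError, ValueError, http.client.HTTPException) as e:
            failures.append((name, f"{type(e).__name__}: {e}"))
    return None, failures


if __name__ == "__main__":
    import secrets
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else "1.1.1.1"
    txid = secrets.randbelow(65536)
    q = build_query("example.com", txid=txid)
    probes = [("udp/53", lambda m: probe_udp(ip, m)),
              ("dot/853", lambda m: probe_dot(ip, m)),
              ("doh/443", lambda m: probe_doh(ip, m))]
    winner, failures = select_transport(probes, q, txid)
    for name, why in failures:
        print(f"{name}: blocked or failed ({why})")
    print("first usable transport:", winner)
```

On a host in the situation described above, the first two probes should end in a timeout or a refused connection and the DoH probe should answer, which is exactly the fallback the roaming client is being asked to perform. Two caveats a practitioner will want: a firewall can still stop DoH without decrypting TLS by blocking the IPs or SNI of known resolvers, and a TLS-intercepting proxy that does see the request can drop it on the application/dns-message content type, so "443 is open" is not quite the same as "DoH works".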
Saqib Sabir Totally hear you—DoH makes a lot of sense for exactly the reasons you laid out (Chrome and Firefox knew what they were doing!).
It’s on our roadmap for Q3, so it’s not forgotten, just waiting its turn in a very competitive feature lineup. Thanks for upvoting and commenting on Canny; you’ll be the first to know when it starts moving!