Recursive DNS communications are normally unencrypted between a client and a resolver. In an effort to improve user privacy and address security concerns, Mozilla announced it would begin enabling DNS over HTTPS (DoH) by default in its Firefox browser. However, Mozilla recognized it would be necessary in some cases for enterprises to be able to inspect DNS traffic to enforce security controls. Consequently, Firefox also supports a "Network Signal" that, when used, automatically disables DoH in the browser.
Enterprise Threat Protector (ETP) leverages this "Network Signal," which requires disabling the default DoH behavior in Firefox. This disabling behavior will apply automatically for ETP customers. However, if a user has explicitly configured Firefox to employ DoH, the ETP service will be bypassed.
For enterprises that may be concerned about this, there are a number of ways to address the situation:
- Use patch management software to prevent the installation and use of Firefox in the enterprise.
- Purchase Firefox for Enterprise, which enables administrators to centrally manage and disable access to DoH settings
- Consider using the beta ETP Secure Web Gateway (a free upgrade for ETP Advanced Threat customers), which will on-ramp all HTTP traffic to a web proxy where it will be protected, thus preventing a bypass.
If you have any questions about DoH and Enterprise Threat Protector, please contact your Akamai representative.