DNS over HTTPS – What Schools Need to Know about Web Filtering with DoH

School web filtering evolves with DoH

Recently, Mozilla announced its plans to implement the DNS-over-HTTPS (DoH) protocol by default in the Firefox browser starting in late September. Soon after, Google announced its intention to do the same for the Chrome browser. The implications for web filtering and schools could be big. Learn what DoH means for schools that need to filter traffic and protect students.

What is DoH?

DoH stands for DNS over HTTPS. DNS stands for Domain Name System; it’s the system that matches a site’s domain name (like www.something.com) to its IP addresses, which makes it easy to browse the web and get to your favorite sites. Historically, all of that has happened over an unencrypted DNS connection. As the name DNS over HTTPS implies, DoH takes DNS and shifts it to a secure, encrypted HTTPS connection.

Why DoH?

Mozilla and Google are making these changes to bring the security and privacy benefits of HTTPS to DNS traffic. All those warnings about the security risks of public WiFi? With DoH, you’re protected against other WiFi users seeing what websites you visit because your activity would be encrypted. DoH can also add protection against spoofing and pharming attacks and can prevent your network service providers from seeing your web activity.

What does DoH mean for schools?

DoH prevents network services from seeing web traffic – but seeing web traffic is something schools rely on for web filtering and reporting. Much like Google’s move to encrypted search and other services years ago, while this can bring greater privacy and security to many users, it can also have big, negative implications for schools. Schools rely on the ability to see student traffic to provide essential services like filtering, monitoring, and reporting on school-owned devices.

When does DoH take effect?

Firefox has already started to gradually shift to DoH. Chrome is expected to start shifting some traffic by the end of the year.

Does this impact your school?

If you rely on DNS for school web filtering, you may be affected: without proper preparation or solutions, traffic can’t be reliably blocked and your filtering may be ineffective. For our Lightspeed Systems customers, we have you covered.

Is Lightspeed Systems DoH ready?

  • If you’re using Lightspeed Filter™, you’ll be ready for DoH because our Smart Agents™ are installed on the device to provide the most granular, decrypted school web filtering; they don’t use DNS.
  • Our Lightspeed Rocket™ (for BYOD and IoT traffic) uses DNS, but we’ve prepared our technology for DNS over HTTPS and the Rocket will block the DoH domains so traffic is forced back to standard DNS where it can be seen, filtered, and reported.
  • Inline Rocket Web Filter customers will also be able to filter traffic across DoH.
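The "block the DoH domains" approach described above can be sketched at the DNS level. This is an added example, not Lightspeed's implementation: it parses a plain DNS query and answers NXDOMAIN when the name is a DoH resolver hostname. The hostname list, function names, and sample queries are assumptions constructed for illustration.

```python
import struct

# Assumed sample list (not from the article); a deployment would use a maintained feed.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

def build_query(name, txid=0x1234):
    """Construct a standard A-record query (sample input for this example)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(packet, offset=12):
    """Return (lowercased name, offset just past the name) for the first question."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated question")
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels).lower(), offset
        if length > 63:
            raise ValueError("compressed or invalid label in question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length

def is_doh_host(name):
    """Match a listed resolver hostname or any subdomain of it."""
    return any(name == h or name.endswith("." + h) for h in DOH_HOSTS)

def filter_query(packet):
    """Return an NXDOMAIN reply for DoH resolver names, or None to forward as usual."""
    if len(packet) < 17:
        raise ValueError("packet too short for a DNS question")
    name, end = parse_qname(packet)
    if end + 4 > len(packet) or not is_doh_host(name):
        return None
    txid, flags = struct.unpack("!HH", packet[:4])
    # QR=1, keep opcode and RD, set RA, RCODE=3 (NXDOMAIN)
    reply_flags = 0x8000 | (flags & 0x7900) | 0x0080 | 3
    header = struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0)
    return header + packet[12:end + 4]  # echo the question section

if __name__ == "__main__":
    for host in ("mozilla.cloudflare-dns.com", "www.example.com"):
        reply = filter_query(build_query(host))
        print(host, "->", "NXDOMAIN" if reply else "forward")
```

A client configured with a resolver's IP address instead of its hostname never issues this lookup, so a name-based block does not cover it.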

What should users of other web filters do?

If you’re not using Lightspeed Systems solutions, make sure that you will be able to effectively filter all traffic even with these shifts to DoH.

  • If you’re using a different DNS Filter, or a DNS feature of other cloud-based filters for school web filtering, reach out to your provider to discuss if you’ll be able to ensure ongoing filtering with DoH.
  • If you’re using an inline filter, you will be able to effectively filter over DoH (but you may be missing out on other benefits a cloud solution can provide).