4.7 Ensure 'Controls the mode of DNS-over-HTTPS' is set to 'Enabled: DNS-over-HTTPS without insecure fallback'

Information

This controls the mode of the DNS-over-HTTPS resolver. Please note that this setting will only set the default mode for each query. The mode may be overridden for special types of queries, such as requests to resolve a DNS-over-HTTPS server hostname.

Disable DNS-over-HTTPS (off)

Enable DNS-over-HTTPS with insecure fallback (automatic) - Sends DNS-over-HTTPS queries first if a DNS-over-HTTPS server is available and may fall back to sending insecure queries on error.

Enable DNS-over-HTTPS without insecure fallback (secure) - Sends only DNS-over-HTTPS queries and fails to resolve on error.

The recommended state for this setting is: Enabled with a value of Enable DNS-over-HTTPS without insecure fallback (secure).

Note: When enabling this policy, it is recommended to also configure the DnsOverHttpsTemplates policy so that the URI templates are set. You can find out more information on the DnsOverHttpsTemplates enterprise policy site.

Rationale:

DNS over HTTPS (DoH) has two primary benefits:

Encrypting DNS name resolution traffic helps to hide your online activities, since DoH hides the name resolution requests from the ISP and from anyone listening on intermediary networks.

DoH also helps to prevent DNS spoofing and man-in-the-middle (MitM) attacks.

Impact:

Not all DNS providers support DoH, so choice is limited. Also, enterprises sometimes monitor DNS requests to block access to malicious or inappropriate sites. DNS monitoring can also sometimes be used to detect malware attempting to 'phone home.' Because DoH encrypts name resolution requests, it can create a security monitoring blind spot.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled: Enable DNS-over-HTTPS without insecure fallback:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Controls the mode of DNS-over-HTTPS
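As an added example (not part of the benchmark or of Chrome's own tooling), the following PowerShell audits and remediates the setting on a single host. It assumes that the Group Policy path above is backed by the registry value DnsOverHttpsMode under HKLM:\SOFTWARE\Policies\Google\Chrome, with the string values 'off', 'automatic' and 'secure'; those registry identifiers are not named on this page.

```powershell
# Added helper: audit and remediate the Chrome DoH mode policy (CIS 4.7).
# Assumption: the policy is stored as DnsOverHttpsMode (REG_SZ: off/automatic/secure)
# under HKLM:\SOFTWARE\Policies\Google\Chrome; these names are not on the page.
$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Test-ChromeDohMode {
    [CmdletBinding()]
    param([string]$Path = $ChromePolicyKey)

    $mode      = (Get-ItemProperty -Path $Path -Name 'DnsOverHttpsMode'      -ErrorAction SilentlyContinue).DnsOverHttpsMode
    $templates = (Get-ItemProperty -Path $Path -Name 'DnsOverHttpsTemplates' -ErrorAction SilentlyContinue).DnsOverHttpsTemplates
    $modeText  = if ($mode) { "$mode".ToLowerInvariant() } else { 'unset' }

    $result = [pscustomobject]@{
        Mode      = $modeText
        Templates = $templates
        Compliant = $false
        Finding   = ''
    }

    switch ($modeText) {
        'secure'    { $result.Compliant = $true
                      $result.Finding = 'DoH only; insecure fallback disabled.' }
        'automatic' { $result.Finding = 'DoH with insecure fallback: plaintext DNS may still be used on error.' }
        'off'       { $result.Finding = 'DoH disabled: all name resolution is plaintext.' }
        default     { $result.Finding = 'Policy unset: behaves as automatic, or may revert to off under other management.' }
    }

    # Per the note on the page: secure mode needs DnsOverHttpsTemplates, otherwise no resolver is available.
    if ($result.Compliant -and [string]::IsNullOrWhiteSpace($templates)) {
        $result.Finding += ' DnsOverHttpsTemplates is not set; configure it alongside this policy.'
    }
    return $result
}

function Set-ChromeDohMode {
    # Remediation: write the recommended value plus the resolver URI template the page says to set.
    param(
        [string]$Path = $ChromePolicyKey,
        [Parameter(Mandatory)][string]$Template   # your organisation's DoH URI template
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name 'DnsOverHttpsMode'      -Value 'secure'  -Type String
    Set-ItemProperty -Path $Path -Name 'DnsOverHttpsTemplates' -Value $Template -Type String
}

Test-ChromeDohMode | Format-List
```

Run the audit function in an elevated session on a domain-joined host to confirm the Group Policy result; Set-ChromeDohMode is for standalone machines where the value is written directly.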

Default Value:

Unset (same as Enable DNS-over-HTTPS with insecure fallback (automatic)). If any policy is set, whether through domain membership or an active policy from cloud management (or profile lists), then it sometimes reverts to Disable DNS-over-HTTPS and users can't change it.

See Also

https://workbench.cisecurity.org/benchmarks/8691

Item Details

Category: ACCESS CONTROL, AWARENESS AND TRAINING, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|AT-2, 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1)

Plugin: Windows

Control ID: 5613f6119e5f3b4410d9dd0b533dab3ba9a143c33780ba831170955e8725fd61