Encrypted SNI death blow to transparent filtering

Posted October 3, 2018 by David Redekop to DNS Security

Encrypted SNI, announced by Cloudflare this past week, is a positive move towards privacy and security. It ensures that, along the path from your browser all the way to the host you’re contacting, even the hostname (for example dnsthingy.com) isn’t visible to anyone observing the traffic.

However, the side effect of this natural progression of encryption is that gateways which depend on SNI for Internet filtering can no longer do so once Encrypted SNI is deployed. This technique, known as transparent filtering, is used by Squid and many other SSL filtering gateways.
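As an added illustration (not code from the original post or from any of the products it mentions), here is the check a transparent SNI filter relies on: a minimal parser that pulls the plaintext server_name out of a TLS ClientHello. The ClientHello builder and the ESNI payload are constructed test data; the 0xffce code point is the one the ESNI drafts assigned to encrypted_server_name, an assumption about the draft version in circulation at the time.

```python
import struct

# server_name is extension type 0 (RFC 6066); 0xffce is the code point the
# ESNI drafts used for encrypted_server_name (assumption: draft in use in 2018).
EXT_SERVER_NAME = 0x0000
EXT_ENCRYPTED_SNI = 0xFFCE

def build_client_hello(extensions: bytes) -> bytes:
    """Wrap the given extensions in a minimal, constructed TLS ClientHello record."""
    body = b"\x03\x03" + b"\x00" * 32              # client_version + all-zero random
    body += b"\x00"                                 # empty session id
    body += b"\x00\x02\x13\x01"                     # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                             # null compression only
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=client_hello, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_extension(hostname: str) -> bytes:
    """Plaintext server_name extension carrying a single host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type=host_name
    data = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data

def esni_extension(opaque: bytes) -> bytes:
    """encrypted_server_name extension: the gateway only ever sees opaque bytes."""
    return struct.pack("!HH", EXT_ENCRYPTED_SNI, len(opaque)) + opaque

def extract_sni(record: bytes):
    """Return the plaintext SNI hostname as a transparent filter would see it, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                 # not a handshake record / not ClientHello
    pos = 9 + 2 + 32                                # skip headers, version and random
    pos += 1 + record[pos]                          # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                          # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + length]
        if ext_type == EXT_SERVER_NAME and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
        pos += 4 + length
    return None   # ESNI-only ClientHello: nothing left for the gateway to match a policy against
```

With the plaintext extension the filter recovers the hostname and can apply its policy; with only the encrypted extension it gets None, which is exactly the failure mode the post describes.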

On the other hand, the good news is that DNS-based filtering remains as powerful as ever. In fact, DNS-based filtering has a significant advantage over proxy-based technology for these reasons:

  • Lower RAM and storage requirements on the gateway, such as pfSense (the gateway only answers a DNS query, rather than inspecting packets and caching page contents)
  • Faster end-user experience (in the time it takes to resolve a DNS query, the end user learns whether the destination is blocked or allowed)
  • Better compatibility – no more worries about end-user applications that don’t work properly behind a proxy
  • Better IoT security control and connectivity

It is clear that DNS-based filtering is here to stay. Watch for news on how DNS over TLS and DNS over HTTPS have a future on-premises, providing the best of security and privacy while also supporting system administrators in their responsibility to provide security at the gateway.