Re: DNS over HTTPS changes

["LaPorte, David" <david_laporte () HARVARD EDU>]

I haven’t seen much mention of the impact of DoH on captive portal-based user on-boarding, which we rely on to 
bootstrap users to our EAP-TLS wireless network.  I would expect DoH to break that, any reason to believe otherwise?

Dave

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Kevin Wilcox 
<wilcoxkm () APPSTATE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, September 25, 2019 at 11:35
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] DNS over HTTPS changes


On Wed, 25 Sep 2019 at 08:32, Barros, Jacob <jkbarros () grace edu<mailto:jkbarros () grace edu>> wrote:

Specifically, for institutionally managed devices are you disabling DNS over HTTPS in your browsers?  For non-managed 
devices, is there intent to block DNS over HTTPs or TLS and if so what would your reasons be for doing so?

Aye we'll disable it via browser config for managed/University-owned devices with plans to blacklist any known DoH 
servers via DNS and DNS over TLS servers by IP for University "business" networks.

For students and "guests", we wouldn't dare - we are their ISP, we stay very hands-off with them.

Has anyone published information for students on how this might impact them?  I know Cisco has published workarounds if 
there is an issue with Umbrella/OpenDns.  Are there other services that you're concerned about?

My biggest concern with students is sending all of their DNS searches to companies with a vested interest in monetising 
their data, but the illusion of privacy and industry-introduced security theatre is often more persuasive than the 
reality and it's their choice to make.

kmw

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMFaQ&c=WO-RGvefibhHBZq3fL85hQ&r=MOrPzn96ki798xbUwXJc6Hbb8ZwV-Df1GCkE26WPyzg&m=dp6v2idxnegFfhYPSi7ktRNvQFkVlj12csB8mDc4_Vk&s=W60a7hDlMPjeRYlZcF-ZVucZZ-lUTKU3VhtLRVl3MLo&e=>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community