
Netskope Global Technical Success (GTS)

Block DNS traffic over TLS using Netskope


Netskope Cloud Version - 122


Objective

Create a policy to block DNS traffic over TLS using Netskope.


Prerequisite

A valid CFW and NG-SWG license.


Context

Blocking DNS over TLS ensures all DNS traffic is routed through company servers, enhancing visibility and control. It prevents policy evasion and reduces security risks from encrypted malicious domains.


Configuration

DNS over HTTPS (DoH) and DNS over TLS (DoT) are not supported protocols for Netskope steering (CASB, NG-SWG, NPA, CFW) and can be exploited by malicious actors. Therefore, Netskope strongly recommends configuring a policy to steer and block this traffic.

This document focuses on the steps to configure policies for blocking DoT. For best practices on handling DoH, please refer to https://docs.netskope.com/en/best-practices-for-utility-policies/


The first step is to create the DNS over TLS application from the Cloud Firewall settings. This application can later be used in real-time policies. Go to Settings > Security Cloud Platform > App Definition > Cloud & Firewall Apps and create a new application following the steps described in this document: https://docs.netskope.com/en/creating-a-firewall-app-definition-449298/

The application must be defined with port 853 on both TCP and UDP, the port DNS over TLS uses.


This application must be used in a Real-Time policy configured to block traffic.


As a best practice, place this policy at the top of your real-time policy set, alongside the DNS over HTTPS policy and the Threat Protection policies. Typically the first policy is the DoH block, so the DoT policy goes in the second position.
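To confirm the policy is effective once it is in place, here is an added Python probe (not part of this article and not a Netskope tool) that performs a complete DoT exchange on port 853 from a steered client; the resolver hostname you pass in is an assumption of your own choosing, and any result other than "blocked" means the traffic is not being caught.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # the TCP/UDP port the article's DoT app definition is built on (RFC 7858)
TXID = 0x1234   # fixed transaction id so the answer can be matched to the probe query

def build_dot_query(name: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """DNS query in wire format, prefixed with the 2-byte length field RFC 7858 requires."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_dot_frame(buf: bytes) -> dict:
    """Decode the DNS header inside one length-prefixed DoT frame (query or answer)."""
    if len(buf) < 2:
        raise ValueError("frame shorter than the 2-byte length prefix")
    (length,) = struct.unpack("!H", buf[:2])
    msg = buf[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS message inside the frame")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "rcode": flags & 0xF, "qdcount": qd, "ancount": an}

def probe_dot(resolver: str, timeout: float = 5.0) -> tuple:
    """Attempt a full DoT exchange with resolver:853 from a steered client.
    Returns ("blocked", reason) when no usable DNS answer arrives, which is the
    expected outcome behind a working block policy, else ("reachable", ancount)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((resolver, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=resolver) as tls:
                tls.sendall(build_dot_query("example.com"))
                prefix = tls.recv(2)
                (length,) = struct.unpack("!H", prefix)
                body = b""
                while len(body) < length:  # TLS records may split the answer
                    chunk = tls.recv(length - len(body))
                    if not chunk:
                        raise ConnectionError("connection closed mid-answer")
                    body += chunk
        answer = parse_dot_frame(prefix + body)
        if answer["txid"] != TXID:
            return ("blocked", "answer did not match the probe transaction id")
        return ("reachable", answer["ancount"])
    except (OSError, ValueError, struct.error) as exc:  # refused/reset/timeout/TLS/framing
        return ("blocked", type(exc).__name__)
```

Run `probe_dot("<resolver hostname>")` from a device whose traffic is steered through Netskope; the second element of a "blocked" result names the failure (for example ConnectionResetError or timeout) and helps tell a working block from a resolver that is simply down.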

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.
