Can DNS over HTTPS settings be fixed to provide support for authentication via client certificates?

Was told to try posting this here… Originally posted it over all Firefox community support…

DoH is a big initiative for Mozilla right now and soon will be enabled by default in the US in the near future. While a great tool, I believe the companies can benefit as well. Most users have laptops. Laptops leave the confines of the office regularly. Why not have laptops configured so that they point to a companies DNS infrastructure when not in the office? The benefit would be that any filtering/monitoring being done via DNS no longer is limited to when devices are on the company network!

This would require companies exposing DNS to the internet which is considered a bad idea. DNS will expose internal secrets and let the bad guys probe the architecture of the network for information they can use later. Adding authentication to the DoH solution would allow companies to leverage their internal certificate infrastructure and already deployed client certificates to protect that DNS information.

TLS mutual auth via client certificates is part of the SSL/TLS protocol already in use by DoH and there is nothing in the RFC to prevent this from being a possibility.

Is this something that can be added to the roadmap (or is it already on the roadmap)?


1 Like