The Infoblox DNS over HTTPS (DoH) Solution
Infoblox provides a DNS over HTTPS (DoH) service as well as DoH feeds to block open DoH infrastructure. This comprehensive solution includes multiple tools to provide extensive coverage and robust performance for your organization's network. For DoH, we use the IP addresses 103.80.6.200 and 52.119.41.200, which are separate from the DoT service so that DoH and DoT traffic never overlap on the wrong port.
Key features of the Infoblox DoH solution are:
Policy threat intelligence feed for DoH: The policy threat intelligence feed for DoH lets an organization control which DNS access method its clients may use, so that threats are still detected and mitigated by the enterprise resolver. In practice, the feed enforces security policy by blocking known DoH servers and the associated Firefox “canary” domains. This feed can be configured in Infoblox Portal.
DoH Feed in Infoblox Portal: The portal provides a regularly updated data set to the Infoblox TIDE platform. The data set includes well-known DoH servers that can be used to block access in accordance with enterprise security policies. The Public_DoH and Public_DoH_IP feeds are available for all Infoblox Threat Defense subscriptions.
DoH Policy feed for known DoH domains and IPs: The feed adds a new data set of domains and IP addresses for known DoH providers to Infoblox TIDE. This policy feed allows customers to extract this data set when enabling blocking using existing security platforms, such as next-generation firewalls, and can also be used for threat investigation to detect DoH servers used in malicious activity.
Dossier update of DoH domains/IPs: Using Dossier, users can determine whether a domain or an IP is associated with a public DoH service that could bypass on-premises DNS security. Due to allow-listing, not all domains in the RPZ are in TIDE and Dossier.
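The feeds above are consumed by two kinds of enforcement point: the resolver (via RPZ, which also answers the Firefox canary domain) and existing security platforms such as next-generation firewalls, plus log review for threat investigation. The script below is an added example, not Infoblox code and not an actual feed export: it takes a constructed "type,value" data set standing in for the Public_DoH / Public_DoH_IP feeds, emits an RPZ zone and a firewall CIDR list, and flags DNS query-log lines that look up a listed DoH server or the canary. The zone origin, the log format and every host and address in it are assumptions.

```python
"""Turn a DoH domain/IP data set into an RPZ zone and a firewall block list,
and check resolver query logs for lookups of listed DoH servers.

Added example, not Infoblox's code. The feed rows and log lines below are
constructed samples; none of the names or addresses come from a real feed.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample standing in for a Public_DoH / Public_DoH_IP export.
SAMPLE_FEED = """\
host,doh.example-resolver.test
host,dns.example-provider.test
ip,192.0.2.10
ip,2001:db8::53
ip,198.51.100.0/24
"""

# Firefox resolves this name before enabling DoH; an NXDOMAIN answer from the
# local resolver keeps the browser on the network's DNS (Mozilla's documented
# canary mechanism). Listed here because the page mentions canary blocking.
FIREFOX_CANARY = "use-application-dns.net"

# Assumed BIND-style query log line: "client 10.1.2.3#5353 (name): query: name IN A +"
LOG_RE = re.compile(
    r"client (?P<client>\S+)#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

SAMPLE_LOG = """\
client 10.1.2.3#5353 (doh.example-resolver.test): query: doh.example-resolver.test IN A +
client 10.1.2.4#4412 (www.intranet.test): query: www.intranet.test IN A +
client 10.1.2.3#5360 (use-application-dns.net): query: use-application-dns.net IN A +
"""


def parse_feed(text):
    """Split a 'type,value' feed into a set of host names and a list of networks."""
    hosts, nets = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        if kind == "host":
            hosts.add(value.lower().rstrip("."))
        elif kind == "ip":
            # strict=False lets a bare host address become a /32 or /128
            nets.append(ipaddress.ip_network(value, strict=False))
    return hosts, nets


def rpz_ip_trigger(net):
    """RPZ response-IP trigger: <prefixlen>.<reversed octets>.rpz-ip (IPv4 only here)."""
    if net.version != 4:
        return None  # IPv6 rpz-ip encoding is left to the firewall list below
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def rpz_zone(hosts, nets, origin="doh.rpz.local"):
    """Build an RPZ zone returning NXDOMAIN (CNAME .) for DoH hosts, DoH answer IPs and the canary."""
    serial = datetime.now(timezone.utc).strftime("%Y%m%d01")
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ SOA localhost. admin.{origin}. {serial} 3600 600 86400 300",
        "@ NS localhost.",
        f"{FIREFOX_CANARY} CNAME .",
        f"*.{FIREFOX_CANARY} CNAME .",
    ]
    for h in sorted(hosts):
        lines.append(f"{h} CNAME .")
        lines.append(f"*.{h} CNAME .")
    for net in nets:
        trigger = rpz_ip_trigger(net)
        if trigger:
            lines.append(f"{trigger} CNAME .")
    return "\n".join(lines) + "\n"


def firewall_blocklist(nets):
    """One CIDR per line, suitable for an NGFW address-group import (covers IPv6 too)."""
    return "\n".join(str(n) for n in nets) + "\n"


def find_doh_lookups(log_text, hosts):
    """Return (client, qname) pairs for queries that hit a listed DoH host or the canary."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if (qname == FIREFOX_CANARY or qname in hosts
                or any(qname.endswith("." + h) for h in hosts)):
            hits.append((m.group("client"), qname))
    return hits


if __name__ == "__main__":
    hosts, nets = parse_feed(SAMPLE_FEED)
    print(rpz_zone(hosts, nets))
    print(firewall_blocklist(nets))
    for client, qname in find_doh_lookups(SAMPLE_LOG, hosts):
        print(f"DoH lookup from {client}: {qname}")
```

The canary entry is the detail worth checking when you deploy something like this: Firefox only stays on the enterprise resolver if the canary name returns NXDOMAIN, which is what `CNAME .` produces under RPZ, whereas a redirect to a sinkhole address would not have the same effect.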