Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Encrypted client hello

Chris3
Here to help
‎Oct 8 2023 3:49 PM
‎Oct 8 2023 3:49 PM

Encrypted client hello

Hi 

I saw an update in browsers about websites using encrypted client hello for dns.

apparently protects dns better from isp etc.

 

Does this make any changes to how Meraki devices work? Filtering etc?

0 Kudos
Subscribe
4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 8 2023 3:55 PM
‎Oct 8 2023 3:55 PM

This probably won't change anything since the MX doesn't do SSL inspection.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 9 2023 12:24 PM
‎Oct 9 2023 12:24 PM

If you are referring to DNS over HTTPS, it will:

  • Break firewall rules that use FQDN
  • Reduce the ability to monitor connections

Personally, I block this traffic, and if the network supports policies (such as Intune, Active Directory), I disable it via policy.

0 Kudos
Subscribe
Chris3
Here to help
‎Oct 12 2023 10:48 PM
‎Oct 12 2023 10:48 PM

Thanks guys for the knowledge. I’ll look to adjust. 🙂

0 Kudos
Subscribe
AlexP
Meraki Employee
Meraki Employee
‎Oct 13 2023 2:11 PM
‎Oct 13 2023 2:11 PM

To be explicit here, yes, ECH will pose a problem for some features on MX. Explicitly, Content Filtering relies on being able to see the domain the client is attempting to communicate with, which is contained in the Server Name Information (SNI) field of a TLS header during the initial handshake.

 

This works just fine for TLS 1.2, and TLS1.3 when ECH is NOT in use, but any extensions to TLS1.3 that obfuscate this information will prevent it from functioning.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.