Is there an ability specify to exclusions for DNS-over-HTTPs requests?

%3CLINGO-SUB%20id%3D%22lingo-sub-2699280%22%20slang%3D%22en-US%22%3EIs%20there%20an%20ability%20specify%20to%20exclusions%20for%20DNS-over-HTTPs%20requests%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2699280%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ESetup%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EEdge%20current%20branch%3C%2FP%3E%3CP%3EDNS%20over%20HTTPs%20is%20set%20up%20and%20working%20prooved%20by%20Edge%20Logging%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22kwesterebbinghaus_1-1630340426956.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F306705i559C7A2E4226E38F%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22kwesterebbinghaus_1-1630340426956.png%22%20alt%3D%22kwesterebbinghaus_1-1630340426956.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EProblem%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3Ewe%20have%20a%20webpage%20that%20is%20available%20from%20Public%20DNS%20but%20when%20opened%20from%20internal%20network%20it%20needs%20to%20resolve%20with%20internal%20AD%20DNS.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EExamples%20%2F%20Usecases%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3Escenario%201%3A%3C%2FP%3E%3CP%3EUser%20opens%20Edge%3C%2FP%3E%3CP%3Eopens%20portal.contoso.com%20from%20external%20network%3C%2FP%3E%3CP%3EPortal.contoso.com%20resolves%20to%20the%20public%20DNS%20entry%20of%20contoso.com%20via%20DNS%20over%20HTTPS%20using%20Cloudflare%20or%20any%20other%20provider%20specified.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eexpected%20behaviour%3A%20as%20above%20(by%20design)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Escenario%202%3A%3C%2FP%3E%3CP%3EUser%20opens%20Edge%3C%2FP%3E%3CP%3Eopens%20portal.contoso.com%20from%20%3CSTRONG%3Einternal%20%3C%2FSTRONG%3Enetwork%3C%2FP%3E%3CP%3EPortal.contoso.com%20resolves%20to%20the%20public%20DNS%20entry%20of%20contoso.com%20via%20DNS%20over%20HTTPS%20using%20Cloudflare%20or%20any%20other%20provider%20specified.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eexpected%20behaviour%3A%20as%20above%20(by%20design)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Erequired%20behaviour%3A%3C%2FP%3E%3CP%3Eportal.contoso.com%20should%20resolve%20over%20local%20DNS%20(AD%20DNS)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EFeature%20Request%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EWe%20need%20a%20GPO%20control%20to%20specify%20that%20portal.contoso.com%20should%20first%20resolve%20to%20local%20DNS%20(AD%20DNS).%3C%2FP%3E%3CP%3EMeans%20a%20list%20object%2C%20json%20or%20csv%20in%20ADMX.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfaik%20there%20is%20no%20ability%20to%20do%20so.%20Other%20products%20like%20Firefox%20is%20reportingly%20able%20to%20specify%20exclusions.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAre%20there%20other%20ideas%20how%20to%20solve%20this%2C%20or%20is%20this%20a%20FR%20that%20is%20already%20in%20milestone%20or%20backlog%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2699280%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ems-Edge%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2700150%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20an%20ability%20specify%20to%20exclusions%20for%20DNS-over-HTTPs%20requests%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2700150%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F534494%22%20target%3D%22_blank%22%3E%40kwester-ebbinghaus%3C%2FA%3E%26nbsp%3BHello!%26nbsp%3B%20There%20are%20a%20couple%20of%20policies%20for%26nbsp%3BDNS-over-HTTPS.%26nbsp%3B%20Would%20these%20be%20able%20to%20help%20your%20scenario%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CP%20class%3D%22heading-anchor%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23dnsoverhttpsmode%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EDnsOverHttpsMode%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%20id%3D%22supported-versions-202%22%20class%3D%22heading-anchor%22%3E%3CP%20class%3D%22heading-anchor%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23dnsoverhttpstemplates%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EDnsOverHttpsTemplates%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThanks!%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E-Kelly%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

 

Setup:

Edge current branch

DNS over HTTPs is set up and working prooved by Edge Logging

kwesterebbinghaus_1-1630340426956.png

 

 

 

Problem:

we have a webpage that is available from Public DNS but when opened from internal network it needs to resolve with internal AD DNS.

 

 

Examples / Usecases:

scenario 1:

User opens Edge

opens portal.contoso.com from external network

Portal.contoso.com resolves to the public DNS entry of contoso.com via DNS over HTTPS using Cloudflare or any other provider specified.

 

expected behaviour: as above (by design)

 

scenario 2:

User opens Edge

opens portal.contoso.com from internal network

Portal.contoso.com resolves to the public DNS entry of contoso.com via DNS over HTTPS using Cloudflare or any other provider specified.

 

expected behaviour: as above (by design)

 

required behaviour:

portal.contoso.com should resolve over local DNS (AD DNS)

 

Feature Request:

We need a GPO control to specify that portal.contoso.com should first resolve to local DNS (AD DNS).

Means a list object, json or csv in ADMX.

 

Afaik there is no ability to do so. Other products like Firefox is reportingly able to specify exclusions.

 

 

Are there other ideas how to solve this, or is this a FR that is already in milestone or backlog?

 

 

2 Replies

@kwester-ebbinghaus Hello!  There are a couple of policies for DNS-over-HTTPS.  Would these be able to help your scenario?  

 

Thanks! 

 

-Kelly

Hello @Kelly_Y we are actively using these ADMX as stated but so far it seems not to be possible to exclude certain addresses.
That's why I asked if this is something I missed in the docs or if we can please have these as a feature request.

The current workaround is to disable this feature for the usecase.
What do you think?