
Recently, I had the opportunity to listen to an educator who has turned every knob to prevent inappropriate content from reaching his students. I let him know that some changes about to occur on the Internet would affect the ability to filter out websites of concern, that only certain measures would continue to work, and that this was, of course, driven by economics.
If the rollout is successful, this change will likely catch many by surprise. This post is written to assist those tasked with determining options to maintain policies or those who may step in to assist their local schools.
As he reviewed the existing security controls, it was reassuring to confirm that the measures they had chosen would remain effective. The browser’s built-in endpoint protections — Chrome, in this case — were actively in use. Since Encrypted Client Hello (ECH) secures the session between the browser and the Content Delivery Network (CDN), browser-managed controls will continue to function as expected.
These options include the use of SafeBrowsing to filter out known harmful content. SafeBrowsing is a service run by Google that has been integrated into every major browser and is a well-regarded solution. Although this measure is a good one, he (the educator) knows those behind inappropriate content target children and find ways to slip through controls. With this in mind, he is interested in having additional protections in place. We’ll explore the other options that will continue to work for broader awareness.
A while back he had considered a tool that sits in the middle of connections, between the browser and the web server (or CDN). This type of solution may be referred to as a web proxy with content filtering services or as a ‘middlebox’, as it intercepts traffic intended for another endpoint. Once ECH is deployed and enabled, these tools will have diminished value when the content originates from a CDN.
To have visibility of the true destination web server instead of the CDN, ECH must be disabled in the browser. In managed environments, this can be done through browser control settings. Disabling ECH prevents the browser and the CDN from negotiating its use, allowing middlebox inspection points to maintain the required visibility. Without ECH, the destination server hostname remains exposed, as the Server Name Indication (SNI) value is not encrypted.
What is ECH?
Encrypted Client Hello (ECH) is a new and somewhat controversial update to the Transport Layer Security (TLS) protocol, designed to enhance user privacy. As CDNs like Cloudflare roll out ECH more widely, certain network controls for filtering inappropriate content may become less effective.
ECH changes who can see the destination of encrypted web traffic. Traditionally, the SNI in the TLS handshake revealed the destination web server’s hostname. With ECH, this information is encrypted and replaced with the CDN’s hostname, meaning intermediaries — such as network security tools — can no longer inspect it.
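To make the visibility change concrete, here is an added example (not from the original post) of what a network inspection point can still read from a TLS ClientHello. It walks the extension list and reports the plaintext SNI hostname and whether an ECH extension is offered; the ClientHello bytes, hostnames and the extension code point 0xfe0d (from the ECH draft) are constructed assumptions for the demonstration.

```python
# Added example: defender-side parse of a TLS ClientHello to see what a
# middlebox observes with and without ECH. All sample bytes are constructed.
import struct

SNI_EXT = 0x0000   # server_name extension (plaintext hostname)
ECH_EXT = 0xFE0D   # encrypted_client_hello code point used by the ECH draft

def build_client_hello(extensions: bytes) -> bytes:
    """Constructed minimal ClientHello wrapped in a TLS record."""
    body = (b"\x03\x03" + b"\x11" * 32          # legacy_version, random
            + b"\x00"                           # empty session id
            + b"\x00\x02\x13\x01"               # one cipher suite
            + b"\x01\x00"                       # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_extension(host: str) -> bytes:
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name type
    data = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXT, len(data)) + data

def inspect_client_hello(record: bytes) -> dict:
    """Return the plaintext SNI (if any) and whether ECH is offered."""
    hs = record[5:]                                # skip TLS record header
    p = 4 + 2 + 32                                 # hs header, version, random
    p += 1 + hs[p]                                 # session id
    p += 2 + struct.unpack("!H", hs[p:p+2])[0]     # cipher suites
    p += 1 + hs[p]                                 # compression methods
    ext_len = struct.unpack("!H", hs[p:p+2])[0]; p += 2
    end = p + ext_len
    result = {"sni": None, "ech": False}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p+4]); p += 4
        data = hs[p:p+elen]; p += elen
        if etype == SNI_EXT:
            hlen = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5+hlen].decode()
        elif etype == ECH_EXT:        # only presence is checked here
            result["ech"] = True
    return result

# Constructed samples: without ECH the origin hostname is visible; with ECH the
# outer SNI carries only the CDN's public name and the real one is encrypted.
PLAIN = build_client_hello(sni_extension("origin.example.org"))
WITH_ECH = build_client_hello(sni_extension("cdn-public.example.net")
                              + struct.pack("!HH", ECH_EXT, 4) + b"\x00" * 4)
```

Running `inspect_client_hello` on the two samples shows the filtering point sees the origin hostname only in the first case; in the second it sees just the CDN name plus an ECH flag, which is why SNI-based allow/deny lists stop working.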
For end users, this change does not create additional privacy risks because CDNs already have visibility into client connections. However, it does prevent organizations, parental controls, and network security appliances from identifying and filtering specific websites based on SNI data.
As shown in the example above, for networks that require visibility for security or policy enforcement, ECH can be disabled in browser settings or through enterprise browser management tools. We will cover how to do this for organizations with policies that allow such management.
CDNs can host any content and may not impose restrictions on what they support. In some cases, they do this to uphold free speech principles or avoid involvement in content censorship. By enabling ECH, CDNs shift the point where content screening can occur.
With ECH enabled, filtering and control mechanisms move to the browser, limiting options for content restriction. Traditional allow or deny lists become less effective, leaving safe browsing features and DNS filtering services as the primary tools for managing access to inappropriate content.
Due to these changes, organizations and schools will need to understand their options for enforcing acceptable use policies on Internet content. While filtering is a form of censorship, it must be balanced against the ongoing threat of cyberattacks such as ransomware and phishing, which often target resource-limited organizations.
These attacks can exploit browser or host vulnerabilities, insecure authentication methods, or malicious downloads from compromised servers. Until endpoints become fully secure and authentication methods are phishing-resistant, content filtering services play a crucial role in preventing these threats and protecting users.
Organizations with acceptable use policies may also filter content deemed inappropriate for their users. While this is a form of censorship, the intent matters. Filtering to block illicit content is generally seen as necessary, whereas broader censorship — such as restricting access to news, health-related information, or other fundamental resources — raises ethical concerns.
This is a complex and sensitive issue. However, in some cases, content filtering is the only viable option to ensure access remains within cultural and ethical norms. For example, in schools, filtering may be required to protect children, and in workplaces, it helps maintain a safe and professional environment aligned with organizational policies.
Web content filtering options
The Domain Name System (DNS) translates a website name (hostname) to an Internet Protocol (IP) address. When this translation occurs, there are domain nameservers that offer screening services to prevent access to known harmful sites, which could include malicious content or inappropriate content. Since such content can appear on brand-new sites, it is also possible for these services to only allow a translation of a hostname to an IP address for sites that have been vetted. This vetting creates an allow list of sites to access.
The two methods that can be used going forward to restrict access when ECH is enabled include:
1. Browser-based controls, such as the use of block lists provided through SafeBrowsing.
2. A DNS service that provides a second point of control to screen out inappropriate or malicious sites.
The DNS-based filtering option can be configured at the host level by setting the DNS servers for the organization in the Dynamic Host Configuration Protocol (DHCP) settings and/or within the browser if a DNS over HTTPS (DoH) server provides this filtering option. If you are using a DNS over TLS or a traditional DNS server for this option, be sure that the browser is not overriding this setting by using a DoH server of its own.
Free options that filter known malicious content (but not inappropriate based on policies):
- Quad9 offers a free DNS filtering service to protect against access to malicious sites.
- For K-12 schools as part of an offering for state, local, tribal, and territorial (SLTT) organizations, the US government subsidizes a service provided as a free offering through the Center for Internet Security called Malicious Domain Name Blocking and Reporting (MDBR).
- Avast offers a free DNS over HTTPS (DoH) service to screen malicious content as well.
For schools and other organizations interested in screening out inappropriate content, additional services may be necessary. These services allow for policy-based decisions that determine what types of content are not suitable for the intended audience. There are multiple options available, offered over traditional DNS, DNS over TLS (DoT), and DNS configured directly from the browser using DoH.
Several examples in alphabetical order include:
- Akamai Protective DNS (PDNS)
- Cisco Umbrella DNS
- CleanBrowsing DNS Filtering Service
- Cloudflare Gateway (offers DNS filtering and other options beyond the scope of this recommendation)
- DNSFilter
- Scaler DNS Security
- WebTitan
For families, the following free DNS filtering service is available:
Please check any service level agreements and privacy policies to ensure offerings meet your requirements. DNS services offered through your service provider likely come with contracted service levels and security policy requirements that may not be possible to attain with a free service offering. For any recursive resolver used, DNS spoofing is a potential concern and another reason to be diligent in the vetting of the DNS services used. Additionally, if your school or organization has a bring-your-own-device (BYOD) policy in place, mobile device management (MDM) or browser management coupled with filtering solutions at the gateway may be used to ensure the use of the approved DNS services. If browsers are not managed, but hosts join the network, offering a DNS server through the DHCP configuration settings may help if DoH is not enabled through their browser.
The solutions listed are limited to traditional DNS, as there are currently no available methods for filtering alternative DNS technologies such as blockchain DNS. Alternative naming systems like blockchain DNS are specifically designed to resist censorship, which can include both government-imposed content filtering and controls to prevent access to inappropriate material.
At present, accessing alternative DNS services typically requires a browser plugin to resolve these names to their associated hosting IP addresses. Organizations that screen content should verify settings for alternative DNS services to ensure alignment with their policies. Each system serves a purpose, and this discussion focuses on controlled domains operating under policies tailored to their user base. For example, in schools, students and parents often agree to behavioural expectations, including anti-bullying and electronic use policies, where content filtering tools can be beneficial. By accepting these policies, users acknowledge the restrictions deemed appropriate for their specific environment.
Please vet any service offering before implementation as this post does not provide an endorsement of any of the mentioned options. Additional options for DNS filtering services may exist that are worth reviewing.
Kathleen Moriarty is the Founder of SecurityBiaS, a Technology Strategist, CTO, Board Member, Keynote Speaker, Author, CISO, and former IETF Security Area Director. She has more than two decades of experience working on ecosystems, standards, and strategy. Kathleen was CTO at the Center for Internet Security when writing this post.
Adapted from the original at the RSA conference blog.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.