Originally Posted by xJumper
So will the DNS requests go through the VPN provider or through Google's DNS over HTTPS provider built into the browser? Chicken or the egg?
Maybe if your VPN was running at the kernel level like WireGuard it would "dns out" before it hit Google's forced DNS over HTTPS in the browser.
It will go out over the VPN through the DNS over HTTPS.
The DNS request is made as an HTTPS call over port 443. If your port 443 traffic is routed over your VPN then it will traverse the VPN.
As far as the network is concerned the traffic is indistinguishable from any other traffic on port 443.
The type of VPN implemented is irrelevant.
There are only two ways around it:
1) Client side you can disable this behavior assuming there is a way to do so. You can also have plugins on the client system that make this possible if the software does not already do so.
2) Network side you can force install client certificates that break encryption for HTTPS so that you can then perform packet inspection and then filter out the DNS requests and manipulate them. This will have the effect of breaking all HTTPS traffic on the internet within your network. Some traffic will function but clients will be informed at the browser side that all of their "encrypted" traffic is moving across the local network "unencrypted". Thus users should avoid using any banking sites or anything else that needs to be secure on said network.
Due to the demise of effective packet inspection and said packet inspection's impact, its use going forward is going to be much more limited. Companies are going to need to invest more in endpoint protection rather than edge point protection in order to ensure a secure network. This also creates new risks for BYOD businesses as well, as they need to ensure an effective endpoint solution for them.
This is not to say that firewalls are not going to be needed on the network edge or in other places on the network but that they are going to need to be complemented with additional endpoint security as well.