When a user visits your website, the first interaction is between their device and your DNS server, asking, “Where is this website, and what is its address?” But that question and its answer are normally sent unencrypted, which creates opportunities for anyone (your ISP, someone on the same public Wi-Fi network, a bad actor) to see which website the user is trying to visit and potentially tamper with that request.
Enter DNS over HTTPS (DoH), a modern solution that encrypts DNS queries using Transport Layer Security (TLS). DoH is a significant step towards bolstering cybersecurity, encrypting data, and protecting user privacy, offering a shield against various forms of digital interception and monitoring. By enabling DNS queries to be encrypted and sent via HTTPS, DoH protects web traffic, making it a game-changer for individuals and organizations alike. Of course, as with any shift in technologies, the transition from traditional DNS to the DoH protocol presents challenges in maintaining system visibility and enforcing network policies.
Understanding DNS and Its Limitations
Traditional DNS has served the internet for decades, and while it makes navigation easy for users, it also has limitations. DNS queries are typically sent in plain text, which leaves them vulnerable to eavesdropping or manipulation by attackers. Without encryption, DNS traffic can be observed by third parties or exploited through cyberattacks such as man-in-the-middle (MITM) or DNS spoofing. When malicious actors are successful in manipulating DNS traffic, it poses a direct risk to user privacy and security.
The Rise of DNS over HTTPS (DoH)
DoH is transforming how the internet handles DNS queries. Instead of sending queries in plain text, DoH routes DNS queries through the same encrypted HTTPS protocol used for secure web browsing. As a result, DNS traffic becomes much harder to intercept or tamper with, improving privacy for users. Many popular modern browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari, offer DoH support to give users more secure, private DNS connections.
However, while DoH enhances privacy, it also introduces new challenges for network administrators. Because DNS queries are encrypted, visibility into DNS traffic can decrease, which makes it harder for teams to monitor for threats or enforce network policies, especially if users are using external DoH resolvers.
Finding the right balance between privacy and security visibility is critical. Organizations should adopt a strategy for deploying DoH that protects user privacy while still giving security teams the DNS telemetry and policy control they need.
How Does DNS over HTTPS Work?
DoH encrypts DNS queries between the client and the DNS resolver. These are the requests sent by a device to resolve human-readable domain names, for example, translating www.example.com into an IP address. In a traditional DNS setup, these queries are transmitted in plaintext over UDP or TCP, making them visible to any party intercepting the traffic. Instead, DoH encapsulates DNS queries within HTTPS (over port 443) using TLS encryption. This secures the communication between the device and the resolver, protecting it from eavesdropping or manipulation.
Encrypting DNS Queries
Encrypting DNS queries is the core function of DoH. By using TLS encryption, DoH encapsulates DNS messages within an HTTPS session, which means only the intended DNS resolver can decrypt and process the query. As a result, third parties cannot easily observe or interfere with DNS traffic.
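The two passages above describe the mechanism in words: a wire-format DNS message is carried inside an HTTPS exchange instead of a bare UDP datagram. The following Python is an added example, not code from the original article or from any DoH implementation, showing what that encapsulation looks like at the byte level as RFC 8484 defines it: a query is built in RFC 1035 wire format, placed either in the base64url `dns` parameter of a GET or in the body of a POST typed `application/dns-message`, and the response body is decoded the same way. Everything runs offline; the resolver URL is an assumed placeholder, the response is constructed locally rather than fetched, and the `www.example.com` GET string produced here matches the example in RFC 8484 section 4.1.1.

```python
# Added example, not code from the original article: build an RFC 8484 DoH
# request from a DNS wire-format query and decode a response body, all offline.
# RESOLVER_URL is an assumed placeholder, not a real endpoint.
import base64
import struct

RESOLVER_URL = "https://doh.example.internal/dns-query"  # assumed placeholder
DOH_MEDIA_TYPE = "application/dns-message"


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """RFC 1035 query with RD set. RFC 8484 recommends ID 0 so that identical
    questions yield identical, HTTP-cacheable requests."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query: bytes, base_url: str = RESOLVER_URL) -> str:
    """GET form: base64url message in the 'dns' parameter, '=' padding removed."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={param}"


def decode_dns_param(url: str) -> bytes:
    """Inverse of doh_get_url: restore padding and decode the wire message."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post_request(query: bytes, base_url: str = RESOLVER_URL) -> dict:
    """POST form: raw message as the body, typed as application/dns-message."""
    return {"method": "POST", "url": base_url, "body": query,
            "headers": {"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE}}


def read_name(msg: bytes, off: int) -> tuple:
    """Read a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end


def parse_response(msg: bytes) -> dict:
    """Decode the header, skip the question, and collect answer records."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        data = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": msg_id, "rcode": flags & 0xF, "answers": answers}


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed stand-in for a resolver's HTTP body: echo the question and
    answer with one A record whose name is a pointer to the question name."""
    msg_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))
    print(parse_response(constructed_response(q, "192.0.2.1")))
```

The point to notice is that nothing about the DNS message itself changes: the bytes inside the HTTPS request are the same ones that would otherwise travel in a UDP packet to port 53. What TLS adds is that an observer on the path sees only an HTTPS connection to the resolver's address, not the question or the answer, which is exactly why the same property that protects the user also removes the network's passive view of resolution.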
While this adds a crucial layer of privacy and integrity to DNS, it also complicates monitoring and policy enforcement for network administrators. Encrypted DNS traffic makes it harder to detect malicious domains, enforce acceptable use policies, or monitor for command-and-control (C2) traffic. This means that while DoH enhances user privacy, it presents a tradeoff between user security and enterprise visibility.
Integration with Existing Web Infrastructure
As with any other major change in protocols, integrating DoH with existing web infrastructure requires careful planning. Modern browsers allow users to enable DoH in browser settings, making it easy for individuals to adopt encrypted DNS, and many public DNS resolvers also support DoH. However, the story changes in an enterprise setting.
Enterprise organizations may need to adjust resolver configurations and network policies to manage DoH traffic effectively and ensure that DNS resolution remains compliant with security policies, especially in environments requiring DNS monitoring, logging, or filtering. Offering an internal or custom DoH resolver is often recommended to meet both privacy goals and organizational requirements.
Differences between DoH and DNS over TLS
Both DoH and DNS over TLS (DoT) encrypt DNS queries. However, they differ in transport mechanisms and operational behavior. DoH uses HTTPS over port 443, allowing DNS traffic to blend with regular web traffic. In direct contrast, DoT operates on a dedicated port (853), which can simplify network management but also makes it easier to identify and potentially block DoT traffic.
There are also stark differences in deployment. While DoH is increasingly integrated into modern browsers as a user-friendly option, DoT is often implemented at the operating system or network level.
There’s no right or wrong choice between DoH and DoT. Both protocols aim to ensure secure DNS resolution, and ultimately, deploying one over the other should depend on an organization’s specific privacy requirements, regulatory environment, and network visibility needs.
Challenges of DoH Implementation
Every new protocol introduces challenges that must be balanced in the ongoing push and pull between security and user privacy; DoH is no exception. While DoH has a multitude of privacy enhancements, it also complicates visibility, policy enforcement, and compatibility with traditional DNS infrastructure. Organizations need to weigh these tradeoffs carefully when considering DoH deployment.
Network blocking issues
Since DNS queries are encrypted with DoH, network administrators may find it harder to block specific domains using traditional network-based controls. Normally, admins would inspect DNS queries in transit and block access to malicious or unauthorized domains. But when users send encrypted DNS queries to external DoH resolvers, that traffic becomes invisible to the network, making it difficult to enforce content filtering policies or block known bad domains.
To maintain control, organizations often deploy internal DoH resolvers or use DNS services like a private DNS data lake, which provide both encryption and visibility.
Compatibility and implementation challenges
Integrating DoH into existing environments is not without challenges. Legacy network monitoring and security tools may be unable to inspect encrypted DNS traffic, requiring updates or new solutions to maintain visibility. Additionally, many network appliances, firewalls, and older software stacks may require configuration changes to properly handle or route DoH traffic.
Organizations also need to ensure that DoH traffic is directed to trusted internal resolvers or approved public DNS services rather than allowing unmanaged DoH connections from browsers to external resolvers, which can bypass security policies and filtering.
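The transport difference described earlier (DoT on its dedicated port 853, DoH blending into port 443) and the concern just raised about unmanaged connections to external resolvers both come down to a single operational question: can the security team tell, from the telemetry it already has, when a device is resolving names somewhere other than the approved resolver? The Python below is an added example, not code from the original article or from any product, that runs that check over a handful of constructed flow/proxy log lines. The log format, the approved resolver name `doh.corp.example`, and the starter lists of public resolver hostnames and addresses are assumptions for the illustration; in practice the lists come from your own inventory and are kept current.

```python
# Added example, not code from the original article: flag encrypted-DNS sessions
# that bypass the organization's approved resolver, using constructed log lines.
# The log format, APPROVED_RESOLVERS and the starter resolver lists are assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Optional

APPROVED_RESOLVERS = {"doh.corp.example"}  # assumed internal DoH endpoint (placeholder)
# Starter list of widely used public encrypted-DNS endpoints; maintain your own.
PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
PUBLIC_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
DOT_PORT = 853  # DoT uses a dedicated port; DoH shares 443 with ordinary web traffic


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line: str) -> dict:
    """Constructed format: '<ts> <src_ip> <dst_ip> <dport> <proto> [key=value ...]'.
    Keys used below: sni (TLS server name), path and content_type (from a proxy)."""
    fields = line.split()
    rec = {"ts": fields[0], "src": fields[1], "dst": fields[2],
           "dport": int(fields[3]), "proto": fields[4]}
    for token in fields[5:]:
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def classify(rec: dict) -> Optional[str]:
    """Return a reason string when the session looks like unmanaged encrypted DNS."""
    host = rec.get("sni") or rec.get("host")
    if host in APPROVED_RESOLVERS:
        return None  # encrypted DNS to the sanctioned resolver is the goal, not a finding
    if rec["dport"] == DOT_PORT:
        return "DoT on port 853 to a non-approved resolver"
    if host in PUBLIC_DOH_HOSTS:
        return f"DoH to public resolver {host}"
    if rec["dport"] == 443 and rec["dst"] in PUBLIC_RESOLVER_IPS:
        return f"HTTPS to known public resolver IP {rec['dst']} (likely DoH)"
    if rec.get("content_type") == "application/dns-message" or rec.get("path") == "/dns-query":
        return f"dns-message traffic to non-approved host {host or rec['dst']}"
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Apply classify() to each non-empty log line and collect the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], reason))
    return findings


# Constructed sample log (not captured from any real network).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 1.1.1.1 443 tcp sni=cloudflare-dns.com path=/dns-query
2024-05-01T10:00:01Z 10.0.0.6 10.1.1.53 443 tcp sni=doh.corp.example path=/dns-query
2024-05-01T10:00:02Z 10.0.0.7 9.9.9.9 853 tcp
2024-05-01T10:00:03Z 10.0.0.8 203.0.113.10 443 tcp sni=www.example.com path=/
2024-05-01T10:00:04Z 10.0.0.9 203.0.113.20 443 tcp sni=resolver.example.net content_type=application/dns-message
2024-05-01T10:00:05Z 10.0.0.10 8.8.8.8 443 tcp
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
```

Two design points follow from the article's own observations. First, the port rule is all that is needed for DoT, while DoH needs the hostname, address or proxy content-type rules because its transport looks like any other HTTPS session. Second, the hostname rules depend on seeing the TLS server name; once Encrypted ClientHello (mentioned later in the article) is in use, that field is no longer visible, so the address-based rule and, above all, the egress policy that only permits the approved resolver are the durable controls. The findings are leads for policy enforcement and user guidance, not verdicts on the users.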
Potential impacts on network performance
While DoH aims to improve privacy, it can affect network performance. Encrypting DNS queries increases the size of each exchange, which can slow communication with recursive resolvers and add latency when loading web pages. Network congestion can also rise, especially if the resolvers or the primary query endpoint become overloaded.
Adoption and Future of DoH
DoH is rapidly reshaping how we think about internet privacy. By encrypting DNS queries between users and resolvers, DoH prevents third parties, whether legitimate entities like ISPs and public Wi-Fi operators or overtly malicious actors, from easily monitoring or manipulating DNS traffic. Still, its implementation creates new challenges for network and security teams. As adoption rates continue to increase, organizations must implement compensating controls to ensure they maintain visibility and preserve a strong network security posture.
Current adoption rates and trends
Adoption of DoH has been steadily increasing as browsers and public DNS providers continue to enable encryption by default. A study by APNIC Labs reports that approximately 13.7% of global DNS traffic now uses DoH, with usage continuing to grow. That said, adoption is not yet universal. Some ISPs and enterprise environments are slow to adapt, whether due to technical, regulatory, or policy concerns.
Ongoing developments in DNS privacy
The conversation about digital privacy continues to evolve rapidly. Today, DoH and DoT are becoming more widely deployed, protecting users from interception and manipulation. In parallel, standards groups are advancing new protocols such as:
- Oblivious DoH (ODoH): Further separates client identity from DNS traffic.
- Encrypted ClientHello (ECH): Prevents hostname leakage during TLS handshake.
- Discovery of Designated Resolvers (DDR): Helps clients securely upgrade to encrypted DNS.
At the same time, organizations are adopting custom resolvers and private DNS services to maintain both privacy and security visibility. This allows enterprises to leverage encrypted DNS while still meeting compliance, monitoring, and policy needs. As these technologies mature, it’s likely that encrypted DNS will become the default expectation for both users and networks, delivering stronger privacy protections while evolving to meet enterprise requirements.
Ready to Strengthen Your DNS Defenses?
As protocols like DoH become the default, it’s more important than ever to balance privacy with security visibility. Without the right tools, encrypted DNS can create gaps in monitoring, putting your network at risk.
With UltraDNS, you can enjoy the visibility and control necessary to balance user privacy and network security. As an added benefit, the UltraDNS Private Data Lake delivers advanced telemetry for threat hunting, compliance, and incident response.
Ready to strengthen your defenses against DNS-based threats? Contact us today to learn more and schedule a demo.