DNS-OVER-HTTPS
Close Visibility Gaps and Strengthen Network Defenses
DoH and Enterprise Network Visibility
DNS-over-HTTPS (DoH) is a protocol designed to enhance user privacy and security by encrypting DNS queries and routing them over HTTPS. This makes DNS traffic indistinguishable from regular web traffic, thereby helping to protect users from certain types of surveillance and manipulation.
However, while DoH was developed with privacy in mind, especially for individual or home users, it presents challenges in enterprise environments. By encrypting DNS queries, DoH can bypass traditional DNS-based security controls such as content filtering, monitoring, and threat detection mechanisms. This can reduce visibility for network defenders and limit the ability to enforce corporate security policies effectively.
To support organizations that choose to restrict or manage the use of DoH within their networks, we offer a threat data feed that helps identify and block outbound DoH traffic. Using this feed, security teams can restore the control needed to maintain a secure and compliant environment.
Operational and Security Considerations of DoH
DoH shifts DNS resolution from the operating system to individual applications, bypassing traditional enterprise DNS configurations. This limits the effectiveness of centralized controls used for security, compliance, and troubleshooting.
Key challenges include:
– DNS firewalls and filtering: Local policies can be bypassed, allowing access to restricted content.
– Loss of visibility: DNS queries are no longer auditable, hindering detection, response, and forensic efforts.
– Malware concealment: Threat actors and malware exploit encrypted DoH channels to evade detection.
– Threat intelligence gaps: Domain-based blocking via IOCs may be circumvented.
– Data jurisdiction: DNS queries may be resolved in regions with different legal and regulatory frameworks.
– Troubleshooting complexity: Applications and the OS may use different resolvers, complicating support.
Finally, DoH centralizes DNS traffic with a small number of providers, who can see both client IP addresses and queries, which raises concerns around data control and neutrality.
Managing DoH Usage in Enterprise Environments
Organizations concerned about the operational impact of DNS-over-HTTPS have several options for managing its use. Depending on the risk profile and regulatory requirements, strategies may include restricting application-level DNS configuration, disabling DoH in supported browsers, or enforcing DNS settings via group policy.
For companies that require tighter DNS control, another approach is to enhance existing security infrastructure by supplying firewalls or intrusion detection systems (IDS) with an up-to-date list of known DoH resolvers. This allows network defenders to either block or monitor traffic to those servers, which supports both preventive and threat-hunting use cases without significant changes to the current environment.
To address this specific need, we offer our DoH server data feed. It’s designed for enterprises that must maintain visibility and control over DNS resolution paths to meet internal security policies, compliance requirements, or threat detection goals. This feed can be integrated with existing tools to help ensure DNS traffic remains aligned with your organization’s security architecture.
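As an added illustration of the two points made above (the visibility gap from encrypted DoH channels, and feeding firewalls or an IDS with a resolver list), the following Python script is example code, not the vendor's feed format or tooling. It assumes a hypothetical feed schema of one JSON object per resolver endpoint with `ip`, `fqdn` and `country` keys, a key=value connection log format, and constructed addresses from the RFC 5737 / RFC 3849 documentation ranges. It indexes the feed, flags outbound connections to listed resolvers, and renders a RouterOS address-list (MikroTik being one of the formats the page lists), so the same data serves both the monitoring and the blocking use case.

```python
"""Match outbound connections against a DoH resolver feed and emit blocklist rules.

Added example. The feed schema (ip / fqdn / country), the log line format and all
addresses below are constructed for illustration; they are not the vendor's format.
"""
import ipaddress
import json
from typing import Dict, List, Optional

# Constructed feed sample (hypothetical schema) using documentation address ranges.
SAMPLE_FEED = json.dumps([
    {"ip": "192.0.2.53", "fqdn": "doh.example.net", "country": "US"},
    {"ip": "198.51.100.7", "fqdn": "dns.example.org", "country": "DE"},
    {"ip": "2001:db8::53", "fqdn": "doh.example.net", "country": "US"},
    {"ip": "not-an-ip", "fqdn": "broken.example", "country": "??"},  # malformed, skipped
])

# Constructed firewall/netflow-style log lines (key=value fields).
SAMPLE_LOG = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.15 dst=192.0.2.53 dport=443 proto=tcp",
    "ts=2024-05-01T10:00:02Z src=10.0.0.15 dst=93.184.216.34 dport=443 proto=tcp",
    "ts=2024-05-01T10:00:03Z src=10.0.0.22 dst=2001:db8::53 dport=443 proto=udp",
    "ts=2024-05-01T10:00:04Z src=10.0.0.22 dst=198.51.100.7 dport=53 proto=udp",
    "garbage line without fields",
]


def load_feed(feed_json: str) -> Dict[str, dict]:
    """Index feed entries by normalised IP string; entries that are not valid addresses are skipped."""
    index: Dict[str, dict] = {}
    for entry in json.loads(feed_json):
        try:
            ip = ipaddress.ip_address(entry["ip"])
        except (ValueError, KeyError):
            continue  # one bad record must not break the whole hourly update
        index[str(ip)] = {
            "fqdn": entry.get("fqdn", ""),
            "country": entry.get("country", ""),
            "version": ip.version,
        }
    return index


def parse_log_line(line: str) -> Optional[dict]:
    """Parse a key=value log line; return None if the required fields are missing or invalid."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    if not {"src", "dst", "dport"} <= set(fields):
        return None
    try:
        fields["dst"] = str(ipaddress.ip_address(fields["dst"]))  # normalise IPv6 spelling
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def find_doh_connections(log_lines: List[str], feed_index: Dict[str, dict]) -> List[dict]:
    """Return every connection whose destination is a listed DoH resolver, annotated with feed metadata."""
    findings = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or rec["dst"] not in feed_index:
            continue
        meta = feed_index[rec["dst"]]
        findings.append({
            "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
            "resolver": meta["fqdn"], "country": meta["country"],
            # DoH rides on HTTPS (443); other ports to the same host may be plain DNS (53) or unrelated.
            "doh_port": rec["dport"] == 443,
        })
    return findings


def mikrotik_address_list(feed_index: Dict[str, dict], list_name: str = "doh-resolvers") -> List[str]:
    """Render RouterOS address-list commands; IPv4 and IPv6 live in separate firewall tables."""
    lines = []
    for ip, meta in sorted(feed_index.items(), key=lambda kv: (kv[1]["version"], kv[0])):
        table = "/ip" if meta["version"] == 4 else "/ipv6"
        lines.append(f'{table} firewall address-list add list={list_name} address={ip} comment="{meta["fqdn"]}"')
    return lines


if __name__ == "__main__":
    index = load_feed(SAMPLE_FEED)
    for hit in find_doh_connections(SAMPLE_LOG, index):
        print(f'{hit["src"]} -> {hit["dst"]}:{hit["dport"]} ({hit["resolver"]}, {hit["country"]})')
    print("\n".join(mikrotik_address_list(index)))
```

In a real deployment the feed would be refreshed on the vendor's hourly schedule and the address list reloaded from it; the `doh_port` flag keeps monitoring separate from blocking, so a team can hunt on all contacts with listed resolvers while only enforcing on the HTTPS path.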
Feed Details
CONTENTS
Three (3) versions available:
– FQDN of the DoH server
– IPv4 address(es) and geo-location info
– IPv6 address(es) and geo-location info
FORMATS
– JSON
– MikroTik
– FortiGate
– FortiSIEM
FEATURES
– Free evaluation
– Hourly updates
– Unlimited downloads
– Full-use commercial license