Friend or Foe in the Business Environment?


DNS-over-HTTPS, or DoH, is a relatively new protocol that was developed with the goal of providing increased privacy and security. To achieve this, DNS queries are encrypted and sent to a DoH-enabled server which makes them indistinct from web traffic.

While rooted in a positive quest for Internet privacy, DOH has been controversial since its beginning. The debate around it boils down to the fact that its seems to have been primarily designed with the individual or home user in mind — or at the very least, the impact it would have on network security in a business setting was underestimated.


Before DoH, DNS servers were configured at the operating system level. With DoH, servers are configured at the application level, bypassing the operating system’s settings. As a result, many of the policies and tools used by tech support, system administrators and enterprise security teams to control and audit DNS-level activities are made ineffective.

For example, DNS firewalls and auditing are easy and popular ways to protect endpoints, apply parental controls and detect compromised systems. DoH bypasses the existing security infrastructure and policies, including hardware, software (firewalls, IDS, etc.), training, and resource management. Enterprises have invested A LOT of time and money in all of these.

As a result, organizations are likely to encounter myriad technical, policy, and regulatory issues with the use of DoH:

  • DNS Firewalls become ineffective; users can bypasses local policies and, for example, access social media or other prohibited resources
  • DNS traffic cannot be audited
  • Access control lists based on threat intelligence data feeds can be circumvented
  • Split DNS scenarios are no longer possible
  • Private/internal DNS names may be leaked
  • Regulations like GDPR are impacted as DoH servers may be operated in a jurisdiction other than that of its users
  • Incident response and threat hunting become far more complex
  • Tech support troubleshooting changes significantly as now applications and the operating system use distinct DNS resolvers
  • Network operators won’t be able to perform DNS blocking and filtering to handle take down notices or comply with court orders
  • CDNs that rely on DNS to direct traffic to cache nodes are no longer able to use the same technique
  • New cyber threats that take advantage of the lack of visibility. Godlua malware has already been found exploiting DoH. The malware uses the protocol’s encryption to freely establish communication with the command and control (C&C) server.

One final point to consider is this: DoH service providers know IP addresses and DNS queries. And it is unclear how they can use this data. As there is only a small group of DoH providers these days, this concentrates the control over DNS responses in only a few companies. As such, it poses a threat to Net Neutrality.


There are some options to help control the use of DoH in the business environment. For example, preventing applications from configuring DoH servers and blocking the use of browsers that have DoH enabled are workarounds.

Another way is to supply your firewall and/or IDS with an up-to-date feed of active DoH servers to prevent access to them altogether. This protects the investment already made in security mechanisms, policies and procedures – and requires the least amount of change to the current environment.

Malware Patrol created the DoH data feed to help our customers prevent/monitor DoH access, ensuring their carefully configured and security-compliant environments remain under their control.

Feed Details



Three (3) versions available:

– FQDN of the DoH server

– IPv4 address(es) and geo-location information

– IPv6 address(es) and geo-location information



– MikroTik

– FortiGate

– FortiSIEM




– Free evaluation

– Hourly updates

– Unlimited downloads

– Full-use commercial license


DOH Resources

We compiled the following articles about DNS-over-HTTPS from a variety of sources. Because it is a topic that often generates debate, we encourage you to learn more about it and figure out how it will impact your company and/or customers. Our team has ongoing research in this subject area and would be interested in any feedback or questions you may have. Contact us.

DoH Origins

DNS Queries over HTTPS (DoH)
Internet Engineering Task Force (IETF) Request for Comments (RFC): 8484
October 2018

This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.

DNS over HTTPS (DoH) Considerations for Operator Networks
Internet Engineering Task Force (IETF) Internet-Draft
September 9, 2019

The introduction of DNS over HTTPS (DoH), defined in RFC8484, presents a number of challenges to network operators. These are described in this document.

Ongoing Discussion Regarding DoH
Internet Engineering Task Force (IETF)