DNS-over-HTTPS: Privacy Improvement or Security Blind Spot
Sarah L.
What DNS-over-HTTPS Does
DNS-over-HTTPS (DoH) encrypts DNS queries inside HTTPS connections, preventing network operators, ISPs, and eavesdroppers from seeing which domains you are resolving. This is a significant privacy improvement for individual users, especially on public networks where DNS queries can be trivially intercepted and logged.
The Enterprise Security Concern
DoH creates a challenge for enterprise security teams. Traditional DNS monitoring is a valuable security tool - analyzing DNS queries reveals malware communicating with command-and-control servers, data exfiltration through DNS tunneling, and connections to known malicious domains. When DNS queries are encrypted and sent to external DoH providers, enterprise security tools lose visibility into this critical data source.
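The visibility described above is only useful if someone actually analyzes the resolver log. The following is an added example, not code from the original article: a small Python script that runs the three classic checks (known-bad domain, encoded-looking labels typical of DNS tunneling, and a burst of distinct names under one domain) over a constructed query log of the kind an internal resolver would produce. The log format, the thresholds and the blocklist entry are all constructed for illustration; a real deployment would feed threat-intel data into the blocklist and tune the thresholds against its own baseline.

```python
# Added example (not from the original article): heuristic analysis of the
# query log produced by an internal resolver. Log format, thresholds and the
# blocklist are all constructed for illustration.
import math
from collections import defaultdict

# Constructed sample log lines: "<epoch> <client_ip> <qtype> <qname>".
# 10.0.0.9 sends long, encoded-looking labels under one domain, which is the
# typical shape of DNS tunneling; 10.0.0.12 resolves a blocklisted domain.
SAMPLE_LOG_LINES = [
    "1700000000 10.0.0.5 A www.example.com",
    "1700000001 10.0.0.5 A mail.example.com",
    "1700000002 10.0.0.9 TXT abcdefghijklmnopqrstuvwxyz234567abcdefgh.tunnel.example.net",
    "1700000003 10.0.0.9 TXT ijklmnopqrstuvwxyz234567abcdefghijklmnop.tunnel.example.net",
    "1700000004 10.0.0.9 TXT qrstuvwxyz234567abcdefghijklmnopqrstuvwx.tunnel.example.net",
    "1700000005 10.0.0.9 TXT yz234567abcdefghijklmnopqrstuvwxyz234567.tunnel.example.net",
    "1700000006 10.0.0.9 TXT 234567abcdefghijklmnopqrstuvwxyz234567ab.tunnel.example.net",
    "1700000007 10.0.0.9 TXT 567abcdefghijklmnopqrstuvwxyz234567abcde.tunnel.example.net",
    "1700000008 10.0.0.12 A updates.badactor-placeholder.test",
]

# Placeholder blocklist; a real deployment would load threat-intel feeds here.
BLOCKLIST = {"badactor-placeholder.test"}


def parse_line(line):
    """Split one log line into its fields; qnames are normalised to lowercase."""
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Crude registrable-domain approximation: the last two labels."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def query_findings(qname, blocklist, long_label=32, entropy_threshold=3.5):
    """Return the list of indicators a single query name triggers."""
    findings = []
    if any(qname == bad or qname.endswith("." + bad) for bad in blocklist):
        findings.append("blocklisted-domain")
    subdomain_labels = qname.split(".")[:-2]  # ignore the registrable domain itself
    if any(len(label) >= long_label for label in subdomain_labels):
        findings.append("long-label")
    if any(len(label) >= 20 and shannon_entropy(label) >= entropy_threshold
           for label in subdomain_labels):
        findings.append("high-entropy-label")
    return findings


def analyze_log(lines, blocklist, unique_subdomain_threshold=5):
    """Map each client to the (name, indicator) pairs found in its queries."""
    per_client = defaultdict(list)
    unique_names = defaultdict(set)   # (client, base domain) -> distinct qnames
    for line in lines:
        rec = parse_line(line)
        for finding in query_findings(rec["qname"], blocklist):
            per_client[rec["client"]].append((rec["qname"], finding))
        unique_names[(rec["client"], base_domain(rec["qname"]))].add(rec["qname"])
    # Many distinct names under one domain from one client is the volume signal
    # of tunneling even when individual labels look innocuous.
    for (client, base), names in unique_names.items():
        if len(names) >= unique_subdomain_threshold:
            per_client[client].append((base, "many-unique-subdomains"))
    return dict(per_client)


if __name__ == "__main__":
    for client, findings in analyze_log(SAMPLE_LOG_LINES, BLOCKLIST).items():
        print(client)
        for name, finding in findings:
            print(f"  {finding:24} {name}")
```

On the sample data the script reports nothing for 10.0.0.5, a blocklist hit for 10.0.0.12, and for 10.0.0.9 both per-query indicators on every tunnel query plus the volume indicator for example.net. The two-label approximation of the registrable domain is deliberately simple; against real traffic a public-suffix list avoids lumping every site under a shared suffix together.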
Balancing Privacy and Visibility
The solution is not to block DoH entirely but to deploy it in a way that preserves security visibility. Run your own internal DoH resolver that encrypts queries from the endpoint to your resolver (protecting against local eavesdropping) while still allowing your security tools to analyze the queries. Configure endpoint browsers and operating systems to use your internal DoH resolver rather than external providers.
Practical Recommendations
For enterprise environments, use Group Policy or MDM to configure DoH settings and point endpoints to your internal resolver. Block direct DoH connections to external providers like Cloudflare and Google at the firewall. For personal devices and small organizations without an internal resolver, using a reputable external DoH provider is a net security improvement over unencrypted DNS. True Protection supports DoH with configurable resolver settings that maintain privacy without sacrificing security visibility.
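One caveat a practitioner will want on the firewall recommendation: DoH is ordinary HTTPS on port 443, so it cannot be blocked by port. The block has to target the resolver endpoints themselves, by TLS server name where the SNI is visible and by destination address where it is not, and the endpoint list has to be kept current. The following is an added example, not code from the article or from the True Protection product: a Python classifier that runs over constructed firewall or proxy log events and reports which hosts are talking to external DoH endpoints instead of the internal resolver. The internal resolver name and address (doh.corp.example, 10.0.0.53) and the log format are hypothetical; the external hostnames and addresses are the publicly documented DoH endpoints of the two providers the article names, listed here as an illustrative subset only.

```python
# Added example (not from the original article): classify outbound TLS
# connections from a firewall or proxy log to spot endpoints that bypass the
# internal DoH resolver. The internal resolver name/address and the log format
# are hypothetical; the external endpoint list is an illustrative subset and
# must be maintained from the providers' published addresses.
import ipaddress
from collections import Counter

# Hypothetical internal DoH resolver that endpoints are supposed to use.
INTERNAL_DOH_HOST = "doh.corp.example"
INTERNAL_DOH_IPS = {ipaddress.ip_address("10.0.0.53")}

# Publicly documented DoH endpoints of the providers named in the article
# (illustrative subset, not exhaustive; keep this list current).
EXTERNAL_DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google"}
EXTERNAL_DOH_NETS = [ipaddress.ip_network(n) for n in
                     ("1.1.1.1/32", "1.0.0.1/32", "8.8.8.8/32", "8.8.4.4/32")]

# Constructed sample events: "<epoch> <src_ip> <dst_ip>:<dst_port> sni=<name or ->".
SAMPLE_EVENTS = [
    "1700000100 10.0.0.5 10.0.0.53:443 sni=doh.corp.example",
    "1700000101 10.0.0.9 1.1.1.1:443 sni=cloudflare-dns.com",
    "1700000102 10.0.0.9 8.8.8.8:443 sni=dns.google",
    "1700000103 10.0.0.9 1.0.0.1:443 sni=-",
    "1700000104 10.0.0.12 203.0.113.10:443 sni=www.example.com",
    "1700000105 10.0.0.12 203.0.113.10:80 sni=-",
]


def parse_event(line):
    """Split one constructed log event into typed fields."""
    ts, src, dst, sni = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    sni_value = sni[len("sni="):]
    return {"ts": int(ts), "src": src, "dst_ip": ipaddress.ip_address(dst_ip),
            "dst_port": int(dst_port),
            "sni": None if sni_value == "-" else sni_value.lower()}


def classify(event):
    """Return 'internal-doh', 'external-doh-bypass' or 'other' for one event."""
    if event["dst_port"] != 443:
        return "other"
    if event["dst_ip"] in INTERNAL_DOH_IPS or event["sni"] == INTERNAL_DOH_HOST:
        return "internal-doh"
    if event["sni"] in EXTERNAL_DOH_HOSTS:
        return "external-doh-bypass"
    # SNI can be absent (or encrypted), so fall back to the destination address.
    if any(event["dst_ip"] in net for net in EXTERNAL_DOH_NETS):
        return "external-doh-bypass"
    return "other"


def bypass_report(lines):
    """Count external-DoH connections per source host."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if classify(ev) == "external-doh-bypass":
            counts[ev["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, n in bypass_report(SAMPLE_EVENTS).items():
        print(f"{src}: {n} connection(s) to external DoH endpoints")
```

On the sample events only 10.0.0.9 is flagged, with three connections: two matched by server name and one (no SNI) by destination address. The same host list drives both the detection above and the firewall deny rule, which keeps the two from drifting apart; a host that keeps appearing in this report after the Group Policy or MDM profile has been pushed is either unmanaged or has a browser setting overriding the managed one, and is worth a look.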