DNS-over-HTTPS: Why Your Internet Now Whispers Instead of Yelling (and Why That’s a Problem for IT)


Why DNS-over-HTTPS (DoH)? — The Primer

Before we get deep into why DoH makes IT admins sweat, let’s start with why it exists in the first place.

Traditional DNS Is a Massive Privacy Leak

Every time you visit a website, your device asks a DNS server:

“Hey, what’s the IP for gimmecatsinbowties.com?”

And that query goes out completely unencrypted [¹]. Anyone on the network can see it, log it, or manipulate it.
It’s like asking for directions in a loud bar full of eavesdroppers.


Encryption Should Include DNS

We’ve secured websites with HTTPS. Emails are encrypted. Messaging apps are private.
But DNS? It’s still stuck in the ’90s like someone with a flip phone and no shame.

DoH fixes that by wrapping your DNS queries inside HTTPS, so they are encrypted between you and the resolver you chose and on-path observers can neither read nor alter them [¹][⁴]. The resolver itself still sees every query, which is why the choice of resolver matters as much as the encryption.


It Protects You on Public Networks

On public Wi-Fi (airports, hotels, “Definitely-Not-A-Honeypot_Cafe”), attackers can:

  • Redirect you to fake sites
  • Censor content
  • Log your DNS requests

DoH makes that harder by encrypting those queries [⁵]. It hides the lookup, not the trip that follows: the destination IP and, in most cases, the TLS server name of the site you then visit still travel in the clear.


It Prevents Tampering and Hijacking

DNS hijacking is real — ISPs, malware, and governments have all been caught messing with DNS responses [⁵][⁸].
DoH makes on-path tampering between you and your resolver much harder. It does not protect you from a resolver that lies, or from a resolver that was itself fed poisoned data upstream.


Privacy Should Be the Default

DoH uses HTTPS (port 443) and requires no separate software. Chrome, Edge and Firefox all have it built in, and in several cases switch it on (or auto-upgrade to it) without the user doing anything [²][³].
It’s privacy without pain — unless you’re in IT, then… well, keep reading.


Let’s Talk About DNS – AKA the Internet’s Gossip Queen

You type in www.letmeprocrastinate.com. Your browser shouts across the network:

“HEY! What’s the IP address for this site?”

DNS shouts back — in the clear. Everyone hears it. Including attackers.


Enter: DNS-over-HTTPS (DoH), the Secret Whisper Network

DoH encrypts DNS requests over HTTPS, like hiding your web history inside a locked envelope — only your browser and your chosen resolver can read it [¹].


Why Should You Care?

Because DNS traffic reveals:

  • Where you go online
  • When you go there
  • What shady links you clicked

DoH encrypts that data. Good for privacy. Problematic for IT.


The Enterprise Freakout

It Bypasses DNS Filtering

Security stacks rely on DNS filtering (Umbrella, Pi-hole, etc.) at the resolver you hand out.
A browser or app with its own DoH settings never asks that resolver: it sends the query straight to a third-party resolver over port 443, so there is nothing left to filter [⁵][⁷].

It Breaks Logging and Monitoring

DNS logs are used for malware detection, behavior analysis, and forensics.
DoH cuts off that visibility [⁷][⁸].

It Enables Shadow IT

Users can point a browser at an outside resolver to get around your filtering, and malware can use DoH to hide command-and-control lookups [⁸].
Either way it looks like any other TLS session on port 443. Without TLS inspection or endpoint telemetry you can see which resolver a host talks to, but not what it asked.


So… Should You Mitigate It?

If you’re…                                          Should you block or control DoH?
A home user who doesn’t want your ISP snooping      Embrace it
A school or company with DNS-based policies         Block or control it
A malware author                                    You’re already using it, don’t lie
An IT admin trying to survive                       Yes, absolutely

How to Mitigate DNS-over-HTTPS Without Rage Quitting

1. Block Known DoH Endpoints

Block traffic to well-known DoH providers, by hostname at your own resolver and by IP at the perimeter:

  • Cloudflare (1.1.1.1, 1.0.0.1; cloudflare-dns.com)
  • Google DNS (8.8.8.8, 8.8.4.4; dns.google)
  • Mozilla TRRs (mozilla.cloudflare-dns.com by default)

Public lists of DoH endpoints are maintained [⁶]. Blocking by IP only works for dedicated resolver addresses like the ones above; many DoH endpoints sit on shared CDN addresses and have to be caught by hostname or TLS server name instead. Returning NXDOMAIN for the resolver hostnames also catches clients that look them up through your DNS first.


2. Deploy Internal DoH Resolvers

Run a DoH-capable resolver of your own (CoreDNS and AdGuard Home can serve DoH; NextDNS is a hosted option) and point clients at it by policy, so queries are encrypted on the wire but still pass through a resolver you log and filter [⁷].


3. Use GPO or MDM to Control DoH on Browsers

Browsers pick their own DoH resolver unless policy tells them otherwise. Configure Group Policy (or the matching registry keys / MDM profile) to:

  • Disable or pin DoH in Chrome and Edge (DnsOverHttpsMode set to off, or to secure with DnsOverHttpsTemplates pointing at your own resolver)
  • Disable or pin DoH in Firefox (the DNSOverHTTPS policy with Enabled false and Locked true; Firefox also turns DoH off by itself when your resolver answers NXDOMAIN for its canary domain use-application-dns.net)
  • Push internal DNS
  • Enforce corporate policy [⁴]

4. Force DNS via Internal Forwarders

Block outbound UDP/TCP 53 from anything except your resolvers at the perimeter, and hand out only internal DNS via DHCP.
DoH itself is TLS on port 443, so DPI tools like Suricata and Zeek cannot read the queries, but they can flag TLS sessions to known resolver IPs or with a resolver hostname in the SNI, which is enough to find the hosts that are bypassing you.
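Steps 1 and 4 together, as an added example for this article (not code from the original post): the script turns a list of known DoH resolvers into Unbound local-zone rules (NXDOMAIN for the resolver hostnames and for Firefox's canary domain) plus an IP block list for the perimeter firewall, and then scans Zeek ssl.log records for TLS sessions whose SNI or destination is a known resolver. The resolver list is illustrative, the 10.x hosts and the log lines are constructed, and the internal resolver addresses are an assumption.

```python
"""Blocking and spotting DoH at the network layer.

Added example for this article (not from the original post). Two jobs from the
mitigation steps above:
  1. turn a list of known DoH resolvers into Unbound 'local-zone' rules so the
     internal resolver answers NXDOMAIN for them and for Firefox's canary
     domain, plus a matching IP block list for the perimeter firewall;
  2. scan Zeek ssl.log records for TLS sessions whose SNI or destination IP is
     a known DoH resolver, i.e. clients that are not using our resolvers.
The resolver list is illustrative; the log lines and 10.x hosts are constructed.
"""
import ipaddress

INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}        # assumption: our own forwarders

KNOWN_DOH = {                                           # hostname -> dedicated anycast IPs
    "cloudflare-dns.com": {"1.1.1.1", "1.0.0.1"},
    "mozilla.cloudflare-dns.com": {"1.1.1.1", "1.0.0.1"},   # Firefox TRR default
    "dns.google": {"8.8.8.8", "8.8.4.4"},
}
FIREFOX_CANARY = "use-application-dns.net"               # NXDOMAIN here disables Firefox DoH


def unbound_block_rules(doh=KNOWN_DOH, canary=FIREFOX_CANARY) -> str:
    """unbound.conf lines: NXDOMAIN every known DoH hostname and the canary domain."""
    names = sorted(set(doh) | {canary})
    return "\n".join(f'local-zone: "{n}." always_nxdomain' for n in names) + "\n"


def firewall_block_ips(doh=KNOWN_DOH) -> list:
    """Sorted, de-duplicated resolver IPs to block on TCP/443 at the perimeter.
    Only sensible for dedicated resolver IPs like these; DoH endpoints on shared
    CDN addresses must be caught by SNI instead."""
    ips = {ip for addrs in doh.values() for ip in addrs}
    return sorted(ips, key=ipaddress.ip_address)


def parse_zeek_tsv(text: str) -> list:
    """Parse a Zeek TSV log using its own '#fields' header; returns one dict per record."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_doh_sessions(ssl_log: str, doh=KNOWN_DOH, exclude=INTERNAL_RESOLVERS) -> list:
    """TLS sessions on 443 to a known DoH resolver, matched by SNI or by destination IP.
    Hosts in `exclude` (our own resolvers, which may legitimately forward over DoH)
    are skipped. Returns (client_ip, server_ip, sni, reason) tuples."""
    ips = {ip for addrs in doh.values() for ip in addrs}
    hits = []
    for r in parse_zeek_tsv(ssl_log):
        if r["id.resp_p"] != "443" or r["id.orig_h"] in exclude:
            continue
        sni, dst = r.get("server_name", "-"), r["id.resp_h"]
        if sni in doh:
            hits.append((r["id.orig_h"], dst, sni, "sni"))
        elif dst in ips:
            hits.append((r["id.orig_h"], dst, sni, "ip"))   # SNI absent or unexpected
    return hits


# Constructed ssl.log excerpt in Zeek TSV format; all hosts and sessions are fictional.
SAMPLE_SSL_LOG = "\t".join(["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
                            "id.resp_p", "version", "cipher", "server_name"]) + "\n" + "\n".join([
    "\t".join(["1.0", "C1", "10.0.5.21", "51000", "1.1.1.1", "443", "TLSv13", "-", "cloudflare-dns.com"]),
    "\t".join(["2.0", "C2", "10.0.5.22", "51001", "198.51.100.7", "443", "TLSv13", "-", "example.com"]),
    "\t".join(["3.0", "C3", "10.0.5.23", "51002", "8.8.8.8", "443", "TLSv13", "-", "-"]),
    "\t".join(["4.0", "C4", "10.0.0.53", "51003", "1.1.1.1", "443", "TLSv13", "-", "cloudflare-dns.com"]),
]) + "\n"

if __name__ == "__main__":
    print(unbound_block_rules())
    print("block on 443:", firewall_block_ips())
    for hit in find_doh_sessions(SAMPLE_SSL_LOG):
        print("DoH bypass:", hit)
```

Session C4 is the exclusion case worth keeping in mind: if your own forwarder speaks DoH upstream (step 2), it will match every indicator here and must be allow-listed, otherwise the detector pages you about your own infrastructure.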


How to Use DoH on Windows Clients

On Windows 10/11/Server 2022 (as a client):

Step 1: Set DoH-compatible DNS servers ("Ethernet" is the adapter name; check yours with Get-NetAdapter)

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ("1.1.1.1","1.0.0.1")

Step 2: Register DoH templates (one entry per server address)

foreach ($ip in "1.1.1.1","1.0.0.1") {
    Set-DnsClientDohServerAddress -ServerAddress $ip `
      -DohTemplate "https://cloudflare-dns.com/dns-query" `
      -AllowFallbackToUdp $True
}

-AllowFallbackToUdp $True lets the client drop back to plaintext port 53 if the DoH endpoint is unreachable; set it to $False if you want encryption or nothing. Registering a template only tells Windows how to reach that resolver over HTTPS. DoH still has to be switched on for the client, either in Settings on Windows 11 or through the "Configure DNS over HTTPS (DoH) name resolution" setting under Network > DNS Client in Group Policy on Windows Server 2022 [⁴].

Step 3: Confirm

Get-DnsClientDohServerAddress

Visit https://1.1.1.1/help to confirm.

Note: Windows Server 2022 can use DoH as a client, but cannot serve or forward DoH natively [⁴].


TL;DR

  • DNS-over-HTTPS encrypts DNS queries to protect privacy.
  • It’s great for end-users, a nightmare for enterprise IT.
  • Enterprises can block, manage, or replace it — but must do so smartly.
  • Windows clients can use DoH now — with the right configuration.

All of this came up because… we got a new server.
We stood up Windows Server 2022 thinking, “Nice, shiny, stable.” But suddenly we were deep in the weeds of encrypted DNS, invisible traffic, and a whole new way our users could bypass policies we didn’t even know were being bypassed. DNS-over-HTTPS wasn’t on the spec sheet — but it sure showed up anyway. Welcome to modern networking.


Sources and Further Reading

  1. RFC 8484 – DNS Queries over HTTPS
  2. Mozilla: DNS-over-HTTPS FAQ
  3. Google Chrome and DNS-over-HTTPS
  4. Microsoft: DNS-over-HTTPS in Windows
  5. Cloudflare: What is DoH?
  6. GitHub: List of Public DoH Servers
  7. NextDNS for Enterprises
  8. ZDNet: Malware using DoH to hide
