DNS over HTTPS (DoH) is a protocol that encrypts Domain Name System (DNS) queries using HTTPS, preventing third parties from viewing or manipulating domain lookups. By tunneling DNS traffic over standard HTTPS (port 443), DoH enhances privacy and security compared to traditional plaintext DNS.
DNS is foundational to internet communication, but traditional DNS queries are unencrypted and vulnerable to interception, spoofing, and surveillance. Attackers can exploit this visibility for phishing redirection, data exfiltration, or traffic manipulation.
DoH mitigates these risks by encrypting DNS requests, making them indistinguishable from regular web traffic. However, this same feature can also create blind spots for security teams, as malicious traffic may bypass conventional DNS filtering controls.
| Feature | Traditional DNS | DoH |
|---|---|---|
| Encryption | None (plaintext) | Encrypted via HTTPS |
| Port | 53 | 443 |
| Privacy | Low | High |
| Visibility for IT teams | High | Reduced |
| Susceptibility to spoofing | High | Low |
| Performance impact | Minimal | Slight overhead possible |
DoH introduces a double-edged security impact. On one hand, it protects users from DNS-based attacks such as spoofing and man-in-the-middle interception. On the other, it can enable threat actors to conceal command-and-control (C2) communications within encrypted traffic.
Security teams must adapt by implementing endpoint-level visibility and policy enforcement rather than relying solely on network-based DNS inspection.
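The following Python is an added example (not part of this page and not Hexnode's product) showing what the recommended adaptation looks like in practice: it scores constructed proxy log lines for DoH indicators visible at the TLS and HTTP layers (a TLS SNI matching a sample list of public DoH resolvers, the RFC 8484 media type `application/dns-message`, and the conventional `/dns-query` path), skips an assumed organisation-sanctioned resolver, and groups hits per source address so the follow-up can happen on the endpoint. The column names, log lines and the hostname `doh.corp.internal` are constructed assumptions; the three public resolver names are real but serve only as a sample list.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample proxy log. The column names are an assumption for this
# example; map them onto whatever your proxy or firewall actually emits.
SAMPLE_LOG = """ts,src_ip,sni,dst_port,path,content_type
2024-05-01T10:00:01Z,10.0.0.5,www.example.org,443,/index.html,text/html
2024-05-01T10:00:02Z,10.0.0.5,dns.google,443,/dns-query,application/dns-message
2024-05-01T10:00:03Z,10.0.0.7,cloudflare-dns.com,443,/dns-query,application/dns-message
2024-05-01T10:00:04Z,10.0.0.9,doh.corp.internal,443,/dns-query,application/dns-message
2024-05-01T10:00:05Z,10.0.0.9,cdn.example.net,443,/api/v1/resolve,application/dns-message
2024-05-01T10:00:06Z,10.0.0.11,updates.example.com,443,/dns-query,application/octet-stream
"""

# Sample list of well-known public DoH resolver hostnames. In production, load
# this from a maintained resolver or threat-intel feed instead of hard-coding it.
KNOWN_PUBLIC_DOH = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Hypothetical organisation-approved DoH endpoint: traffic to it is expected and
# excluded from alerting (the same allowlist a firewall or browser block rule would use).
SANCTIONED_DOH = {"doh.corp.internal"}

# Indicators that on their own justify an alert; the path alone is only a hint.
STRONG_SIGNALS = {"sni:public-doh-resolver", "content-type:dns-message"}


@dataclass(frozen=True)
class Finding:
    ts: str
    src_ip: str
    sni: str
    reasons: tuple


def classify(row: dict) -> tuple:
    """Return the DoH indicators present in one log row (empty tuple if none)."""
    reasons = []
    if row["sni"].lower() in KNOWN_PUBLIC_DOH:
        reasons.append("sni:public-doh-resolver")
    if row["content_type"].lower() == "application/dns-message":
        reasons.append("content-type:dns-message")  # media type defined by RFC 8484
    if row["path"] == "/dns-query":
        reasons.append("path:/dns-query")  # common convention, not mandated by the RFC
    return tuple(reasons)


def detect_unsanctioned_doh(log_text: str) -> list:
    """Flag rows that look like DoH to anything other than the sanctioned resolver."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["sni"].lower() in SANCTIONED_DOH:
            continue
        reasons = classify(row)
        if STRONG_SIGNALS & set(reasons):
            findings.append(Finding(row["ts"], row["src_ip"], row["sni"], reasons))
    return findings


def hosts_by_source(findings) -> dict:
    """Group flagged resolver hosts per source IP for endpoint-side follow-up."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.src_ip].append(f.sni)
    return dict(grouped)


if __name__ == "__main__":
    hits = detect_unsanctioned_doh(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(hosts_by_source(hits))
```

Two rows show why the scoring is layered: the request to `cdn.example.net` on a non-standard path is still caught by its media type, while the `/dns-query` path to `updates.example.com` with an unrelated content type is not alerted on by itself. Once TLS inspection is unavailable only the SNI signal remains, which is the blind spot the text describes and the reason the allowlist and the per-endpoint grouping belong in endpoint policy rather than only on the network.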
Hexnode UEM enables organizations to maintain control and visibility even when DoH is in use. Through centralized policy enforcement, IT admins can:
This endpoint-centric control ensures that privacy enhancements from DoH do not compromise enterprise security posture.
What is DNS over HTTPS in simple terms?
DoH is a method of encrypting DNS queries so that outsiders cannot see which websites a user is trying to access.
Does DoH improve security?
Yes, it prevents eavesdropping and tampering with DNS queries. However, it requires additional endpoint controls to avoid reduced network visibility.
Can DoH be blocked or controlled?
Yes. Organizations can block or restrict DoH through endpoint management tools, firewall rules, or browser configurations.
Is DoH the same as a VPN?
No. DoH only encrypts DNS queries, while a VPN encrypts all internet traffic and masks the user’s IP address.
Why do attackers use DoH?
Attackers use DoH to hide malicious DNS traffic within encrypted HTTPS streams, making detection harder for traditional security tools.