DNS over HTTPS (DoH)
The DNS over HTTPS (DoH) protocol carries the same wire-format DNS messages that are otherwise sent in UDP datagrams, but wraps them in an HTTPS payload with the MIME type application/dns-message. DoH uses the same TCP port as all other HTTPS traffic, 443, so distinguishing DoH from other HTTPS traffic on the wire is difficult.
When a DoH client connects to a DNS server that supports DoH on the standard TCP port 443, the client validates the server's certificate, negotiates a symmetric session key during the TLS handshake (for a cipher such as AES), and then communicates over the encrypted channel. This provides data privacy and integrity. Optionally, DNS clients can authenticate DNS servers using the DoH protocol. In essence, DoH behaves like a web browser session, except that it encodes DNS data within HTTPS requests and responses carried as GET and POST messages. For more information on the DoH protocol, refer to RFC 8484, published by the Internet Engineering Task Force (IETF).
All major browsers support, or will soon support, DoH. While DoH offers privacy benefits to users, it also allows an organization's security policies to be bypassed: malware may evade detection by using DoH to hide its DNS traffic. Organizations that enforce security policy through DNS may therefore want to prevent the use of third-party DoH servers to circumvent these measures. To address this, Infoblox Threat Defense provides a threat intelligence feed called "Public-DoH" (public-doh.infoblox.local). This feed includes the FQDNs of DoH servers as well as "DoH Canary" domains (e.g., http://use-application-dns.net), which signal compliant browsers not to use DoH within the current environment. Depending on the browser configuration, browsers then revert gracefully to the organization's managed DNS, without disrupting user activity. The Infoblox DoH solution encompasses multiple tools described in Infoblox DNS over HTTPS (DoH) solution, ensuring comprehensive coverage of DoH traffic on your organization's network.
Infoblox DoH Feeds
Infoblox offers a DoH service and provides DoH feeds to block open DoH infrastructure. For more information, see Adding DoH Feeds to a Security Policy.
Infoblox Agentless Support for DoH
For Infoblox Threat Defense Business Cloud and Advanced entitlements, Infoblox supports DNS resolution over direct, encrypted DoH (DNS over HTTPS). This eliminates the need to deploy Infoblox Endpoint or to define public subnets (external networks), simplifying your network architecture. For more information about external networks, refer to Configuring External Networks.
To support a comprehensive and robust security posture, this feature enables integration with Secure Service Edge (SSE), web proxies, VPNs, and other security solutions. For information on using agentless support for DNS resolution over direct, encrypted DoH, see Implementing Clients over DoH.
A Comparison of DNS over HTTPS (DoH) to DNS over TLS (DoT)
To view a comparison of DoH to DoT, see A Comparison of DNS over HTTPS (DoH) to DNS over TLS (DoT).