
DNS over HTTPS (DoH)

DNS over HTTPS (DoH) carries DNS messages over HTTPS. The queries and responses use the same wire format as traditional DNS over UDP, but they are sent as an HTTPS payload with the MIME type application/dns-message. DoH uses the same TCP port as all other HTTPS traffic, 443, so distinguishing DoH from ordinary HTTPS traffic on the network is difficult.

When a DoH client connects to a DoH-capable DNS server on TCP port 443, it performs a normal TLS handshake: it validates the server's certificate, negotiates a symmetric session key (for a cipher such as AES) with the server, and then exchanges DNS messages over the encrypted connection. This provides confidentiality and integrity for the DNS traffic, and because the client checks the server's certificate it also authenticates the server. In essence, a DoH client behaves like a web browser or any other HTTP client, except that the data it carries in its GET and POST requests is DNS. For details on the protocol, refer to RFC 8484, published by the Internet Engineering Task Force (IETF).

All major browsers support, or will soon support, DNS over HTTPS (DoH). While DoH offers privacy benefits to users, it can also be used to bypass an organization's security policies, and malware can use DoH to hide its DNS traffic from detection. Organizations that enforce security policy through DNS will therefore want to prevent those controls from being circumvented through third-party DoH servers. To address this, Infoblox provides a threat intelligence feed called "Public-DoH" (public-doh.infoblox.local) that lists the domains of public DoH resolvers so that connections to them can be blocked. Infoblox DNS also answers the "DoH canary" domain (use-application-dns.net) negatively, which signals compliant browsers not to use DoH in the current environment. Depending on their configuration, browsers then fall back gracefully to the organization's managed DNS without disrupting user activity. The Infoblox DoH solution comprises several tools, described in the Infoblox DNS over HTTPS (DoH) solution, that together give your organization comprehensive coverage of DoH on its network.
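The following is an added example, not code from this page or from Infoblox, showing the two RFC 8484 request forms described above and the canary check a browser performs. It builds a wire-format query for use-application-dns.net, encodes it as a DoH GET URL (base64url, no padding) and as a POST request, and then evaluates a constructed NXDOMAIN reply the way a compliant browser would. The resolver URL doh.example.net and the reply bytes are constructed for the example; nothing is sent over the network.

```python
import base64
import struct

# Constructed example (not Infoblox code): RFC 8484 request encoding and the
# DoH canary-domain check. The resolver URL below is a placeholder.
CANARY_DOMAIN = "use-application-dns.net"
DOH_MIME = "application/dns-message"
RCODE_NXDOMAIN = 3


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS wire-format query (RFC 1035) for name/qtype.
    RFC 8484 recommends a zero ID so GET URLs are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: the message goes in the 'dns' parameter as base64url
    without '=' padding (RFC 8484 section 6)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def decode_dns_param(value: str) -> bytes:
    """Server side of the GET form: restore padding before decoding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def doh_post_request(query: bytes) -> dict:
    """POST form: the raw wire-format message is the body and both
    Content-Type and Accept carry application/dns-message."""
    return {
        "method": "POST",
        "headers": {"Content-Type": DOH_MIME, "Accept": DOH_MIME},
        "body": query,
    }


def parse_response(message: bytes) -> tuple:
    """Return (rcode, ancount) from the header of a wire-format response."""
    flags, ancount = struct.unpack("!H2xH", message[2:8])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, ancount


def canary_says_disable_doh(response: bytes) -> bool:
    """Browser-style canary check: NXDOMAIN, or a reply with no answer
    records, means 'do not use DoH on this network'."""
    rcode, ancount = parse_response(response)
    return rcode == RCODE_NXDOMAIN or ancount == 0


def nxdomain_response(query: bytes) -> bytes:
    """Constructed resolver reply: echo the question section and set
    QR, RD, RA with RCODE 3 (NXDOMAIN), as a policy-enforcing resolver does."""
    flags = struct.pack("!H", 0x8183)
    counts = struct.pack("!HHHH", 1, 0, 0, 0)
    return query[:2] + flags + counts + query[12:]


if __name__ == "__main__":
    q = build_query(CANARY_DOMAIN)
    print(doh_get_url("https://doh.example.net/dns-query", q))
    print(doh_post_request(q)["headers"])
    print("disable DoH:", canary_says_disable_doh(nxdomain_response(q)))
```

The GET form is what makes DoH look like any other web request on port 443: the whole DNS question is just a query-string parameter, so a network sensor that cannot inspect TLS sees only an HTTPS connection to the resolver. That is why blocking known public resolver domains and answering the canary domain negatively, rather than trying to spot DoH on the wire, is the practical control.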

Infoblox DoH Feeds

Infoblox offers a DoH service and provides DoH feeds to block open DoH infrastructure. For information, see Adding DoH Feeds to a Security Policy.

Infoblox Agentless Support for DoH

For Infoblox Threat Defense Business Cloud and Advanced entitlements, Infoblox supports DNS resolution over direct, encrypted DoH as well as unencrypted DNS for customer-approved external networks. This eliminates the need to deploy Infoblox Endpoint or to define public subnets (External Networks), simplifying your network architecture. For more information about External Networks, refer to Configuring External Networks.

This feature also enables integration with security solutions such as Secure Service Edge (SSE), web proxies and VPNs, supporting a comprehensive security posture. For information on using agentless support for DNS resolution over direct, encrypted DoH, see Implementing Clients over DoH.

A Comparison of DNS over HTTPS (DoH) to DNS over TLS (DoT)

To view a comparison of DoH and DoT, see A Comparison of DNS over HTTPS (DoH) to DNS over TLS (DoT).