Networking · November 25, 2024 · 7 min read

DNS over HTTPS (DoH): Privacy vs Control

How encrypted DNS changes the game for privacy and what it means for network administrators.



Traditional DNS is sent in plaintext, meaning anyone between you and the DNS server can see every domain you look up. DNS over HTTPS changes that.


How DoH Works


Instead of sending DNS queries on port 53, DoH wraps them in HTTPS on port 443. The queries go to a resolver (like Cloudflare's 1.1.1.1 or Google's 8.8.8.8) over an encrypted connection.


Benefits:

  • ISPs can't see your DNS queries
  • Man-in-the-middle attacks on DNS traffic are harder to mount
  • DNS responses can't easily be tampered with in transit

The Controversy


Network Administrators Hate It


Enterprise networks use DNS for:

  • Content filtering
  • Security monitoring
  • Internal service discovery
  • Compliance logging

When browsers bypass the network's DNS and use their own resolver, all of this breaks.


Privacy Advocates Love It


Your ISP can no longer:

  • Sell your browsing history
  • Inject ads based on your queries
  • Block domains without you knowing

The Reality


Most browsers now support DoH but respect network signals to disable it in enterprise environments. Firefox pioneered this with "canary domains": special names the browser looks up through the network's resolver; the answer it gets back tells it whether the network wants to use its own DNS.
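As an added example (not code from the article), here are the two mechanisms described above in Python: building an RFC 8484 DoH GET request from a wire-format DNS query (the "How DoH Works" section), parsing the application/dns-message reply, and the canary-domain check Firefox uses to honour a network's own DNS. The resolver URL, the canary name use-application-dns.net and the sample replies are assumptions or constructed inputs, not taken from the article.

```python
import base64
import struct

# Assumed DoH endpoint for illustration (the article names Cloudflare's 1.1.1.1 resolver).
DOH_URL = "https://cloudflare-dns.com/dns-query"
# Firefox's canary domain (a real name, but not one the article itself mentions).
CANARY = "use-application-dns.net"

def build_query(name, qtype=1, txid=0):
    """Minimal DNS wire-format query: 12-byte header + one IN question.
    RFC 8484 suggests a zero transaction ID so identical requests cache well over HTTPS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(name, base=DOH_URL):
    """RFC 8484 GET form: the wire message, base64url-encoded with padding stripped, in ?dns=."""
    msg = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{base}?dns={msg}"

def parse_response(data):
    """Parse an application/dns-message reply; return (rcode, [A records as dotted quads])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    rcode, pos = flags & 0x000F, 12
    for _ in range(qd):                       # skip the echoed question section
        while data[pos] != 0:
            pos += data[pos] + 1
        pos += 1 + 4                          # root label + QTYPE/QCLASS
    answers = []
    for _ in range(an):
        if data[pos] & 0xC0 == 0xC0:          # 2-byte compression pointer
            pos += 2
        else:
            while data[pos] != 0:
                pos += data[pos] + 1
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, pos)
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:         # A record
            answers.append(".".join(str(b) for b in rdata))
    return rcode, answers

def canary_disables_doh(data):
    """Firefox turns DoH off when the network resolver answers the canary with NXDOMAIN (rcode 3)
    or with no addresses; anything else means the network has no objection to DoH."""
    rcode, answers = parse_response(data)
    return rcode == 3 or not answers

# Constructed sample reply: NOERROR, example.com A 192.0.2.1 (a TEST-NET-1 address), TTL 300.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
# Constructed canary reply from an enterprise resolver: NXDOMAIN, no answers.
CANARY_NXDOMAIN = (struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0)
                   + b"\x13use-application-dns\x03net\x00" + struct.pack("!HH", 1, 1))
```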


My Take


Use DoH on personal devices on untrusted networks. Respect your organization's DNS policies at work. Consider running your own DoH resolver (like Pi-hole with DoH) for the best of both worlds.