The DNS layer has long been a quiet workhorse of network operations, translating human‑readable hostnames into IP addresses. Recent years have seen a rapid migration toward encrypted DNS transports—most notably DNS‑over‑HTTPS (DoH). Proponents argue that DoH protects user privacy and thwarts on‑path eavesdropping. While the privacy argument holds merit for consumer traffic, the wholesale enforcement of DoH inside corporate environments introduces a suite of unintended security consequences that many organizations overlook until they surface in a breach or compliance audit.
1. Loss of Granular Telemetry
Traditional DNS queries traverse clear‑text UDP or TCP on port 53. This visibility enables security appliances—next‑generation firewalls (NGFWs), intrusion detection systems (IDS), and SIEMs—to log every request, correlate domains with threat intel, and enforce policy based on known malicious hostnames. When DNS traffic is tunneled through HTTPS, it becomes indistinguishable from ordinary web traffic on port 443. Even deep‑packet inspection (DPI) tools that rely on port or protocol signatures can no longer separate DNS from regular HTTP(S) flows without costly TLS termination.
As a result, organizations lose the ability to:
- Identify anomalous domain‑lookup patterns that precede command‑and‑control (C2) activity.
- Correlate failed lookups with potential phishing or typo‑squatting attacks.
- Apply domain‑based allow‑list or block‑list controls at the network edge.
2. Shadow DNS Resolvers and Policy Drift
DoH clients are typically configured to reach public resolvers such as Cloudflare (1.1.1.1) or Google (8.8.4.4). In a tightly controlled corporate network, DNS traffic is usually forced through internal resolvers that enforce corporate policy, log queries, and apply security controls like DNS‑based filtering. When a device is forced to use an external DoH endpoint, it bypasses those controls entirely, creating a "shadow resolver" that operates outside the organization’s policy framework.
This drift can be subtle. A single mis‑configured workstation or a mobile device that automatically enables DoH in its OS can become a conduit for malware that resolves malicious domains without triggering any alert. Over time, the cumulative effect erodes the effectiveness of network‑wide DNS security measures.
3. Complicating Incident Response and Forensics
When a breach occurs, investigators rely on DNS logs to reconstruct the timeline of an attacker’s movements. Encrypted DNS removes that breadcrumb trail. Even if TLS termination is performed at a corporate proxy, the additional latency and processing overhead often leads organizations to bypass the proxy for DoH traffic, opting instead for a direct‑to‑resolver model. The end result is a forensic blind spot.
Moreover, many forensic tools parse DNS query/response pairs to enrich alerts from endpoint detection and response (EDR) platforms. Without those records, the correlation engine loses a critical data source, increasing false‑negative rates and prolonging dwell time.
4. Compliance Implications
Regulations such as PCI‑DSS, HIPAA, and the upcoming EU Cybersecurity Act require organizations to retain network logs for a defined period and to demonstrate that traffic is monitored for malicious activity. Encrypted DNS challenges both requirements:
- Log retention: DoH traffic does not generate the same level of log data as traditional DNS, making it harder to satisfy audit log completeness.
- Monitoring obligations: The inability to inspect DNS queries may be interpreted as a failure to monitor inbound and outbound communications adequately.
Auditors are increasingly questioning the “privacy‑first” justification for DoH in environments where the organization has a duty to protect regulated data. In some jurisdictions, the use of an external resolver that stores query data outside the organization’s control could be deemed a data‑transfer violation.
5. Operational Overhead and Compatibility Issues
Deploying DoH at scale is not a simple “flip‑the‑switch” operation. It requires:
- Updating endpoint OS settings, browsers, and applications to point to the chosen DoH provider.
- Ensuring that internal DNS security services (e.g., DNS‑based web filtering, RPZ, DNS‑SEC validation) are replicated or proxied by the DoH service.
- Implementing TLS termination points if the organization wishes to retain any visibility, which adds hardware costs and introduces potential TLS termination vulnerabilities.
Many enterprises find that the operational cost of maintaining parallel DNS stacks—one for internal policy enforcement and another for DoH compliance—outweighs the privacy benefits for internal traffic.
6. The “Privacy vs. Security” Trade‑off Re‑examined
The core argument for DoH is user privacy. In a corporate setting, however, the primary threat model is not passive eavesdropping but active adversaries seeking to exfiltrate data, move laterally, or establish C2 channels. The loss of DNS visibility directly assists those adversaries by hiding their beaconing traffic from detection tools that would otherwise flag suspicious domain resolutions.
A balanced approach acknowledges that privacy is still valuable—for example, protecting employee browsing habits from internal surveillance—but it should not be achieved at the expense of core security controls. Selective encryption, where only external, non‑corporate traffic is sent via DoH, preserves privacy without sacrificing the protective functions of internal DNS infrastructure.
7. Recommendations for a Measured Deployment
Enterprises that still wish to adopt DoH should consider the following safeguards:
- Deploy a corporate DoH resolver. Run an internal DoH service that forwards queries to the organization’s authoritative resolvers. This retains policy enforcement while providing encrypted transport.
- Whitelist approved DoH endpoints. Use network access control (NAC) or firewall rules to restrict DoH traffic to a curated list of internal resolvers.
- Maintain split‑DNS architecture. Route internal domain queries to internal DNS over clear‑text (or DNS‑SEC) while sending only external queries through DoH.
- Log TLS handshakes. Capture Server Name Indication (SNI) fields from TLS handshakes to at least identify the destination DoH server, providing a minimal level of visibility.
- Integrate with DNS‑SEC. Ensure the corporate DoH resolver validates DNSSEC signatures, preserving integrity guarantees.
- Audit regularly. Conduct periodic reviews to confirm that no device is bypassing corporate DoH controls via local configuration or third‑party applications.
Conclusion
DNS‑over‑HTTPS is a powerful tool for protecting user privacy, but its blanket enforcement inside corporate networks can unintentionally cripple the very security monitoring capabilities that protect enterprises from sophisticated threats. By understanding the hidden costs—loss of telemetry, shadow resolvers, forensic blind spots, compliance challenges, and operational overhead—security leaders can make informed decisions about where and how to apply DoH. A nuanced, hybrid strategy that encrypts external DNS traffic while preserving internal visibility offers the best of both worlds: privacy for end users and the data richness necessary for robust security operations.