If you’ve noticed unusual activity on your systems and aren’t sure how to respond, contact our experts at Zensec immediately; the team can help you investigate and protect your business.
The rise of DNS over HTTPS (DoH) and DNS over TLS (DoT) has sparked debate among IT security professionals, IT leaders and network professionals. The implementation of DoH and DoT promises improved privacy and protection for end users. However, for businesses it introduces significant risks that outweigh its benefits. All organisations should understand what this technology does, the blind spots it introduces in protecting networks, and the mitigations that can be implemented to combat the risks.
What is DoH / DoT?
DNS over HTTPS is a protocol that encrypts DNS queries by sending them through an HTTPS connection rather than the traditional plain-text UDP/TCP channels.
DNS over TLS (DoT), by contrast, encrypts DNS queries by sending them through a Transport Layer Security (TLS) connection instead of the traditional plain-text UDP/TCP channels. It runs on a dedicated port (TCP 853) and protects DNS lookups from interception or tampering by encrypting the communication between the client and the DNS resolver.
The aim is to:
- Prevent eavesdropping on traditional plain-text DNS by ISPs or attackers on the network path.
- Enhance privacy for consumers, particularly on untrusted networks such as public Wi-Fi.
- For DoH, make DNS lookups blend in with normal HTTPS traffic.
While these features sound appealing, they are designed with individual users in mind, not business environments that rely on DNS visibility and control for security.
How do attackers exploit DoH?
What was built to improve privacy is now increasingly abused by cybercriminals:
- Malware & C2 Channels – Malicious tools like the Godlua backdoor hide their command-and-control (C2) communications inside DoH traffic. PsiXBot hardcodes Google’s DoH servers to bypass corporate DNS filters.
- APT Activity – The threat group ChamelGang uses malware with embedded DoH resolvers to mask C2 traffic. Instructions are delivered through DNS TXT records, making activity harder to detect.
In short, DoH gives attackers a covert channel: malware with a built-in DoH client can communicate without triggering traditional DNS-based security controls.
Where may I have DoH / DoT use today?
Organisations are likely to have devices using DoH / DoT due to the following:
- Browser Support – Most modern browsers, including Chrome, Firefox, Edge and Opera, support DoH at the application level. This means that even if an enterprise controls DNS at the network level, applications may bypass it, and users may have enabled the feature themselves.
- Operating System Integration – Windows 11 includes built-in DoH support, which can be enabled by users or switched on by malicious actors to evade DNS-based detections.
Why businesses should be concerned
Security analysts and toolsets rely on DNS visibility for:
- Threat detection (spotting unusual lookups to malicious domains).
- Policy enforcement (blocking inappropriate or risky content).
- Incident response (tracing malware communication patterns).
When DNS queries are encrypted and routed to external resolvers, these capabilities vanish, leaving defenders blind to DNS requests made by malware, insider threats, or policy violations.
The loss of enterprise security controls outweighs the protections offered by DoH / DoT in most businesses.
Recommendations for businesses
Where businesses decide to remove DoH:
- Use your firewall and log data to monitor for DoH and DoT use and investigate the cause. Look for patterns or spikes which may indicate malicious activity.
- Control browser behaviour via Group Policy Objects (GPOs), mobile device management (MDM), or endpoint configuration tools to disable DoH at the browser level.
- Do the same at the operating system level and ensure all devices use the designated DNS hosts you provide.
- Block and disable DoH and DoT at the firewall.
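The first and third recommendations above (monitor firewall and log data for DoH/DoT use, and confirm that devices only talk to the designated DNS hosts) can be turned into a simple triage script. The following is an added example, not Zensec's tooling or anything from the referenced reports. It assumes a constructed `key=value` firewall/proxy log format, a hypothetical designated internal resolver at 10.0.0.2, a short list of well-known public DoH resolver hostnames, and an arbitrary per-source spike threshold; adapt all four to your own environment.

```python
"""Flag likely DoH / DoT use and resolver bypass in firewall and proxy log lines.

Added example (not Zensec's code). The log format, resolver IP, host list and
threshold are assumptions; swap them for what your firewall/proxy actually emits.
"""
import re
from collections import Counter

# Well-known public DoH resolver hostnames (extend with your own observations).
KNOWN_DOH_HOSTS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
    "dns.quad9.net", "doh.opendns.com", "dns.adguard.com",
}
DESIGNATED_RESOLVERS = {"10.0.0.2"}  # assumption: the internal DNS you hand out via DHCP
DOT_PORT = 853                       # DoT runs on a dedicated port, so it is easy to spot
DNS_PORT = 53
SPIKE_THRESHOLD = 20                 # assumption: flows per source before we call it a spike

_KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines: a DoT flow, two DoH flows (one seen by a TLS-inspecting
# proxy with the /dns-query path), ordinary HTTPS, plain DNS to the internal
# resolver, and plain DNS that bypasses it. Timestamps and hosts are made up.
SAMPLE_LOGS = """\
ts=2024-05-01T09:00:01Z src=10.0.0.15 dst=8.8.8.8 dport=853 proto=tcp action=allow
ts=2024-05-01T09:00:02Z src=10.0.0.15 dst=8.8.8.8 dport=443 proto=tcp sni=dns.google action=allow
ts=2024-05-01T09:00:03Z src=10.0.0.22 dst=104.16.248.249 dport=443 proto=tcp sni=cloudflare-dns.com path=/dns-query ctype=application/dns-message action=allow
ts=2024-05-01T09:00:04Z src=10.0.0.30 dst=93.184.216.34 dport=443 proto=tcp sni=example.com action=allow
ts=2024-05-01T09:00:05Z src=10.0.0.30 dst=10.0.0.2 dport=53 proto=udp action=allow
ts=2024-05-01T09:00:06Z src=10.0.0.31 dst=8.8.8.8 dport=53 proto=udp action=allow
"""
# Append a constructed burst of DoT connections from one host to exercise spike detection.
SAMPLE_LOGS += "".join(
    f"ts=2024-05-01T09:05:{i:02d}Z src=10.0.0.99 dst=9.9.9.9 dport=853 proto=tcp action=allow\n"
    for i in range(25)
)


def parse_line(line):
    """Turn one key=value log line into a dict of strings."""
    return dict(_KV.findall(line))


def classify(rec):
    """Return the reasons a single flow record looks like DoH, DoT, or resolver bypass."""
    reasons = []
    port = int(rec.get("dport", 0))
    if rec.get("proto") == "tcp" and port == DOT_PORT:
        reasons.append("DoT: TCP/853")
    if rec.get("sni", "").lower() in KNOWN_DOH_HOSTS:
        reasons.append(f"DoH: TLS to known resolver {rec['sni']}")
    if rec.get("path") == "/dns-query" or rec.get("ctype") == "application/dns-message":
        reasons.append("DoH: /dns-query or application/dns-message seen by proxy")
    if port == DNS_PORT and rec.get("dst") not in DESIGNATED_RESOLVERS:
        reasons.append(f"Plain DNS bypassing designated resolver: {rec.get('dst')}")
    return reasons


def analyze(log_text):
    """Walk the log, collect findings per source host and flag sources above the spike threshold."""
    findings = []
    per_src = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            findings.append((rec.get("src"), rec.get("dst"), reasons))
            per_src[rec.get("src")] += 1
    spikes = sorted(src for src, n in per_src.items() if n >= SPIKE_THRESHOLD)
    return {"findings": findings, "per_src": per_src, "spikes": spikes}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for src, dst, reasons in result["findings"]:
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
    print("Sources to investigate first (spike):", result["spikes"])
```

Each finding names the source host, so the output can be fed straight into the investigation step that the list above calls for. Once browser and OS DoH have been disabled, any host that still appears in the findings is exactly the case the next paragraph describes.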
Where DoH activity still attempts to go outbound after the browser and OS changes, thoroughly investigate the cause, assume breach, and monitor continuously for new activity.
Alternative to disabling DoH
For organisations that wish to embrace DoH rather than disable it outright, Zensec can provide recommendations on request. For the majority, however, disabling DoH is the probable path because of the financial cost and resource effort of closing this blind spot. A well thought out plan to adopt DoH fully while retaining visibility can take significant time and cost, which will likely exceed most businesses' security budgets in the SME space. Bear in mind also that not all devices and applications support DoH.
References:
- https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module
- https://detect.fyi/detecting-dns-over-https-30fddb55ac78
- https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/
- https://www.bleepingcomputer.com/news/security/chinese-hackers-use-dns-over-https-for-linux-malware-communication/
- https://media.defense.gov/2021/Jan/14/2002564889/-1/-1/0/CSI_ADOPTING_ENCRYPTED_DNS_U_OO_102904_21.PDF
