For years, “DNS control” in enterprise networks rested on a simple assumption: a client reaches the corporate resolver over UDP/53 (and occasionally TCP/53); a proxy/firewall/DNS filtering layer sees the traffic, keeps records, and blocks when needed. DoH (DNS over HTTPS), DoT (DNS over TLS), and DoQ (DNS over QUIC) invalidate that assumption.
This shift isn’t a “we encrypted DNS, we’re done” moment. From the enterprise side, it raises two questions at once:
- Policy: Can clients pick “their own resolver” and bypass corporate policy?
- Visibility: When the DNS signal disappears, how do you handle incident triage, threat hunting, and egress control?
In this article I lay out a product-agnostic, operations-focused framework: instead of getting trapped between banning DoH/DoT/DoQ outright or freely allowing it, design a controlled transition.
1) Threat model: what does DoH/DoT/DoQ actually change?
What changes on the enterprise side:
- DNS telemetry (domain, query type, NX ratio, resolver behavior) may no longer be readily readable by “network gear.”
- Some client applications use a hardcoded resolver or a “secure DNS” setting to bypass the corporate resolver.
- Because DoH traffic is buried inside HTTPS, breaking it out with simple port blocking is hard (especially against the large provider endpoints).
What doesn’t change:
- The enterprise still owns the egress boundary: “which device is going to which endpoint, and why?”
- During an incident, the same questions still get asked: “Which domain did this client go to, when, and which IP did it resolve to?“
2) Pick the corporate goal: control, compliance, or user experience?
DoH/DoT/DoQ policy is not a one-line “on/off” decision. Typical goals:
- Security: block malware/phishing domains, see DNS tunneling signals.
- Compliance: keep records, produce evidence at incident time.
- Performance: improve edge resolver cache hit rate, reduce latency.
- Privacy: minimize DNS metadata even on the internal network.
These goals can clash. So instead of “one product,” pin down a design principle.
3) Architectural choices: 3 practical models
Model A — Internal resolver + open DoH/DoT/DoQ closed (strict)
- At egress, controlling ports like 853/TCP (DoT) and 784/UDP (DoQ) is relatively straightforward.
- DoH (443) is harder because it lives inside “HTTPS”; the approach here usually shifts toward techniques like a known DoH endpoint list + SNI/ALPN policy (varies by product).
The risk: if you enforce policy as “complete blocking,” the wrong threshold can lead to customer loss (or to a culture of operational bypass).
Model B — The corporate resolver serves DoH/DoT (managed)
When the requirement to enable “secure DNS” on clients comes up, the best answer is: DoH/DoT support on the corporate resolver layer itself.
The win:
- Encrypted transport + corporate policy delivered at the same time.
- DNS telemetry and audit don’t disappear; “visibility” is preserved.
Model C — Split policy: managed devices vs. unmanaged devices
- Managed devices: corporate resolver + identity/policy (via MDM/EDR)
- Unmanaged: guest network, BYOD → separate policy, separate resolver
This model avoids the “treat everyone with the same rule” mistake.
4) Visibility: even without DNS logs, you can still produce signal
When DNS logs disappear, what remains in your hands:
- Egress firewall/proxy logs (IP/port, SNI, cert metadata)
- NetFlow/IPFIX/sFlow (flow level)
- Endpoint telemetry (EDR, browser policy events)
- On the resolver side (if available), query logs
But your goal should be this: to make DNS visible again, the move isn’t “decrypt the packet”; it’s to produce a signal that’s enough to make a decision.
In practice, these metrics are very valuable:
doh_requests_total(443 traffic going to defined endpoints)dns_fail_open_events(policy bypass / fallback)nx_ratioand “domain entropy” (proxy signals for tunneling suspicion)
5) Operational runbook: what do I check during a DoH/DoT/DoQ incident?
5.1 Symptom: “Some users can’t reach the site”
- Is it DNS, or TLS? (SNI/cert error vs. resolution failure?)
- Is “secure DNS” enabled on the client? (browser/OS policy)
- Is it using the corporate resolver, or public DoH?
- Did the egress policy misclassify a DoH endpoint?
5.2 Symptom: “DNS logs are gone / SIEM correlation broke”
- Which layer was DNS signal being collected from? (resolver, firewall, proxy?)
- Did a new client update flip DoH on by default?
- Is “managed DoH” (a corporate endpoint) in place? If not, plan it.
5.3 Symptom: “Suspected data exfiltration / DNS tunneling”
- Are domain entropy / query pattern anomalies present?
- Is flow volume drifting from the normal DNS profile? (bytes/query)
- Has DoH traffic spiked on a per-client basis?
6) Closing: treat encrypted DNS as a design input, not an enemy
Approaching DoH/DoT/DoQ as “ban it or let it loose” usually creates a bypass culture or destroys visibility in most enterprises. The right approach:
- Make the corporate resolver a control plane
- On managed devices, lean toward a “managed secure DNS” model
- For visibility, generate decision signals instead of “decrypting packets”
- Stand up runbooks and metrics from day one
In an encrypted-DNS world, success isn’t about hiding DNS; it’s about making DNS behavior operationally manageable.