
DNS over HTTPS: Privacy vs Control

Feb 3, 2026 · 8 min read · dnslab.dev

DNS over HTTPS (DoH), specified in RFC 8484, carries DNS messages inside ordinary HTTPS connections to port 443: either a GET with the base64url-encoded query in a `dns=` parameter, or a POST whose body is the raw message with Content-Type `application/dns-message`. On the wire, DoH looks like any other web traffic, so on-path observers (ISPs, captive portals, corporate firewalls) cannot read or selectively block individual queries without broad TLS interception. What they can still see is the destination: a connection to a well-known public resolver is identifiable by IP address and, unless Encrypted Client Hello is in use, by the TLS SNI, so blocking known DoH endpoints outright remains practical even though inspecting the queries does not. For users on untrusted networks, this is a meaningful privacy improvement.
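To make the wire format concrete, here is an added example (not code from the original post) that builds a DNS query, encodes it in both the RFC 8484 GET and POST forms, decodes it again, and parses a reply. Nothing here touches the network: the reply is constructed locally, and the resolver path `/dns-query` and the answer `192.0.2.1` are illustrative assumptions.

```python
import base64
import struct

# Added example: build and decode RFC 8484 DoH messages with the standard
# library only. No network access; the response below is constructed.


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 wire-format query for `name` (default type A, class IN).
    The transaction ID is fixed at 0 as RFC 8484 recommends, so identical
    questions yield identical HTTP requests that caches can coalesce."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags RD=1; QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_path(query: bytes, template: str = "/dns-query{?dns}") -> str:
    """GET form: the raw message base64url-encoded with '=' padding removed,
    substituted into the resolver's URI template (path is an assumption)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return template.replace("{?dns}", "?dns=" + encoded)


def doh_post_request(query: bytes, path: str = "/dns-query") -> tuple:
    """POST form: the message is the body, typed application/dns-message."""
    headers = {"Accept": "application/dns-message",
               "Content-Type": "application/dns-message",
               "Content-Length": str(len(query))}
    return path, headers, query


def decode_doh_get(path: str) -> bytes:
    """Recover the wire-format message from a DoH GET path; re-add the padding
    the sender stripped before base64url-decoding."""
    value = path.split("dns=", 1)[1].split("&", 1)[0]
    value += "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(value)


def read_name(msg: bytes, off: int, max_hops: int = 16) -> tuple:
    """Read a possibly compressed name; return (name, offset after the name).
    The hop limit stops a malicious compression-pointer loop."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_answers(resp: bytes) -> list:
    """Return (name, ipv4, ttl) for each A record in the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):                           # skip echoed question(s)
        _, off = read_name(resp, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return answers


def constructed_response(query: bytes) -> bytes:
    """Constructed sample reply (not from a real resolver): echoes the question
    and answers with one A record for 192.0.2.1 (TEST-NET-1), TTL 300."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    path = doh_get_path(q)
    print("GET", path)
    print(doh_post_request(q)[1])
    print(parse_a_answers(constructed_response(q)))
```

The fixed transaction ID and stripped padding are what make the GET form cacheable at ordinary HTTP caches; the pointer-hop limit in `read_name` is the kind of check a client needs because the resolver, not the network, is now the party that can hand it malformed data.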

The controversy centers on visibility. Enterprise security teams rely on DNS logging and filtering to detect malware command-and-control channels, spot exfiltration over DNS, enforce acceptable-use policies, and block phishing domains. When an application bypasses the system resolver and sends queries straight to a third-party DoH endpoint, every one of those controls goes blind: the resolver logs record nothing, the filter never evaluates the name, and the only trace left on the network is an HTTPS connection to a resolver's IP address. Network administrators lose the ability to see, let alone control, the DNS traffic flowing through their infrastructure.
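As an added example of what a security team can still detect (not code from the original post), the logic below runs over constructed flow records and flags two things: TLS sessions to well-known public DoH resolvers, matched by SNI or destination IP, and clients that open TLS connections while never querying the corporate resolver. The record format, the corporate resolver address 10.0.0.53 and the log lines are constructed for the demo; the resolver hostnames and addresses are the real public endpoints of Google, Cloudflare and Quad9.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Real public DoH endpoints. A production list would be larger and maintained
# as threat intelligence; three providers are enough to show the logic.
KNOWN_DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
# Assumed (hypothetical) enterprise resolver that clients are supposed to use.
CORP_RESOLVERS = {"10.0.0.53"}

# Constructed sample records, not real telemetry. Fields: ts src dst dport sni
# ('-' means no SNI was observed). Destinations 198.51.100.x are TEST-NET-2.
CONSTRUCTED_FLOWS = """
2026-02-03T09:00:01 10.1.1.10 10.0.0.53     53  -
2026-02-03T09:00:02 10.1.1.10 198.51.100.10 443 www.example.com
2026-02-03T09:00:05 10.1.1.20 8.8.8.8       443 dns.google
2026-02-03T09:00:06 10.1.1.20 198.51.100.10 443 www.example.com
2026-02-03T09:00:09 10.1.1.30 1.1.1.1       443 -
2026-02-03T09:00:10 10.1.1.30 10.0.0.53     53  -
2026-02-03T09:00:12 10.1.1.40 198.51.100.20 443 intranet.example
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    sni: str | None


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated 'ts src dst dport sni' records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, sni = line.split()
        flows.append(Flow(ts, src, dst, int(dport), None if sni == "-" else sni))
    return flows


def detect_doh_bypass(flows: list[Flow]) -> dict[str, list[tuple[str, str]]]:
    """Return {client: [(rule, detail), ...]} for clients that appear to resolve
    names somewhere other than the corporate resolver."""
    findings: dict[str, list[tuple[str, str]]] = defaultdict(list)
    tls_count: dict[str, int] = defaultdict(int)
    corp_dns_count: dict[str, int] = defaultdict(int)

    for f in flows:
        if f.dport == 443:
            tls_count[f.src] += 1
            # Rule 1: TLS to a known DoH endpoint. SNI is checked first because
            # resolvers may sit on shared IPs; the IP fallback catches clients
            # that omit SNI or connect to the resolver by address.
            if f.sni in KNOWN_DOH_SNI or f.dst in KNOWN_DOH_IPS:
                findings[f.src].append(("known-doh-endpoint", f"{f.sni or f.dst} ({f.dst})"))
        elif f.dport == 53:
            if f.dst in CORP_RESOLVERS:
                corp_dns_count[f.src] += 1
            else:
                # Rule 2: plaintext DNS that skips the corporate resolver.
                findings[f.src].append(("external-plain-dns", f.dst))

    # Rule 3: a client that browses but never asks the corporate resolver is
    # resolving names elsewhere (DoH, DoT, or a hard-coded resolver). Expect
    # false positives from warm caches and long-lived connections, so treat
    # this as a lead to corroborate, not a verdict.
    for src, n in tls_count.items():
        if corp_dns_count[src] == 0:
            findings[src].append(("dns-silent-client",
                                  f"{n} TLS flow(s), 0 queries to corporate resolver"))
    return dict(findings)


if __name__ == "__main__":
    for client, reasons in sorted(detect_doh_bypass(parse_flows(CONSTRUCTED_FLOWS)).items()):
        for rule, detail in reasons:
            print(f"{client}  {rule:20s}  {detail}")
```

Rule 1 is precise but brittle: it misses self-hosted or obscure resolvers and, once Encrypted Client Hello hides the SNI, falls back to IP matching alone. Rule 3 is the complement, noisy but provider-agnostic. Neither replaces an egress policy that only lets the corporate resolver talk to the outside on 53, 853 and the DoH endpoints it is meant to use; they tell you who is trying to go around it.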

The ecosystem has responded with compromise approaches: discovery mechanisms that let clients find the local network's own encrypted resolver (DDR, RFC 9462, which has the client query `_dns.resolver.arpa` for SVCB records advertising the resolver's DoH or DoT endpoint), split-horizon configurations, and browser behaviors that defer to enterprise-managed resolvers (Firefox turns off its default DoH when the local resolver answers NXDOMAIN for the canary domain `use-application-dns.net`; Chrome only upgrades to DoH when the system resolver is itself a known DoH provider). The debate is less about encryption itself, since almost everyone agrees DNS should be encrypted, and more about who holds the keys to the resolution path.