DNS over HTTPS (DoH)
What is DNS over HTTPS (DoH)?
DNS over HTTPS (DoH) is a secure protocol for performing Domain Name System (DNS) resolution over the HTTPS protocol. Instead of traditional DNS queries being sent in plaintext over UDP or TCP (typically on port 53), DoH encrypts DNS queries and responses inside standard HTTPS traffic (typically on port 443). This provides confidentiality, integrity, and privacy for DNS lookups by preventing intermediaries (such as ISPs, network administrators, or malicious actors) from monitoring or manipulating DNS traffic in transit.
The HYAS Protect Agent leverages DoH to securely transmit DNS queries and responses between the endpoint device and HYAS Protect’s authoritative infrastructure.
Why Does HYAS Protect Use DoH?
Using DoH within the HYAS Protect Agent delivers several key security, privacy, and reliability benefits:
Data Confidentiality: DoH encrypts DNS queries and responses, preventing third parties from intercepting, monitoring, or modifying DNS traffic.
Tamper Resistance: Because DoH uses HTTPS, it inherits the integrity protections of TLS (Transport Layer Security), which help prevent DNS spoofing or man-in-the-middle attacks.
Bypass Local Interference: Traditional DNS traffic can be intercepted or redirected by local networks, captive portals, or compromised routers. DoH allows the Agent to bypass local DNS resolvers and communicate directly with HYAS Protect servers.
Consistency Across Networks: DoH ensures that policy enforcement, threat detection, and resolution decisions remain consistent regardless of where the endpoint is located (on-prem, remote, public Wi-Fi, etc.).
How Does DoH Work in HYAS Protect Agent?
Here is a simplified flow of how the HYAS Protect Agent utilizes DoH:
1. DNS Query Initiation: When an application or service on the endpoint attempts to resolve a domain name, the request is intercepted by the HYAS Protect Agent operating as the local DNS resolver.
2. DoH Request Generation: The Agent encapsulates the DNS query into an HTTPS request according to the DoH specification (RFC 8484). This request is encrypted using TLS.
3. Secure Transmission: The encrypted HTTPS request is sent directly to HYAS Protect’s authoritative DoH endpoint over port 443, bypassing traditional DNS infrastructure.
4. Resolution and Verdict Evaluation: HYAS Protect’s Decision Engine processes the query, evaluates threat intelligence, policies, and behavioral analytics, and returns a resolution verdict (allow, block, redirect, etc.).
5. Response Decryption and Delivery: The Agent decrypts the HTTPS response, applies the verdict locally, and responds to the original application with the resolved IP address or appropriate block/redirect behavior.
Technical Standards Referenced
RFC 8484 — DNS Queries over HTTPS (DoH)
TLS 1.2 / TLS 1.3 — Encryption and secure transport layer protocols
HTTP/2 or HTTP/3 — Depending on infrastructure, DoH traffic may leverage newer, more efficient HTTP protocols (HYAS infrastructure supports this as appropriate)
Advantages of DoH vs Traditional DNS
| Traditional DNS | DNS over HTTPS (DoH) |
|---|---|
| Unencrypted (plain text over UDP/TCP 53) | Encrypted (TLS 1.2+/HTTPS over TCP 443) |
| Susceptible to interception or manipulation | Confidential and tamper-resistant |
| Easily observed or blocked by network operators | Resembles standard web traffic, harder to block |
| Subject to ISP or network DNS policies | Fully controlled by HYAS Protect policies |
| Cannot natively authenticate the resolver | Authenticated end-to-end connection |
Considerations for Enterprises
Policy Enforcement: Because DoH routes all DNS requests through HYAS Protect, enterprise policies are consistently enforced regardless of network location.
Visibility: DNS logs and telemetry are securely sent to HYAS Protect for monitoring, reporting, and incident response.
Reduced Attack Surface: By avoiding local or ISP DNS resolvers, exposure to poisoned caches, spoofing, or compromised infrastructure is minimized.
Compatibility: Because DoH operates over HTTPS, it is generally compatible with most firewalls and proxy configurations, requiring only outbound HTTPS access.
Summary
By implementing DNS over HTTPS within the HYAS Protect Agent, HYAS delivers highly secure, resilient, and policy-consistent DNS resolution for enterprises. DoH forms a critical part of HYAS Protect’s broader Protective DNS approach, ensuring that DNS queries are not only resolved securely, but also evaluated against real-time intelligence to proactively block malicious infrastructure before threats can take hold.