Understanding DNS over HTTPS (DoH)

Written by Owen Parry

Updated at September 30th, 2025

Table of Contents

  • What Is DoH?
  • Benefits of Using DoH
    • Encrypted DNS Traffic
    • Firewall Evasion
    • Device Compatibility
  • CyberFOX Agent and DoH
    • UUID-Based Tracking
    • Local DNS Resolution
    • Fallback Control
  • Limitations of DoH
    • Limited Network-Level Control
    • Requires Endpoint Support
  • When to Use DoT Instead
  • Summary: DoH vs Agent vs DoT
  • Technical Details
    • DNS Protocol Limits
    • DNS Resolution Stages
    • UUID Tracking
    • Security and Policy Implications
  • Examples of DoH in Action
    • Example 1: Remote Employee on Public Wi-Fi
    • Example 2: Office Device with DoH and Location-Based DNS

DNS over HTTPS (DoH) is a secure protocol that encrypts DNS queries using HTTPS, protecting them from interception, manipulation, and surveillance. DoH is especially effective in environments where privacy, mobility, and firewall resilience are critical.

CyberFOX supports DoH both natively and through our Agent, which enhances DoH with UUID tracking, fallback control, and centralized policy enforcement.

What Is DoH?


DoH sends DNS queries over HTTPS (port 443), making them indistinguishable from regular web traffic. This prevents third parties—such as ISPs, attackers, or restrictive networks—from detecting or blocking DNS requests.

Unlike DNS over TLS (DoT), which uses a dedicated port (853), DoH blends into standard web traffic, offering greater resilience in public and mobile environments.


Benefits of Using DoH


Encrypted DNS Traffic

DoH ensures that DNS queries are encrypted from the device to the resolver, protecting user privacy and preventing tampering.

Firewall Evasion

Because DoH uses port 443, it is highly resistant to blocking or redirection. This makes it ideal for:

  • Public Wi-Fi
  • Captive portals
  • Networks with aggressive filtering

Device Compatibility

DoH is supported by:

  • Browsers like Chrome, Firefox, and Edge
  • Operating systems including Windows and macOS
  • Mobile platforms such as Android (Samsung) and iOS


CyberFOX Agent and DoH


The CyberFOX Agent is a lightweight service that enhances DoH functionality with additional enterprise-grade features:

UUID-Based Tracking

Each device is assigned a unique identifier (UUID), allowing:

  • Per-device policy enforcement
  • Centralized logging and analytics
  • Consistent behavior across networks

Local DNS Resolution

The Agent sets the system DNS server to 127.0.0.1, intercepts queries locally, and securely forwards them using DoH. This ensures:

  • Fast resolution
  • Encrypted transport
  • Applications that use alternative DNS servers are intercepted and filtered
  • Reliable fallback behavior

Fallback Control

If DoH fails due to network restrictions, the Agent can:

  • Fall back to IP-based DNS
  • Maintain connectivity without compromising visibility
  • Log fallback events for audit and troubleshooting


Limitations of DoH


While DoH offers strong privacy and flexibility, it may not be ideal for all environments:

Limited Network-Level Control

DoH traffic is indistinguishable from HTTPS, making it harder for network appliances to apply DNS-specific policies without deep packet inspection.

Requires Endpoint Support

Native DoH requires browser or OS-level configuration. For complete control and visibility, the CyberFOX Agent is recommended.


When to Use DoT Instead


DNS over TLS (DoT) may be preferred in:

  • Trusted, managed networks
  • Environments with strict DNS routing requirements
  • Scenarios where port 853 is allowed and monitored

CyberFOX’s DoT implementation supports UUID tracking and converts DoT traffic to DoH at the resolver, ensuring compatibility with our filtering engine.


Summary: DoH vs Agent vs DoT

Feature          | DNS over HTTPS (DoH)          | CyberFOX Agent        | DNS over TLS (DoT)
-----------------|-------------------------------|-----------------------|-------------------
Encryption       | HTTPS over port 443           | HTTPS over port 443   | TLS over port 853
UUID Tracking    | ✅ Supported                   | ✅ Supported           | ✅ Supported
Firewall Evasion | ✅ High                        | ✅ High                | ❌ Low
Fallback Control | ✅ Fallback to IP-based DNS    | ✅ Managed             | ✅ Optional
Best Use Case    | Public Wi-Fi, mobile, roaming | Roaming, full control | Trusted networks
Requires Agent   | ❌ No                          | ✅ Yes                 | ❌ No

Technical Details


DNS Protocol Limits

As defined in RFC 1034 (https://datatracker.ietf.org/doc/html/rfc1034), traditional DNS exposes only four pieces of information about a request:

  • Source IP Address – where the request originated (e.g., a user’s device or office router)
  • Destination IP Address – the DNS server receiving the request
  • Question – the domain being queried (e.g., “Where is google.com?”)
  • Answer – the resolved IP address (e.g., “8.8.8.8”)

This simplicity limits visibility and traceability in modern, mobile-first environments.


DNS Resolution Stages

  1. Initial Resolution (IP-based)
     The device uses traditional DNS to resolve the IP of the DoH server (e.g., uuid.doh.cyberfox.com).

  2. DoH Server IP Resolution
     The DNS server returns the IP address of the DoH endpoint (e.g., hosted on AWS).

  3. Test Query to DoH Server
     A test DNS query is sent to the DoH server to verify connectivity and response.

  4. Switch to Encrypted DoH
     If the test is successful, all future DNS queries are encrypted and routed via HTTPS.

  5. Fallback to IP-Based DNS
     If the DoH server is unreachable, the system reverts to IP-based DNS to maintain connectivity.
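The five stages above, together with the local stub described under Local DNS Resolution, can be modelled end to end. The following is an added example and not CyberFOX Agent code: it encodes RFC 1035 wire-format queries (the only format a DoH POST body carries), bootstraps the DoH endpoint over plain DNS, sends a test query, switches to DoH, and falls back to IP-based DNS while logging the event. The DoH server and the plain resolver are simulated so the script runs offline; the UUID, the `doh.example.test` hostname pattern (standing in for the page's `uuid.doh.cyberfox.com`) and all IP addresses are constructed.

```python
import struct

# Constructed values: a per-device UUID and a placeholder endpoint hostname.
# The UUID is carried in the hostname the client connects to, so the resolver
# can attribute each query to a device regardless of its source IP.
AGENT_UUID = "5b3e1f0a-2c4d-4e6f-8a9b-0c1d2e3f4a5b"
DOH_HOST = f"{AGENT_UUID}.doh.example.test"


def build_query(name, qtype=1, txid=0x1234):
    """Encode an RFC 1035 wire-format query: 12-byte header plus one question (A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return the queried name from a wire-format message (queries carry no compression pointers)."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


class FakeDohServer:
    """Stands in for the HTTPS resolver; records which UUID asked for which name."""

    def __init__(self, table, reachable=True):
        self.table, self.reachable, self.seen = table, reachable, []

    def post(self, host, wire_query):
        # A real client sends POST /dns-query with Content-Type application/dns-message;
        # the endpoint hostname (TLS SNI / Host header) is what carries the device UUID.
        if not self.reachable:
            return None                       # transport failure, not a DNS answer
        device_uuid = host.split(".", 1)[0]
        name = parse_question(wire_query)
        self.seen.append((device_uuid, name))
        return self.table.get(name, "NXDOMAIN")


class LocalStub:
    """Models the Agent's stub on 127.0.0.1: bootstrap, test, switch to DoH, fall back."""

    def __init__(self, plain_dns, doh):
        self.plain_dns = plain_dns   # callable(name) -> ip or None (IP-based DNS)
        self.doh = doh
        self.doh_ip = None
        self.mode = "bootstrap"
        self.events = []             # fallback events, kept for audit and troubleshooting

    def bootstrap(self):
        # Stages 1-2: the DoH endpoint itself must be resolved over traditional DNS.
        self.doh_ip = self.plain_dns(DOH_HOST)
        # Stage 3: a test query confirms the endpoint answers before switching.
        test = build_query("connectivity-check.example.test")
        if self.doh_ip and self.doh.post(DOH_HOST, test) is not None:
            self.mode = "doh"        # Stage 4: all further queries go over HTTPS
        else:
            self.mode = "fallback"   # Stage 5: keep connectivity over IP-based DNS
            self.events.append("bootstrap-fallback")
        return self.mode

    def resolve(self, name):
        if self.mode == "doh":
            answer = self.doh.post(DOH_HOST, build_query(name))
            if answer is not None:
                return ("doh", answer)
            self.mode = "fallback"
            self.events.append(f"doh-unreachable:{name}")
        return ("plain", self.plain_dns(name))


def run_scenarios():
    """Drive the situations the article describes and return what each produced."""
    table = {"connectivity-check.example.test": "203.0.113.10",
             "intranet.example.test": "10.0.0.5"}
    plain = {DOH_HOST: "198.51.100.7", "intranet.example.test": "10.0.0.5"}.get
    results = {}

    # Public Wi-Fi: DoH reachable, so queries go encrypted and are attributed by UUID.
    doh = FakeDohServer(table)
    stub = LocalStub(plain, doh)
    results["wifi_mode"] = stub.bootstrap()
    results["wifi_answer"] = stub.resolve("intranet.example.test")
    results["wifi_seen"] = doh.seen[-1]

    # Endpoint blocked from the start: bootstrap falls back to IP-based DNS.
    stub2 = LocalStub(plain, FakeDohServer(table, reachable=False))
    results["blocked_mode"] = stub2.bootstrap()
    results["blocked_answer"] = stub2.resolve("intranet.example.test")
    results["blocked_events"] = list(stub2.events)

    # DoH drops mid-session: the stub falls back and logs the event.
    flaky = FakeDohServer(table)
    stub3 = LocalStub(plain, flaky)
    stub3.bootstrap()
    flaky.reachable = False
    results["flaky_answer"] = stub3.resolve("intranet.example.test")
    results["flaky_events"] = list(stub3.events)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The design point worth noticing is the distinction between "no transport" (`None`) and "no such name" (`NXDOMAIN`): only the former should trigger fallback, otherwise a single unknown domain would silently drop the device back to unencrypted DNS. Equally, every fallback is recorded, which is what makes the "maintain connectivity without compromising visibility" claim auditable.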


UUID Tracking

UUIDs (Universally Unique Identifiers) are assigned to devices and used in DoH to:

  • Identify individual machines regardless of IP address
  • Enable consistent tracking across networks (e.g., office, home, mobile)
  • Improve policy enforcement and analytics


Security and Policy Implications

  • Encrypted DNS Traffic: Prevents DNS hijacking, spoofing, and surveillance.
  • Bypasses Local DNS Rules: Office routers cannot intercept or redirect DoH traffic.
  • Immutable History: Requests from DoH and location-based sources are stored separately and not reconciled due to performance and integrity constraints.
  • Always-Allowed Domains: Critical domains like microsoft.com, cyberfox.com, and autoelevate.com are always resolvable to ensure fallback and recovery.


Examples of DoH in Action


Example 1: Remote Employee on Public Wi-Fi

Scenario:
A remote employee connects to a public Wi-Fi network at a coffee shop. The network is configured to redirect DNS queries to its own DNS server for logging and filtering.

With DoH Enabled:

  • The employee’s device uses DNS over HTTPS (DoH) to encrypt DNS queries.
  • The DNS requests are sent over HTTPS to the CyberFOX DoH server.
  • The coffee shop’s router cannot inspect or redirect the DNS traffic.
  • The company can still identify the device using its UUID and apply appropriate filtering and logging.

Outcome:
The employee’s DNS traffic remains private and secure, and the company retains visibility and control.


Example 2: Office Device with DoH and Location-Based DNS

Scenario:
A laptop is connected to the corporate office network, which uses IP-based location tracking for DNS resolution. The device is also configured with DoH via the company’s agent.

Behavior:

  • The agent overrides the system DNS settings to 127.0.0.1.
  • The device first resolves the DoH server’s IP using location-based DNS.
  • Once the DoH server is reachable, all DNS queries are encrypted and routed via HTTPS.
  • The router sees only encrypted HTTPS traffic and cannot inspect DNS queries.

Outcome:
The device transitions seamlessly from location-based DNS to DoH. The company sees the request as coming from the device’s UUID, not the office IP, and applies DoH-based policies.
