Understanding DNS over HTTPS (DOH) and Agent Behavior
This article explains how DNS over HTTPS (DOH) works, how agents manage DNS settings, and how request tracking is handled in environments using both DOH and IP-based location tracking.
🔑 Key Concepts
- DOH (DNS over HTTPS): Carries DNS queries inside HTTPS (RFC 8484), so the network path cannot read or alter them. The device is identified by its UUID rather than by its source IP address, which gives device-level instead of network-level visibility.
- Agent Behavior: While running, the agent points the system DNS server setting at 127.0.0.1 so that its local resolver handles every query; when stopped, it restores automatic (DHCP-assigned) DNS. This is how DOH is given priority over whatever resolver the network hands out.
- Request Tracking: Each DNS request is recorded with exactly one source identifier, either an IP address (location-based DNS) or a UUID (DOH). Records from the two paths are never duplicated or reconciled against each other.
🔧 Technical Details
📜 DNS Protocol Limits
Traditional DNS (RFC 1034, https://datatracker.ietf.org/doc/html/rfc1034, and RFC 1035) gives a resolver essentially four pieces of information about each request:
- Source IP Address – where the request originated (e.g., a user’s device or office router)
- Destination IP Address – the DNS server receiving the request
- Question – the domain being queried (e.g., “Where is google.com?”)
- Answer – the resolved address for that name (an A or AAAA record)
This is all a network-based resolver can log. Because the only client identifier is a source IP address, which is shared behind NAT and changes as users move between office, home and mobile networks, visibility and traceability are limited in modern, mobile-first environments.
🔐 DOH vs. Location-Based Tracking
| Feature | DOH (DNS over HTTPS) | Location-Based DNS |
|---|---|---|
| Source Identifier | UUID (device-specific) | IP Address (network-based) |
| Encryption | Yes (TLS via HTTPS) | No (plaintext UDP/TCP port 53) |
| Firewall Visibility | Query contents hidden; local firewalls see only a TLS session to the DOH endpoint | Queries and answers visible to local firewalls |
| Tracking Granularity | Per-device | Per-network |
| Fallback Behavior | Falls back to IP-based DNS if the DOH endpoint is unreachable | No fallback |
DOH is prioritized when both are configured. Location-based DNS is not so much "overridden" as "upgraded" to a more secure and more granular method; it still does the initial bootstrap lookup and serves as the fallback.
🔄 DNS Resolution Stages
- Initial resolution (IP-based): The device uses traditional, unencrypted DNS to resolve the hostname of the DOH server (e.g., uuid.doh.cyberfox.com, the uuid label identifying the device). This one lookup is necessarily visible to the local network.
- DOH server IP resolution: The network's DNS server returns the IP address of the DOH endpoint (e.g., hosted on AWS).
- Test query to the DOH server: A test DNS query is sent over HTTPS to that endpoint to verify connectivity and a valid response.
- Switch to encrypted DOH: If the test succeeds, all subsequent DNS queries are encrypted and routed via HTTPS.
- Fallback to IP-based DNS: If the DOH server is unreachable, the system reverts to IP-based DNS to maintain connectivity. Note the trade-off: a network that blocks the DOH endpoint (for example by filtering the endpoint's IP) can force the device back onto plaintext DNS, where its queries are again visible to, and redirectable by, that network. Treat a device that is persistently in fallback as a signal worth investigating.
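The five stages above, together with the tracking difference from the Key Concepts section (IP-keyed records on the plaintext path, UUID-keyed records on the DOH path), as an added, self-contained example. This is illustrative code written for this article, not the CyberFOX agent's own implementation. It assumes the DOH endpoint hostname carries the device UUID as its first label (`<uuid>.doh.example` is a placeholder), replaces the network with in-memory stand-ins that keep per-source logs (TEST-NET addresses and all log entries are constructed), and builds and parses real RFC 1035 wire-format messages so the "question" and "answer" fields are the actual bytes a resolver sees.

```python
import random
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# ---- DNS wire format (RFC 1035): just enough for one question and one A answer ----

def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer (2 bytes)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def build_query(qname: str, txid: int) -> bytes:
    """Standard query: id, flags RD=1, QDCOUNT=1, then QNAME/QTYPE=A/QCLASS=IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_answer(query: bytes, ipv4: str, ttl: int = 60) -> bytes:
    """Response echoing the query id and question, plus one A record (name as pointer to offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ipv4)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + rr

def parse_message(msg: bytes) -> Dict:
    """Return the article's 'question' and 'answer' fields plus the transaction id."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, answers = 12, "", []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                                    # skip QTYPE + QCLASS
    for _ in range(an):
        _n, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "question": qname, "answers": answers}

# ---- DOH-first resolver: plaintext bootstrap, test query, switch, fallback ----

PlainTransport = Callable[[bytes], bytes]            # UDP/53: network sees source IP + question
DohTransport = Callable[[str, str, bytes], bytes]    # (endpoint_ip, hostname, query) -> response

@dataclass
class DohFirstResolver:
    device_uuid: str
    plain: PlainTransport
    doh: DohTransport
    doh_domain: str = "doh.example"                  # assumption: UUID is the first label of the endpoint name
    always_allowed: Tuple[str, ...] = ("cyberfox.com", "microsoft.com", "autoelevate.com")
    mode: str = "bootstrap"
    doh_ip: Optional[str] = None

    @property
    def doh_host(self) -> str:
        return f"{self.device_uuid}.{self.doh_domain}"

    def _checked(self, query: bytes, resp: bytes) -> List[str]:
        """Reject responses whose id does not match ours (basic anti-spoofing check)."""
        parsed = parse_message(resp)
        if parsed["id"] != struct.unpack("!H", query[:2])[0]:
            raise ValueError("transaction id mismatch")
        return parsed["answers"]

    def start(self) -> str:
        q = build_query(self.doh_host, random.randrange(1, 0x10000))
        ips = self._checked(q, self.plain(q))       # stages 1-2: endpoint lookup in the clear
        self.doh_ip = ips[0] if ips else None
        try:                                         # stage 3: test query for an always-allowed domain
            t = build_query(self.always_allowed[0], random.randrange(1, 0x10000))
            ok = self.doh_ip is not None and bool(self._checked(t, self.doh(self.doh_ip, self.doh_host, t)))
        except OSError:
            ok = False
        self.mode = "doh" if ok else "fallback"      # stage 4 (switch) or stage 5 (fallback)
        return self.mode

    def resolve(self, qname: str) -> Tuple[List[str], str]:
        """Returns (addresses, path); path is 'doh' or 'plain' so callers can see downgrades."""
        q = build_query(qname, random.randrange(1, 0x10000))
        if self.mode == "doh":
            try:
                return self._checked(q, self.doh(self.doh_ip, self.doh_host, q)), "doh"
            except OSError:
                self.mode = "fallback"               # downgrade: the local network now sees every question
        return self._checked(q, self.plain(q)), "plain"

# ---- Constructed network stand-ins (no real sockets, TEST-NET addresses) ----

ZONE = {"example.org": "192.0.2.1", "cyberfox.com": "198.51.100.5"}   # constructed
DOH_ENDPOINT_IP = "203.0.113.10"                                       # constructed

def make_network(block_doh: bool):
    plain_log: List[Tuple[str, str]] = []   # what the office/coffee-shop resolver records: (source IP, question)
    doh_log: List[Tuple[str, str]] = []     # what the DOH endpoint records: (device UUID, question)

    def plain(query: bytes) -> bytes:
        qname = parse_message(query)["question"]
        plain_log.append(("198.51.100.77", qname))              # constructed NAT address of the device
        ip = DOH_ENDPOINT_IP if qname.endswith(".doh.example") else ZONE[qname]
        return build_answer(query, ip)

    def doh(endpoint_ip: str, host: str, query: bytes) -> bytes:
        if block_doh or endpoint_ip != DOH_ENDPOINT_IP:
            raise OSError("connection refused")                 # network filters the DOH endpoint
        qname = parse_message(query)["question"]
        doh_log.append((host.split(".")[0], qname))             # keyed by UUID, not by source IP
        return build_answer(query, ZONE[qname])

    return plain, doh, plain_log, doh_log

def run_demo(block_doh: bool = False) -> Dict:
    plain, doh, plain_log, doh_log = make_network(block_doh)
    r = DohFirstResolver("3f2a9c1e-device", plain, doh)
    mode = r.start()
    ips, path = r.resolve("example.org")
    return {"mode": mode, "ips": ips, "path": path, "plain_log": plain_log, "doh_log": doh_log}

if __name__ == "__main__":
    for blocked in (False, True):
        print(run_demo(blocked))
```

With the endpoint reachable, the plaintext log contains only the bootstrap lookup of the UUID-bearing hostname, and every later question appears only in the UUID-keyed DOH log. With the endpoint blocked, the test query fails, the resolver stays on the plaintext path, and the same question shows up against the device's NAT address instead; that is the downgrade the fallback stage trades for connectivity.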
🧬 UUID Tracking
UUIDs (Universally Unique Identifiers) are assigned to devices and used in DOH to:
- Identify individual machines regardless of IP address
- Enable consistent tracking across networks (e.g., office, home, mobile)
- Improve policy enforcement and analytics
🛡️ Security and Policy Implications
- Encrypted DNS Traffic: An on-path attacker between the device and the DOH server cannot read, spoof or hijack the queries and answers. (The DOH server operator still sees every query; DOH moves trust from the local network to that operator.)
- Bypasses Local DNS Rules: Office routers and captive portals cannot intercept or redirect DOH traffic. They can still block the DOH endpoint outright, which triggers the fallback to IP-based DNS rather than breaking connectivity.
- Immutable History: Requests seen via DOH (keyed by UUID) and via location-based DNS (keyed by IP address) are stored separately and never reconciled, for performance and integrity reasons; a device that changes paths therefore appears under two different identifiers in the history.
- Always-Allowed Domains: Critical domains such as microsoft.com, cyberfox.com and autoelevate.com are always resolvable, so that fallback and recovery of the agent itself cannot be blocked by policy.
🧪 Examples of DOH in Action
Example 1: Remote Employee on Public Wi-Fi
Scenario:
A remote employee connects to a public Wi-Fi network at a coffee shop. The network is configured to redirect DNS queries to its own DNS server for logging and filtering.
With DOH Enabled:
- The employee’s device uses DNS over HTTPS (DOH) to encrypt DNS queries.
- The DNS requests are sent over HTTPS to the CyberFOX DNS-over-HTTPS (DOH) server.
- The coffee shop’s router cannot inspect or redirect the DNS traffic.
- The company can still identify the device using its UUID and apply appropriate filtering and logging.
Outcome:
The employee’s DNS traffic remains private and secure, and the company retains visibility and control.
Example 2: Office Device with DOH and Location-Based DNS
Scenario:
A laptop is connected to the corporate office network, which uses IP-based location tracking for DNS resolution. The device is also configured with DOH via the company’s agent.
Behavior:
- The agent overrides the system DNS settings to 127.0.0.1.
- The device first resolves the DOH server’s IP using location-based DNS.
- Once the DOH server is reachable, all DNS queries are encrypted and routed via HTTPS.
- The router sees only a TLS session to the DOH endpoint (and the single plaintext bootstrap lookup of the DOH hostname); it cannot inspect or redirect the DNS queries inside it.
Outcome:
The device transitions seamlessly from location-based DNS to DOH. The company sees the request as coming from the device’s UUID, not the office IP, and applies DOH-based policies.