Understanding DNS over HTTPS (DOH) and Agent Behavior

Written by Owen Parry

Updated at August 5th, 2025

Table of Contents

  • 🔑 Key Concepts
  • 🔧 Technical Details
    • 📜 DNS Protocol Limits
    • 🔐 DOH vs. Location-Based Tracking
    • 🔄 DNS Resolution Stages
    • 🧬 UUID Tracking
  • 🛡️ Security and Policy Implications
  • 🧪 Examples of DOH in Action
    • Example 1: Remote Employee on Public Wi-Fi
    • Example 2: Office Device with DOH and Location-Based DNS

This article explains how DNS over HTTPS (DOH) works, how agents manage DNS settings, and how request tracking is handled in environments using both DOH and IP-based location tracking.


🔑 Key Concepts

  • DOH (DNS over HTTPS): Carries DNS queries inside HTTPS, so they are encrypted in transit, and lets the filtering service identify the device by a UUID instead of by the source IP address it happens to be behind.
  • Agent Behavior: The agent points the system DNS settings at 127.0.0.1 (the loopback address, where the agent handles queries itself) and restores automatic DNS settings when it is stopped. When both DOH and location-based DNS are configured, DOH takes priority.
  • Request Tracking: Each DNS request is attributed to exactly one source identifier: a UUID if it arrived over DOH, or a source IP address if it arrived over plain, location-based DNS. The two record sets are never duplicated into each other or reconciled.

🔧 Technical Details 

📜 DNS Protocol Limits

Traditional DNS (RFC 1034/1035, https://datatracker.ietf.org/doc/html/rfc1034) is a plaintext protocol, and from a tracking standpoint a query/response exchange yields only four useful pieces of information:

  • Source IP Address – where the request originated as seen by the resolver (e.g., a user's device on the LAN, or the office router's public address once NAT has replaced the internal one)
  • Destination IP Address – the DNS server receiving the request
  • Question – the domain being queried (e.g., "Where is google.com?")
  • Answer – the record returned (e.g., the IPv4 address for google.com)

Because the only "who" is a source IP, this is enough to attribute queries to a network but not to a device, which limits visibility and traceability in modern, mobile-first environments where the same laptop moves between office, home, and public networks.

🔐 DOH vs. Location-Based Tracking

| Feature              | DOH (DNS over HTTPS)                                                        | Location-Based DNS                                  |
|----------------------|-----------------------------------------------------------------------------|-----------------------------------------------------|
| Source Identifier    | UUID (device-specific)                                                      | IP address (network-based)                          |
| Encryption           | Yes (TLS, via HTTPS)                                                        | No (plaintext on port 53)                           |
| Firewall Visibility  | Query contents hidden; the local firewall sees only HTTPS to the DOH endpoint | Queries and answers visible to local firewalls   |
| Tracking Granularity | Per device                                                                  | Per network                                         |
| Fallback Behavior    | Falls back to location-based DNS if the DOH server is unreachable           | None (it is the fallback path)                      |

DOH is prioritized when both are configured. Location-based tracking is not "overridden" so much as "upgraded": the same device is now identified by a stable UUID and its queries are encrypted, rather than being identified only by whatever network it is on.


🔄 DNS Resolution Stages

Initial Resolution (IP-based)
The device uses the DNS it currently has, i.e., ordinary plaintext DNS attributed by source IP, to look up the hostname of the DOH server (e.g., uuid.doh.cyberfox.com). This one lookup is visible to the local network.

DOH Server IP Resolution
That DNS server returns the IP address of the DOH endpoint (e.g., hosted on AWS).

Test Query to DOH Server
The agent sends a test DNS query over HTTPS to that endpoint to verify that it is reachable and returns a valid answer.

Switch to Encrypted DOH
If the test succeeds, all subsequent DNS queries are carried over HTTPS to the DOH server and are attributed to the device's UUID.

Fallback to IP-Based DNS
If the DOH server is unreachable, or later becomes unreachable, the agent reverts to IP-based DNS so the device keeps name resolution. Queries made in this state are plaintext again and are attributed by source IP, so they land in the location-based history rather than the UUID history.
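The five stages above, as an added Python example that is not CyberFOX's agent code: a minimal DNS wire-format builder and parser, the plaintext bootstrap lookup of the DOH hostname, the test query, the switch to DOH, and the fallback when the DOH path dies. The transports are injected so the whole flow runs offline; a real DOH transport would POST the same query bytes to https://<doh host>/dns-query with Content-Type application/dns-message (RFC 8484) and hand back the response body. The probe name cyberfox.com, the zone contents, and every IP address below are assumptions constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Optional

DOH_HOST = "uuid.doh.cyberfox.com"   # endpoint name as given in the article
TEST_NAME = "cyberfox.com"           # assumed name used for the stage-3 connectivity test
Transport = Callable[[bytes], Optional[bytes]]   # wire-format query -> response, None if unreachable


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 A/IN query; the same bytes are the body of an RFC 8484 DoH POST."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # RD=1, one question
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    # Offset just past a name, whether spelled out or ended by a 2-byte compression pointer.
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1


def parse_a_answers(msg: bytes) -> list[str]:
    """IPv4 addresses in the answer section; empty if RCODE != 0 or no A records are present."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                               # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def build_response(query: bytes, ips: list[str], ttl: int = 60) -> bytes:
    # Constructed NOERROR answer to a build_query() message (offline fixture, not captured traffic).
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD=1, RA=1
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                   for ip in ips)                                      # name = pointer to offset 12
    return header + question + rrs


@dataclass
class Resolver:
    plain_dns: Transport                      # stages 1-2 and 5: location-based port-53 path
    doh_factory: Callable[[str], Transport]   # stages 3-4: HTTPS transport to the resolved DoH IP
    mode: str = "plain"
    doh: Optional[Transport] = None

    def bootstrap(self) -> str:
        resp = self.plain_dns(build_query(DOH_HOST))                 # stages 1-2: plaintext lookup
        ips = parse_a_answers(resp) if resp else []
        if ips:
            candidate = self.doh_factory(ips[0])
            test = candidate(build_query(TEST_NAME))                 # stage 3: probe over HTTPS
            if test is not None and parse_a_answers(test):
                self.mode, self.doh = "doh", candidate               # stage 4: switch to DoH
        return self.mode

    def resolve(self, qname: str) -> tuple[str, list[str]]:
        # Returns (path used, addresses); path is "doh" or "plain".
        query = build_query(qname)
        if self.mode == "doh":
            resp = self.doh(query)
            if resp is not None:
                return "doh", parse_a_answers(resp)
            self.mode = "plain"                                      # stage 5: keep connectivity
        resp = self.plain_dns(query)
        return "plain", (parse_a_answers(resp) if resp else [])


def fake_transport(zone: dict[str, list[str]], link: dict) -> Transport:
    """Answer from a constructed zone; return None (unreachable) while link['up'] is False."""
    def send(query: bytes) -> Optional[bytes]:
        labels, off = [], 12
        while query[off]:                                            # read the question name
            labels.append(query[off + 1:off + 1 + query[off]].decode("ascii"))
            off += 1 + query[off]
        return build_response(query, zone.get(".".join(labels), [])) if link["up"] else None
    return send


# Constructed zones using documentation-range addresses; none is a real CyberFOX address.
PLAIN_ZONE = {DOH_HOST: ["203.0.113.10"], TEST_NAME: ["198.51.100.5"], "example.com": ["192.0.2.1"]}
DOH_ZONE = {TEST_NAME: ["198.51.100.5"], "example.com": ["192.0.2.1"]}


def demo() -> dict[str, str]:
    """Healthy bootstrap, one query over DoH, then the DoH server drops and the client falls back."""
    link = {"up": True}
    r = Resolver(fake_transport(PLAIN_ZONE, {"up": True}), lambda ip: fake_transport(DOH_ZONE, link))
    out = {"bootstrap": r.bootstrap(), "first": r.resolve("example.com")[0]}
    link["up"] = False                                               # DoH endpoint becomes unreachable
    out["second"] = r.resolve("example.com")[0]
    return out
```

Running demo() walks the happy path and then the failure mode: the bootstrap lookup of uuid.doh.cyberfox.com goes out in plaintext, the test query succeeds, example.com is resolved over the DOH path, and once the DOH transport starts returning None the resolver silently drops to the plaintext path. That last transition is the one to watch in production, because nothing on the wire announces it.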


🧬 UUID Tracking

UUIDs (Universally Unique Identifiers) are assigned to devices and used in DOH to:

  • Identify individual machines regardless of IP address
  • Enable consistent tracking across networks (e.g., office, home, mobile)
  • Improve policy enforcement and analytics

🛡️ Security and Policy Implications

  • Encrypted DNS Traffic: Queries between the device and the DOH server are encrypted, so an on-path network (hostile Wi-Fi, a captive portal, a router that rewrites port-53 traffic) cannot read, spoof, or redirect them. This protection applies only while the agent is on DOH; during fallback, queries are plaintext again.
  • Bypasses Local DNS Rules: Office routers cannot intercept or redirect DOH traffic, because to them it is ordinary HTTPS to the DOH endpoint. A network that blocks that endpoint does not regain visibility; it pushes the agent into IP-based fallback instead.
  • Immutable History: Requests from DOH and location-based sources are stored separately and are not reconciled, due to performance and integrity constraints.
  • Always-Allowed Domains: Critical domains such as microsoft.com, cyberfox.com, and autoelevate.com are always resolvable regardless of policy, so that bootstrap, fallback, and recovery are never blocked by a filtering rule.
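The always-allowed list and the one-identifier-per-request rule, as an added Python example (not CyberFOX code). It assumes a tenant block list containing gambling.example and a request record that may carry a UUID, an IP, or both. The label-boundary check in in_zone is the point: a naive suffix test would let notmicrosoft.com ride the microsoft.com exception, and a substring test would let microsoft.com.evil.example through as well.

```python
from dataclasses import dataclass
from typing import Optional

ALWAYS_ALLOWED = ("microsoft.com", "cyberfox.com", "autoelevate.com")   # listed in the article
BLOCKED = ("gambling.example",)                                          # assumed tenant block list


def normalize(qname: str) -> str:
    """DNS names compare case-insensitively, and 'example.com.' is 'example.com' (RFC 4343)."""
    return qname.rstrip(".").lower()


def in_zone(qname: str, zone: str) -> bool:
    """True only for the zone apex and names below it.

    endswith(zone) alone would accept 'notmicrosoft.com'; a substring test would also accept
    'microsoft.com.evil.example'. Requiring the '.' label boundary rules both out.
    """
    q, z = normalize(qname), normalize(zone)
    return q == z or q.endswith("." + z)


@dataclass(frozen=True)
class Request:
    qname: str
    uuid: Optional[str] = None   # present when the query arrived over DOH
    ip: Optional[str] = None     # present when it arrived over plain, location-based DNS


def source_key(req: Request) -> tuple[str, str]:
    """Exactly one identifier per request.

    A DOH request is attributed to its UUID even though the HTTPS connection also has a
    source IP; a plain request has only its IP. Nothing is recorded under both.
    """
    if req.uuid:
        return ("uuid", req.uuid)
    if req.ip:
        return ("ip", req.ip)
    raise ValueError("request carries no source identifier")


def decide(req: Request) -> str:
    """Always-allowed zones are checked before the block list so recovery traffic cannot be cut off."""
    if any(in_zone(req.qname, z) for z in ALWAYS_ALLOWED):
        return "allow"
    if any(in_zone(req.qname, z) for z in BLOCKED):
        return "block"
    return "allow"


def audit_record(req: Request) -> dict:
    """Log entry with a single source field; this is what keeps the two histories separate."""
    kind, value = source_key(req)
    return {"qname": normalize(req.qname), kind: value, "decision": decide(req)}
```

A request that arrives with both a UUID and an IP (the normal case for DOH, since the HTTPS session still has a source address) is written once, under the UUID, which matches the article's statement that a request has a single source and that the two record sets are not reconciled.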

🧪 Examples of DOH in Action

Example 1: Remote Employee on Public Wi-Fi

Scenario:
A remote employee connects to a public Wi-Fi network at a coffee shop. The network is configured to redirect DNS queries to its own DNS server for logging and filtering.

With DOH Enabled:

  • The agent resolves the DOH server's hostname through the coffee shop's DNS (the one plaintext lookup that network can see), then carries all DNS queries over HTTPS.
  • The DNS requests are sent over HTTPS to the CyberFOX DNS-over-HTTPS (DOH) server.
  • The coffee shop's router cannot inspect or redirect those DNS queries; it sees only HTTPS traffic to the DOH endpoint.
  • The company still identifies the device by its UUID and applies that device's filtering policy and logging.

Outcome:
The employee’s DNS traffic remains private and secure, and the company retains visibility and control.


Example 2: Office Device with DOH and Location-Based DNS

Scenario:
A laptop is connected to the corporate office network, which uses IP-based location tracking for DNS resolution. The device is also configured with DOH via the company’s agent.

Behavior:

  • The agent points the system DNS settings at 127.0.0.1 so that it handles the device's queries itself.
  • The device first resolves the DOH server's IP address using the office's location-based DNS.
  • Once the DOH server answers the test query, all subsequent DNS queries are encrypted and routed via HTTPS.
  • The office router sees only HTTPS traffic to the DOH endpoint and cannot inspect the DNS queries inside it.

Outcome:
The device transitions seamlessly from location-based DNS to DOH. The company sees the request as coming from the device’s UUID, not the office IP, and applies DOH-based policies.

