DNS over HTTPS (DoH) encrypts DNS queries inside HTTPS, protecting them from interception, manipulation, and surveillance on the path between the device and the resolver. DoH is especially effective in environments where privacy, mobility, and firewall resilience are critical.
CyberFOX supports DoH both natively and through our Agent, which enhances DoH with UUID tracking, fallback control, and centralized policy enforcement.
What Is DoH?
DoH sends DNS queries over HTTPS (TCP port 443), so on the wire they look like ordinary web traffic. Third parties on the path, such as ISPs, attackers, or restrictive networks, cannot read or alter the queries and cannot single them out for blocking by port alone. A network can still block DoH by denying access to the resolver's IP address or, where the TLS server name is visible, its hostname; the Agent's fallback control (below) covers that case.
Unlike DNS over TLS (DoT), which uses a dedicated port (853), DoH blends into standard web traffic, offering greater resilience in public and mobile environments.
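To make the "HTTPS on port 443" point concrete, here is what a DoH request actually carries. This is an added example, not CyberFOX code: it builds a wire-format DNS query (RFC 1035), wraps it in the RFC 8484 GET form (`?dns=` with unpadded base64url) and POST headers, and parses a resolver reply. The endpoint `doh.example.net` and the reply built by `build_sample_response` are constructed so the example runs offline; a real client would send the URL or POST body over TLS.

```python
import base64
import struct

# Hypothetical endpoint for illustration; not a CyberFOX URL.
DOH_ENDPOINT = "https://doh.example.net/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 wire-format query: header + one question.

    RFC 8484 recommends a transaction ID of 0 so identical queries produce
    identical HTTPS requests that intermediaries can cache.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: the query travels in ?dns= as unpadded base64url."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def decode_dns_param(value: str) -> bytes:
    """Server side of the GET form: restore padding, then decode."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def doh_post_headers() -> dict:
    """Header set for the POST form; the body is the raw DNS message."""
    return {"Content-Type": "application/dns-message",
            "Accept": "application/dns-message"}


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Read a (possibly compressed) domain name; return (name, next offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_answers(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Return (name, type, ttl, rdata) for each answer record in a response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return answers


def build_sample_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed stand-in for a resolver reply so the example runs offline."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, q))
    print(parse_answers(build_sample_response(q, "192.0.2.10")))
```

Everything a middlebox could once read in a port 53 packet (the question name, the answer) is now inside the TLS payload; the only plaintext left is the TLS handshake to the DoH host, which is why blocking DoH comes down to blocking the resolver itself.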
Benefits of Using DoH
Encrypted DNS Traffic
DoH ensures that DNS queries are encrypted from the device to the resolver, protecting user privacy and preventing tampering.
Firewall Evasion
Because DoH uses port 443, the same port as all other HTTPS traffic, it is hard to block or redirect without also breaking ordinary web access. This makes it ideal for:
- Public Wi-Fi
- Captive portals
- Networks with aggressive filtering
Device Compatibility
DoH is supported by:
- Browsers like Chrome, Firefox, and Edge
- Operating systems including Windows and macOS
- Mobile platforms such as Android (Samsung) and iOS
CyberFOX Agent and DoH
The CyberFOX Agent is a lightweight service that enhances DoH functionality with additional enterprise-grade features:
UUID-Based Tracking
Each device is assigned a unique identifier (UUID), allowing:
- Per-device policy enforcement
- Centralized logging and analytics
- Consistent behavior across networks
Local DNS Resolution
The Agent sets the system DNS server to 127.0.0.1, intercepts queries locally, and forwards them to the CyberFOX resolver over DoH. This ensures:
- Fast resolution
- Encrypted transport
- Applications configured with their own DNS server are still intercepted and filtered
- Reliable fallback behavior
Fallback Control
If DoH fails due to network restrictions, the Agent can:
- Fall back to classic IP-based DNS (unencrypted, over port 53)
- Maintain connectivity without compromising visibility
- Log fallback events for audit and troubleshooting
Limitations of DoH
While DoH offers strong privacy and flexibility, it may not be ideal for all environments:
Limited Network-Level Control
DoH traffic is indistinguishable from HTTPS, making it harder for network appliances to apply DNS-specific policies without deep packet inspection.
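A network defender who cannot see inside DoH still has two cheap signals: the TLS server name of well-known public DoH resolvers, and HTTPS connections to addresses that no port 53 answer ever returned (a DoH client bootstraps its resolver with one plain lookup and then goes quiet on port 53). The following detection logic is an added example, not part of this page or of any CyberFOX product. The log lines are constructed in a simplified `ts src dst dport sni` / `ts src qname answer` shape rather than taken from a real appliance, the IPs are from RFC 5737 documentation ranges, and the resolver hostname list is a small illustrative subset.

```python
from collections import defaultdict
from dataclasses import dataclass

# Illustrative subset of public DoH resolver hostnames; a production list would be
# larger and maintained outside the code.
KNOWN_DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net",
                 "mozilla.cloudflare-dns.com"}

# Constructed sample logs (not real appliance output). doh.example.net stands in for a
# private DoH endpoint that was bootstrapped with one plain port 53 lookup.
DNS_LOG = """\
2024-05-01T09:00:00Z 10.0.0.5 www.example.com 192.0.2.10
2024-05-01T09:00:01Z 10.0.0.5 doh.example.net 198.51.100.7
"""
CONN_LOG = """\
2024-05-01T09:00:02Z 10.0.0.5 192.0.2.10 443 www.example.com
2024-05-01T09:00:03Z 10.0.0.5 198.51.100.7 443 doh.example.net
2024-05-01T09:00:04Z 10.0.0.5 203.0.113.9 443 -
2024-05-01T09:00:05Z 10.0.0.6 203.0.113.20 443 dns.google
2024-05-01T09:00:06Z 10.0.0.6 203.0.113.30 443 mail.example.com
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    sni: str
    reasons: tuple


def parse_dns_answers(text: str) -> dict:
    """Map each source host to the set of IPs it received in port 53 answers."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, _qname, answer = line.split()
        seen[src].add(answer)
    return seen


def detect_doh(dns_log: str, conn_log: str) -> list:
    """Flag 443 connections that look like DoH rather than ordinary web traffic."""
    answers = parse_dns_answers(dns_log)
    findings = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, sni = line.split()
        if dport != "443":
            continue
        reasons = []
        if sni in KNOWN_DOH_SNI:
            reasons.append("known_doh_sni")
        if dst not in answers.get(src, set()):
            reasons.append("no_prior_port53_lookup")
        if reasons:
            findings.append(Finding(ts, src, dst, sni, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in detect_doh(DNS_LOG, CONN_LOG):
        print(f)
```

Note what the two rules miss: the connection to 198.51.100.7 is not flagged, because the private endpoint was resolved over port 53 first and its SNI is not on any public list. That bootstrap lookup is the one plaintext artifact such a client leaves, and the only hook a network appliance has short of blocking the endpoint outright.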
Requires Endpoint Support
Native DoH requires browser or OS-level configuration. For complete control and visibility, the CyberFOX Agent is recommended.
When to Use DoT Instead
DNS over TLS (DoT) may be preferred in:
- Trusted, managed networks
- Environments with strict DNS routing requirements
- Scenarios where port 853 is allowed and monitored
CyberFOX’s DoT implementation supports UUID tracking and converts DoT traffic to DoH at the resolver, ensuring compatibility with our filtering engine.
Summary: DoH vs Agent vs DoT
Feature | DNS over HTTPS (DoH) | CyberFOX Agent | DNS over TLS (DoT) |
---|---|---|---|
Encryption | HTTPS over port 443 | HTTPS over 443 | TLS over port 853 |
UUID Tracking | ✅ Supported | ✅ Supported | ✅ Supported |
Firewall Evasion | ✅ High | ✅ High | ❌ Low |
Fallback Control | ✅ Fallback to IP Based DNS | ✅ Managed | ✅ Optional |
Best Use Case | Public Wi-Fi, mobile, roaming | Roaming, full control | Trusted networks |
Requires Agent | ❌ No | ✅ Yes | ❌ No |
Technical Details
DNS Protocol Limits
With traditional DNS, as specified in RFC 1034 (https://datatracker.ietf.org/doc/html/rfc1034), a resolver effectively sees only four pieces of information about a request:
- Source IP Address – where the request originated (e.g., a user’s device or office router)
- Destination IP Address – the DNS server receiving the request
- Question – the domain being queried (e.g., “Where is google.com?”)
- Answer – the resolved record (e.g., the IP address returned for google.com)
This is enough to answer the query but not to identify the device behind it: the source IP changes as a device moves between networks and is shared by every device behind the same NAT, which limits visibility and traceability in modern, mobile-first environments.
DNS Resolution Stages
Initial Resolution (IP-based)
The device uses traditional (IP-based) DNS to resolve the IP address of the DoH server (e.g., uuid.doh.cyberfox.com).
DoH Server IP Resolution
The DNS server returns the IP address of the DoH endpoint (e.g., hosted on AWS).
Test Query to DoH Server
The Agent sends a test DNS query to the DoH server to verify connectivity and a valid response.
Switch to Encrypted DoH
If the test succeeds, all subsequent DNS queries are encrypted and sent over HTTPS.
Fallback to IP-Based DNS
If the DoH server is unreachable, the system reverts to IP-based DNS to maintain connectivity, and the fallback event is logged (see Fallback Control above).
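The five stages above form a small state machine: bootstrap over plain DNS, probe the DoH endpoint, switch to DoH, and drop to IP-based DNS when DoH fails, logging the event. The following sketch of that machine is an added example, not the CyberFOX Agent's code. The three transports (plain bootstrap lookup, DoH send, port 53 send) are injected as callables so the stages can be exercised offline; the hostname `uuid.doh.example.net` is hypothetical, and using cyberfox.com as the probe target is an assumption drawn from this page listing it as an always-allowed domain.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hand-assembled wire-format query (ID 0, RD=1, one question: cyberfox.com A) used as
# the stage 3 probe. The probe target is an assumption; the Agent's real probe is not
# documented on this page.
PROBE_QUERY = (b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               b"\x08cyberfox\x03com\x00\x00\x01\x00\x01")


def looks_like_response(query: bytes, resp: bytes) -> bool:
    """Minimal sanity check: full header, QR bit set, transaction ID echoed."""
    return len(resp) >= 12 and resp[:2] == query[:2] and bool(resp[2] & 0x80)


@dataclass
class AgentResolver:
    doh_hostname: str
    bootstrap_lookup: Callable[[str], Optional[str]]  # stages 1-2: plain DNS, name -> IP or None
    doh_send: Callable[[str, bytes], bytes]           # stages 3-4: (doh_ip, query) -> reply over HTTPS
    plain_send: Callable[[bytes], bytes]              # stage 5: classic DNS on port 53
    mode: str = "bootstrap"                           # bootstrap -> doh | fallback
    doh_ip: Optional[str] = None
    audit: list = field(default_factory=list)         # fallback events for audit/troubleshooting

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": time.time(), "event": event,
                           "from_mode": self.mode, **fields})

    def start(self) -> str:
        """Run stages 1-4 once and return the resulting mode."""
        ip = self.bootstrap_lookup(self.doh_hostname)
        if ip is None:
            self._log("bootstrap_failed", host=self.doh_hostname)
            self.mode = "fallback"
            return self.mode
        self.doh_ip = ip
        try:
            resp = self.doh_send(ip, PROBE_QUERY)
            if not looks_like_response(PROBE_QUERY, resp):
                raise ValueError("probe reply is not a DNS response")
        except (OSError, ValueError) as exc:
            self._log("doh_probe_failed", doh_ip=ip, error=str(exc))
            self.mode = "fallback"
            return self.mode
        self._log("doh_active", doh_ip=ip)
        self.mode = "doh"
        return self.mode

    def resolve(self, query: bytes) -> bytes:
        """Forward one query; drop to stage 5 if DoH fails mid-session."""
        if self.mode == "bootstrap":
            self.start()
        if self.mode == "doh":
            try:
                return self.doh_send(self.doh_ip, query)
            except OSError as exc:
                self._log("doh_unreachable", doh_ip=self.doh_ip, error=str(exc))
                self.mode = "fallback"
        return self.plain_send(query)


if __name__ == "__main__":
    def fake_reply(q: bytes) -> bytes:          # echo the ID and set QR (constructed transport)
        return q[:2] + b"\x81\x80" + q[4:]

    agent = AgentResolver("uuid.doh.example.net",
                          bootstrap_lookup=lambda host: "198.51.100.7",
                          doh_send=lambda ip, q: fake_reply(q),
                          plain_send=lambda q: b"plain:" + q)
    print(agent.start(), agent.audit)
```

Once in `fallback` this sketch stays there; a production agent would periodically re-run `start()` so that a device that leaves a restrictive network returns to DoH, and every transition in `audit` is what a SOC would want shipped to central logging.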
UUID Tracking
UUIDs (Universally Unique Identifiers) are assigned to devices and used in DoH to:
- Identify individual machines regardless of IP address
- Enable consistent tracking across networks (e.g., office, home, mobile)
- Improve policy enforcement and analytics
Security and Policy Implications
- Encrypted DNS Traffic: Prevents DNS hijacking, spoofing, and surveillance on the path to the resolver.
- Bypasses Local DNS Rules: Office routers cannot intercept or redirect DoH traffic, so DNS rules applied at the router do not affect the device's queries.
- Immutable History: Requests resolved over DoH and requests resolved via location-based (IP-based) DNS are stored separately and are not reconciled, due to performance and integrity constraints.
- Always-Allowed Domains: Critical domains such as microsoft.com, cyberfox.com, and autoelevate.com are always resolvable to ensure fallback and recovery.
Examples of DoH in Action
Example 1: Remote Employee on Public Wi-Fi
Scenario:
A remote employee connects to a public Wi-Fi network at a coffee shop. The network is configured to redirect DNS queries to its own DNS server for logging and filtering.
With DoH Enabled:
- The employee’s device uses DNS over HTTPS (DoH) to encrypt DNS queries.
- The DNS requests are sent over HTTPS to the CyberFOX DNS-over-HTTPS (DoH) server.
- The coffee shop’s router cannot inspect or redirect the DNS traffic.
- The company can still identify the device using its UUID and apply appropriate filtering and logging.
Outcome:
The employee’s DNS traffic remains private and secure, and the company retains visibility and control.
Example 2: Office Device with DoH and Location-Based DNS
Scenario:
A laptop is connected to the corporate office network, which uses IP-based location tracking for DNS resolution. The device is also configured with DoH via the company’s agent.
Behavior:
- The agent overrides the system DNS settings to 127.0.0.1.
- The device first resolves the DoH server’s IP using location-based DNS.
- Once the DoH server is reachable, all DNS queries are encrypted and routed via HTTPS.
- The router sees only encrypted HTTPS traffic and cannot inspect DNS queries.
Outcome:
The device transitions seamlessly from location-based DNS to DoH. The company sees the request as coming from the device’s UUID, not the office IP, and applies DoH-based policies.