Browsers use DoH, IT wants to know what it means for monitoring and filtering
DNS over HTTPS hides DNS queries inside HTTPS traffic to an external resolver. Good for privacy on the road, but it bypasses your on-prem DNS filter (Pi-hole, NextDNS, AD policies) and makes incident response harder when you cannot see what a host asks.
Try this first
- 1Inventory where DoH is already active: Chrome, Firefox, Edge and Windows 11 sometimes ship it on by default, sometimes behind a flag.
- 2In an office with AD: push group policy 'Configure DNS over HTTPS' to Off for managed devices, and route them through your internal resolver.
- 3For laptops off-network: pick one approved DoH resolver (NextDNS, Cloudflare for Teams) so you have policies and logs.
- 4Block unknown DoH endpoints at the firewall via DNS-resolver blocklists, so clients cannot quietly use any resolver.
- 5Communicate the reasoning to users: this is not privacy-hostile, it is required for security monitoring and compliance.
When to bring us in
If you want a DoH strategy that works at the office and on the road without blinding IT, we can deploy NextDNS or similar.
See also
- Domain expires tomorrow and nobody saw the emailAn expired domain doesn't transfer instantly. There's a redemption window, but you pay extra.
- Unsure whether to enable auto-renewDisabling auto-renew only makes sense for domains you'll truly drop. For anything live, just keep it on.
- New registrar asks for auth code, can't find itEPP code or transfer code is the password to move a domain from registrar A to B.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.