
DNS over HTTPS (DoH) Visibility

DNS over HTTPS (DoH) is a protocol that sends DNS queries encrypted over HTTPS rather than as plaintext UDP traffic on port 53. It is supported by major browsers, operating systems, and third-party DNS clients such as ControlD and Cloudflare's 1.1.1.1 resolver.

Because DoH traffic is encrypted inside standard HTTPS sessions, it is indistinguishable from ordinary web traffic at the network layer. This creates an inherent visibility gap for endpoint detection and response (EDR) platforms, including SenseOn.


What SenseOn cannot see

When DNS resolution is performed over DoH, SenseOn is unable to:

  • Record the domain name queried in the network_dns telemetry table.
  • Attribute a DoH request to the specific process that originated it.
  • Surface the resolved IP address as a DNS event linked to a particular domain.

This means that if an endpoint is communicating via a DoH-capable client — such as a browser with DoH enabled, ControlD (ctrld.exe), or a similar tool — domain-level DNS activity will not appear in SenseOn's network logs, and any alerts that rely on DNS telemetry (for example, detection of typo-squatted or known-malicious domains) may not fire.

💡 Why does this happen? Standard DNS queries travel over UDP/TCP port 53 and are visible to the OS network stack. DoH queries are encrypted inside TLS and sent over port 443 alongside normal HTTPS traffic, so there is no plaintext domain name for the sensor to intercept at the network layer.


What SenseOn can see

SenseOn retains full visibility of surrounding endpoint telemetry, which can support investigation even when DNS telemetry is absent:

  • Process activity on the endpoint at the time of interest (process start/stop, parent–child relationships).
  • Network connections made by each process, including destination IP addresses and ports.
  • File and registry events associated with any process making outbound connections.

This means it is possible to identify which process was active and which IP addresses it connected to during a given time window, even if the domain name itself is not recorded. This approach relies on timing correlation between events rather than direct DNS visibility.


Investigation approach when DoH is in use

If you suspect a threat and DNS telemetry is absent, follow these steps in Hunt Lab:

  1. Identify the time window from any external alert or indicator of compromise (IoC).
  2. Query process activity on the affected endpoint around that time to determine which processes were running.
  3. Cross-reference network connections for those processes to find the destination IP addresses and ports.
  4. Pivot on IP addresses to look up reputation, whois data, or passive DNS records using external threat intelligence sources.
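The four steps above carried out as a timing correlation over endpoint telemetry, as an added example that is not SenseOn code or a Hunt Lab query: the event field names, the five-minute window and every sample value are assumptions, and the DoH resolver IPs are the ones named on this page.

```python
# Added example (not SenseOn code): timing correlation over constructed endpoint telemetry
# when DNS telemetry is absent. Field names (ts, kind, pid, image, dst_ip, dst_port) are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# DoH resolver IPs named on the page; extend with the resolvers used in your environment.
DOH_RESOLVER_IPS = {"1.1.1.1", "8.8.8.8"}

# Constructed telemetry from one endpoint: process starts and outbound connections.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "kind": "process_start", "pid": 410, "image": "svchost.exe"},
    {"ts": "2024-05-01T10:01:30", "kind": "process_start", "pid": 512, "image": "ctrld.exe"},
    {"ts": "2024-05-01T10:01:31", "kind": "net_connect", "pid": 512, "image": "ctrld.exe",
     "dst_ip": "1.1.1.1", "dst_port": 443},
    {"ts": "2024-05-01T10:02:05", "kind": "net_connect", "pid": 700, "image": "powershell.exe",
     "dst_ip": "203.0.113.7", "dst_port": 443},
    {"ts": "2024-05-01T10:02:06", "kind": "net_connect", "pid": 512, "image": "ctrld.exe",
     "dst_ip": "8.8.8.8", "dst_port": 443},
    {"ts": "2024-05-01T11:30:00", "kind": "net_connect", "pid": 410, "image": "svchost.exe",
     "dst_ip": "198.51.100.9", "dst_port": 80},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def connections_in_window(events, center, minutes=5):
    """Map process image -> sorted (dst_ip, dst_port) pairs seen within +/- minutes of center."""
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "net_connect" and lo <= parse(e["ts"]) <= hi:
            seen[e["image"]].add((e["dst_ip"], e["dst_port"]))
    return {image: sorted(pairs) for image, pairs in seen.items()}

def doh_clients(events):
    """Processes talking to a known DoH resolver on 443: their lookups will be absent from network_dns."""
    return sorted({e["image"] for e in events if e["kind"] == "net_connect"
                   and e["dst_port"] == 443 and e["dst_ip"] in DOH_RESOLVER_IPS})

def pivot_ips(window):
    """Destination IPs worth an external reputation / whois / passive-DNS lookup (resolvers excluded)."""
    return sorted({ip for pairs in window.values() for ip, _ in pairs if ip not in DOH_RESOLVER_IPS})

if __name__ == "__main__":
    ioc_time = parse("2024-05-01T10:02:00")  # step 1: time window from the external alert / IoC
    window = connections_in_window(EVENTS, ioc_time)  # steps 2-3
    print("Connections by process:", window)
    print("DoH clients on endpoint:", doh_clients(EVENTS))
    print("IPs to pivot on:", pivot_ips(window))  # step 4
```

Listing the processes that reached a known DoH resolver tells you whose domain lookups are missing; the remaining destination IPs in the window are the ones to pivot on externally.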

Mitigations and workarounds

DoH visibility can be restored or improved by taking action at the network or endpoint configuration level:

Approach: Disable DoH in browsers
Description: Modern browsers (Chrome, Firefox, Edge) allow DoH to be disabled via Group Policy or browser settings. Disabling it causes DNS queries to fall back to the OS resolver, which SenseOn can observe.

Approach: Block DoH at the firewall
Description: Blocking outbound traffic to known DoH resolvers (e.g. 1.1.1.1:443, 8.8.8.8:443, Cloudflare's DoH endpoint cloudflare-dns.com) forces clients to use the standard DNS path.

Approach: Deploy a DNS proxy or secure DNS gateway
Description: Solutions such as Cisco Umbrella, Zscaler DNS, or similar products can intercept and log encrypted DNS traffic centrally, providing an alternative visibility source.

Approach: Audit installed DoH clients
Description: Tools such as ControlD (ctrld.exe) or similar DNS-over-HTTPS clients installed by users or administrators route all DNS traffic through an encrypted channel. Auditing and controlling which DNS clients are permitted in your environment reduces the visibility gap.

💡 Feature request: Native DoH visibility is on the SenseOn product roadmap. If this limitation is affecting your investigations, please raise it with your Customer Success contact so it can be prioritised.

If you have questions about a specific investigation impacted by DoH, contact the SenseOn SOC via support.