Encrypted DNS Detection
This page describes Encrypted DNS Detection in Netify's Network Intelligence Engine. To learn more about our full suite of intelligence drivers, see our intelligence capabilities page.
Risk Overview
While DoT, DoH, and DoQ are effective tools for securing DNS traffic against eavesdropping, they create a blind spot for security infrastructure. By tunneling DNS requests through TLS, HTTPS, or QUIC, these protocols can undermine internal access controls and make it difficult for organizations to manage cybersecurity risk.
Indicator Drivers
DoH Scanner Driver
The DoH scanner indicator driver provides a dynamic defense layer by automatically detecting new or hidden DoH servers in real time. This driver uses advanced behavioral analysis to identify the unique fingerprint of DoH traffic. This proactive approach is critical for blocking private DoH proxies, home-grown resolvers, and malware-driven command-and-control (C2) channels.
- Tag: doh_scanner
- Score: Medium Risk - 30
- Version: 1.2.1
DoH/DoQ Server Driver
The DoH/DoQ server indicator driver utilizes a curated list of well-known DNS-over-HTTPS (DoH) and DNS-over-QUIC (DoQ) servers to prevent users or malware from bypassing local security policies.
- Tag: dox_server
- Score: Medium Risk - 30
- Version: 1.2.0
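
A sketch of list-based matching of the kind the DoH/DoQ server driver describes, as an added example that is not Netify's code; the `Flow` record, the three-entry resolver list and the sample flows are constructed assumptions. It also flags DoT and DoQ by their registered port 853 and the `doq` ALPN, and shows that an unlisted resolver on port 443 goes unmatched, which is the gap the DoH scanner driver is described as covering.

```python
from dataclasses import dataclass

# Constructed sample of well-known public resolver names; a production list is far larger.
KNOWN_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

@dataclass
class Flow:          # hypothetical flow-metadata record
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    sni: str         # TLS/QUIC server name, "" if none was seen
    alpn: str        # negotiated ALPN, "" if none was seen

def on_list(host: str) -> bool:
    """True if host, or a parent domain of it, is on the resolver list."""
    labels = host.strip().rstrip(".").lower().split(".")
    # Compare whole-label suffixes so "xdns.google" does not match "dns.google".
    return any(".".join(labels[i:]) in KNOWN_RESOLVERS for i in range(len(labels)))

def classify(flow: Flow):
    """Return (protocol, reason), or None when nothing matches."""
    if flow.proto == "tcp" and flow.dport == 853:
        return ("DoT", "port 853/tcp")                 # RFC 7858
    if flow.proto == "udp" and (flow.dport == 853 or flow.alpn == "doq"):
        return ("DoQ", "port 853/udp or ALPN doq")     # RFC 9250
    if flow.dport == 443 and flow.sni and on_list(flow.sni):
        return ("DoH", "listed server name")           # RFC 8484 over HTTP/2 or HTTP/3
    return None

# Constructed flows; the .example names are placeholders.
SAMPLE_FLOWS = [
    Flow("tcp", 443, "dns.google", "h2"),
    Flow("udp", 443, "Cloudflare-DNS.com.", "h3"),
    Flow("udp", 853, "resolver.example", "doq"),
    Flow("tcp", 853, "", ""),
    Flow("tcp", 443, "doh.internal.example", "h2"),    # private resolver, not listed
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.proto, f.dport, f.sni or "-", "->", classify(f))
```
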