Cybersecurity · May 3, 2026 · Serdar · 8 min read

DNS Security: DoH, DoT, and Hardening Your Internal DNS

Summary: The security weaknesses of the DNS protocol, the difference between DoH (DNS over HTTPS) and DoT (DNS over TLS), and a guide to hardening an SME's internal DNS.

Summary: DNS is the internet's "phone book," but by default it is an unencrypted, unauthenticated, unverified protocol. Attackers eavesdrop on DNS queries to profile user behavior, forge DNS responses to push users onto phishing sites, and use DNS tunnels to carry traffic between malware inside the network and command-and-control servers. DoH (DNS over HTTPS) and DoT (DNS over TLS) encrypt queries; internal DNS hardening, DNS filtering, and DNS query logging are the foundational defensive layers in an SME environment.

Most IT managers file DNS in the "it works, don't touch it" category. Yet a large share of modern attacks runs over DNS: ransomware coordinates with C2 servers via DNS queries, stolen data is exfiltrated through DNS tunnels, and spoofed DNS responses redirect a user from a bank page to a phishing site. When DNS security is weak, you leave open a channel that all your other defenses do not even monitor.

In this article we cover DNS security at SME scale, DoH/DoT technologies, and hardening internal DNS infrastructure. The audience is IT leads, network admins, and decision-makers looking to improve their security architecture.

What Is DNS, and Why Does It Become an Attack Vector?

DNS (Domain Name System) translates human-readable domain names (yamanlarbilisim.com.tr) into machine-readable IP addresses (e.g., 1.2.3.4). Your browser must do a DNS lookup before it can connect to a site.

The Three Core Weaknesses of Standard DNS

  1. Unencrypted: Plain text on UDP port 53 — anyone on the path can read it
  2. No authentication: The origin of a response cannot be verified
  3. No filtering: Any domain name can be queried

These weaknesses are the foundation of the attack types below.

Attacks Carried Out via DNS

  • DNS Spoofing / Cache Poisoning: a forged DNS response. Result: the user is sent to the wrong IP
  • DNS Hijacking: the DNS server itself is taken over. Result: all queries are under attacker control
  • DNS Tunneling: data hidden inside DNS queries/responses. Result: data exfiltration, C2 communication
  • DNS Amplification: your server is used for DDoS. Result: your organization becomes a tool to attack others
  • Subdomain Enumeration: sweeping for subdomains. Result: attack-surface discovery
  • Typosquatting: redirect to a look-alike domain. Result: phishing

DoH and DoT: Encrypting DNS

DoH (DNS over HTTPS) and DoT (DNS over TLS) carry DNS queries over an encrypted channel.

DoH — DNS over HTTPS

  • Port: 443 (same as HTTPS)
  • Protocol: DNS inside HTTPS
  • Advantage: Blends in with HTTPS traffic — corporate filters cannot easily distinguish it
  • Disadvantage: Bypasses the organization's internal DNS policy

DoT — DNS over TLS

  • Port: 853 (dedicated)
  • Protocol: DNS inside TLS
  • Advantage: Clearly DNS traffic, allowing corporate control
  • Disadvantage: Browser/OS support is more limited

Which Scenario, Which Protocol?

  • Personal user (privacy): DoH (Cloudflare, Quad9, Google)
  • End user inside a corporate environment: DoT (to the corporate DNS server)
  • Corporate DNS server: DoT (toward an upstream resolver)
  • Mobile app privacy: DoH (in-app)

An Important Warning for SMEs

Modern browsers (Chrome, Firefox, Edge) may enable DoH by default and send queries straight to their own resolvers. When that happens, the organization's internal DNS filter (malicious-domain blocking, category filtering) is bypassed. The fix:

  • Use browser policies to disable DoH or redirect it to the corporate server
  • Make the corporate DNS DoH/DoT-capable — the user still uses the corporate DNS but encrypted
  • Detect and block DoH traffic at the network level (with a competent firewall)

Hardening Internal DNS Infrastructure

The SME's internal DNS server is the first stop for every device on the network. Hardening it is critical.

1. Choosing the DNS Server

Common options:

  • AD-integrated DNS: Runs on Windows Server, integrated with AD (common in SMEs)
  • Bind9: Linux, open source, the most widely deployed internet DNS software
  • Unbound: New-generation resolver, performant, strict defaults
  • dnsmasq: Small scale, easy
  • Pi-hole: Open source, focused on ad/malicious-domain blocking

2. Query Filtering — DNS Filter

Blocking malicious domains at the DNS layer:

  • Cisco Umbrella (formerly OpenDNS): Cloud-based, category filtering
  • Quad9: Free DNS with integrated threat intelligence (9.9.9.9)
  • Cloudflare for Families: Family-protection focused (1.1.1.2)
  • NextDNS: Configurable, reasonable pricing for SMEs
  • AdGuard DNS Home: Ad/tracker blocking

Your internal DNS server can use one of these services as an upstream resolver.

3. DNSSEC

DNSSEC (DNS Security Extensions) digitally signs DNS responses — verifying the answer truly came from the authoritative server. It is a foundational defense against cache-poisoning attacks. On the SME side, it is usually enabled at the resolver level; as a domain owner, signing your own zone with DNSSEC adds another protective layer.

4. Query Logging

All DNS queries should be recorded:

  • Which device queried which domain, and when
  • Anomalous queries (random-looking subdomains — a DNS tunnel signal)
  • Hourly reports, yearly archive
  • SIEM integration (if available)

5. Rate Limiting

If one device is sending 1,000+ DNS queries per minute, malware running a DGA (Domain Generation Algorithm) is the likely culprit. Rate limiting protects normal traffic and catches the anomaly.
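A worked Unbound configuration that applies steps 1 to 5 above in one file: it forwards to Quad9 over DoT (the "corporate DNS server → DoT upstream" choice from the table), validates DNSSEC, refuses recursion from outside the internal network, logs every query for the SIEM, and rate-limits clients. This is an added example, not a configuration from the article or from the Unbound or Quad9 projects; the internal range 10.0.0.0/8, the file paths, and the rate thresholds are assumptions to adapt to your own site.

```conf
server:
    verbosity: 1
    interface: 0.0.0.0
    port: 53
    # Step 1/Common Mistakes: no open resolver. Only localhost and the internal
    # network (assumed 10.0.0.0/8) may recurse; everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Step 3: DNSSEC validation; the root trust anchor is kept current (RFC 5011)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

    # Step 4: log every query and reply to a file the SIEM agent ships
    use-syslog: no
    logfile: "/var/log/unbound/unbound.log"
    log-queries: yes
    log-replies: yes

    # Step 5: per-client limit in queries/second. 20 q/s is roughly the
    # article's 1,000+ queries/minute DGA threshold (assumed value).
    ip-ratelimit: 20
    # Per-zone limit so one hammered domain cannot starve normal traffic
    ratelimit: 1000

    # CA bundle used to verify the DoT upstream's certificate (Debian path)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Step 2: Quad9 as the filtering upstream, reached over DNS over TLS on 853.
# "#dns.quad9.net" is the name the upstream certificate must match.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

Run unbound-checkconf before reloading; the access-control lines are what keep the server from becoming an amplification source.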

Detecting DNS Tunnels

A DNS tunnel is when an attacker hides data inside DNS queries/responses to reach the outside world. It is the attacker's favorite because it is a channel firewalls usually do not see.

Indicators

  • Very long or random-looking domain queries (e.g., aXjK29p3LqMnB7vR.evil.com)
  • High-volume, continuous queries to the same domain
  • TXT and NULL record queries (not normal DNS traffic)
  • Tens of distinct subdomain queries per minute from the same device

Detection Solutions

  • DNS log + SIEM: Anomaly rules are written on the data
  • NDR tools: Network Detection & Response performs DNS behavioral detection
  • Cisco Umbrella, Cloudflare Gateway: Cloud DNS filters with built-in DGA/tunnel detection
  • Open source: Manual analysis with dnstap + Zeek (formerly Bro)
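The indicators above, worked as the kind of "simple script" the FAQ mentions: it walks resolver log lines and flags random-looking subdomains, TXT/NULL queries, many distinct subdomains under one domain from one device, and a per-minute query burst (the DGA signal from step 5). This is an added example, not code from the article or from any tool listed; the log format (time, client IP, query name, record type, one query per line), the sample lines, the thresholds, and the two-or-three-label base-domain guess are constructed assumptions to tune against your own resolver's output.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines (not a real capture): "<time> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2026-05-03T09:00:01 10.0.0.21 www.yamanlarbilisim.com.tr A
2026-05-03T09:00:03 10.0.0.42 aXjK29p3LqMnB7vR.evil.com TXT
2026-05-03T09:00:04 10.0.0.42 Zq8wP1nLx0Tv5KbH.evil.com TXT
2026-05-03T09:00:05 10.0.0.42 mR4cVt9sQe2YhN7j.evil.com NULL
2026-05-03T09:00:07 10.0.0.21 login.microsoftonline.com A
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(label):
    # Bits per character: 16 distinct characters give 4.0, "www" gives 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values()) if n else 0.0

def base_domain(qname):
    # Assumed simplification: last two labels, or three for ccTLD forms like com.tr
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and len(parts[-2]) <= 3:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def analyze(log_text, min_entropy=3.5, max_label=30, max_subdomains=3, max_qpm=1000):
    # Returns sorted (client, domain, reason) findings; thresholds are assumed defaults
    findings, subdomains, per_minute = set(), defaultdict(set), Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        qname, qtype = qname.lower(), qtype.upper()
        base, first = base_domain(qname), qname.split(".")[0]
        if qname != base:
            subdomains[(client, base)].add(first)
        per_minute[(client, ts[:16])] += 1  # bucket by YYYY-MM-DDTHH:MM
        if len(first) >= max_label or shannon_entropy(first) >= min_entropy:
            findings.add((client, base, "random-looking subdomain"))
        if qtype in ("TXT", "NULL"):
            findings.add((client, base, "TXT/NULL query"))
    for (client, base), names in subdomains.items():
        if len(names) >= max_subdomains:
            findings.add((client, base, "many distinct subdomains"))
    for (client, _minute), n in per_minute.items():
        if n >= max_qpm:
            findings.add((client, "*", "query rate >= %d/min" % max_qpm))
    return sorted(findings)
```

On the sample above only 10.0.0.42 is reported, with all three evil.com indicators; the rate rule needs a real burst to fire.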

Split-Horizon DNS

In some SMEs, the same domain (e.g., intranet.firma.com) must resolve to a different IP internally than externally.

Classic Split DNS Scenario

  • From the internal network: vpn.firma.com → 10.0.0.5 (internal IP)
  • From the internet: vpn.firma.com → 1.2.3.4 (NAT IP)

The internal DNS server is authoritative for its own zone; external DNS sees a different view. This pattern hides the internal infrastructure from the outside — internal IPs never leak to the internet.

Pinning Employee Devices to the Internal DNS

Employees should not be able to set their own DNS (e.g., 8.8.8.8) by hand; they must use the internal DNS.

Enforcement Methods

  • DHCP: The internal DNS server's IP is handed out by DHCP (the most common method)
  • GPO / configuration profile: Forced DNS settings on domain-joined devices
  • Firewall rule: Outbound port 53/853 traffic allowed only from the internal DNS
  • DoH blocking: Known DoH endpoints are blocked at the firewall

Without this enforcement, an employee's device can bypass the malicious-domain filter.

Common Mistakes

The same errors repeat across organizations:

  • The DNS server's default password is unchanged
  • Query logging is off; anomalies are never seen
  • The DNS server is unpatched (new BIND vulnerabilities are published every year)
  • Employee devices can connect to any DNS — bypassing filters is trivial
  • DNSSEC is off, leaving cache poisoning unaddressed
  • The DNS server allows open recursion to the internet (an amplification-attack vector)
  • No plan for blocking/redirecting DoH and DoT

What Yamanlar Bilişim Offers

DNS hardening support at SME scale:

  • Audit of existing DNS infrastructure and risk assessment
  • Internal DNS server deployment (Bind9, Unbound, AD DNS)
  • DNS filtering integration (Quad9, Umbrella, NextDNS)
  • DNSSEC enablement
  • DoH/DoT-aware solutions
  • DNS query logging and SIEM integration
  • DNS tunnel detection rules
  • Annual DNS health review

Conclusion

When DNS is dismissed with the "it always works" assumption, it becomes one of the attackers' favorite channels. Combine DoH/DoT encryption, internal DNS hardening, category filtering, and query logging, and DNS becomes a foundational layer of defense in depth for an SME. A meaningful share of modern attacks — ransomware C2, data exfiltration, phishing redirects — can be caught here.

At Yamanlar Bilişim, we deliver DNS hardening designs, filtering integration, and continuous-monitoring strategies sized for SMEs — keeping your "phone book" in your control, not the attacker's.

Frequently Asked Questions

Which DNS server software should I pick as an SME?

If you use Active Directory, Windows Server DNS is the natural choice. If you do not, on Linux Unbound (strict defaults, performant) or Bind9 (most widely used, plenty of documentation) is recommended. Pi-hole works nicely as an additional layer for ad/tracker blocking in simple offices.

Should I disable DoH in the browser or leave it on?

In a corporate environment, DoH pointed at the corporate resolver is ideal: the browser uses DoH, but the queries go to the internal DNS, where the corporate filter is applied. The browser default (sending queries to Cloudflare or Google) bypasses the corporate filter — that should be restricted. This can be configured for Chrome, Firefox, and Edge at the policy level.

Cisco Umbrella, Quad9, NextDNS — which is best for an SME?

It depends on budget and needs: Quad9 is free, basic threat intelligence; Cisco Umbrella offers comprehensive category filtering + reporting at a higher price; NextDNS is affordable with flexible configuration. For a small SME, NextDNS or Quad9 are good starting points; mid-to-large SMEs can move up to Umbrella.

Do I need to buy extra tooling to detect DNS tunnels?

Not strictly; regularly analyzing your internal DNS logs (manually or with a simple script) catches most DNS tunneling cases. Look for anomalous query patterns: very long subdomains, high volume, TXT queries. For automated detection, NDR solutions or the detection built into a cloud DNS filter are used.

Does DNSSEC really make a difference in practice?

DNSSEC matters against cache poisoning, but is not enough on its own. If the user's resolver does not validate DNSSEC, signed responses are meaningless. On the SME side: have your internal resolver perform DNSSEC validation, and sign your own domain with DNSSEC (enabled at the registrar). The benefit is modest but not zero — recommended as part of defense in depth.

How do you manage DNS security for employees working from home over VPN?

After the VPN connects, the device's DNS should be steered back to the corporation (full tunnel, or split tunnel + DNS redirection). Otherwise, the home device uses the home DNS or the ISP DNS, and the corporate filter is bypassed. Modern VPN clients (Cisco AnyConnect, FortiClient, OpenVPN) expose this routing as a configurable option.

Last updated: May 3, 2026

Author

Serdar

Yamanlar Bilişim Expert

Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.
