DNS over HTTPS (DoH) encrypts DNS queries inside HTTPS connections, bypassing standard firewall inspection. This topic describes the security risks DoH introduces in enterprise environments and how to block DoH traffic using Cloud Firewall's built-in Intrusion Prevention System (IPS) rules.
Security risks of uncontrolled DoH
When DoH is active, DNS queries travel inside encrypted HTTPS connections. Firewalls that rely on inspecting plain DNS traffic cannot see or enforce policies on those queries. This creates two concrete risks:
-
Unauthorized access by employees
Employees can route DNS queries through encrypted DoH channels, bypassing your access control policies and threat intelligence rules. Domain names your organization has explicitly blocked remain accessible through this path.
-
Malware communication
Worms and trojans can use DoH to query the originating IP addresses of domain names. Because these queries are encrypted, they evade IPS rules, access control policies, and threat intelligence rules—making malware harder to detect and contain.
Block DoH traffic
Cloud Firewall includes built-in IPS rules that detect DoH traffic. These rules run in Monitor mode by default, which logs matches without blocking them. Switch the rules to Block mode to actively drop DoH traffic.
Prerequisites
Before you begin, make sure you have:
Access to the Cloud Firewall console
Permissions to modify IPS configuration rules
Configure IPS rules to block DoH
Log in to the Cloud Firewall console.
In the left-side navigation pane, choose .
In the Basic Protection rule list, find the DoH-related rules. To filter quickly, select Rule Name from the search dropdown and enter DNS over HTTPS.
Change the mode of the relevant rules from Monitor to Block. You can switch individual rules or all DoH-related rules at once.
Switching a rule to Block mode causes Cloud Firewall to drop matching traffic instead of logging it. Review each rule before switching to confirm it aligns with your security policy.
Verify the result
After switching the rules to Block mode, confirm that the rule status in the list reflects the change. To verify that DoH traffic is being blocked, go to and review the traffic logs. Blocked DoH requests appear as denied entries associated with the DNS over HTTPS rules you enabled.