TL;DR: DNS traffic now carries both availability and security risk: encrypted resolution, blocking strategies, and misconfiguration can each alter visibility and performance, according to DigiCert. For identity teams, the lesson is that network-level control and identity governance now intersect wherever DNS becomes a policy enforcement point.
NHIMG editorial — based on content published by DigiCert: What You Need to Know About DNS Traffic
By the numbers:
- In June 2025, UltraDNS processed 136 billion DNS queries daily.
Questions worth separating out
Q: How should security teams govern encrypted DNS without losing visibility?
A: Security teams should define where encrypted DNS is allowed, which resolvers are trusted, and what telemetry remains available when queries are hidden inside HTTPS or TLS.
Q: When does DNS blocking become a resilience problem instead of a control?
A: DNS blocking becomes a resilience problem when it breaks legitimate resolution paths, forces users to bypass approved resolvers, or causes applications to fail because of misconfiguration.
Q: What do organisations get wrong about DNS load balancing?
A: They often treat load balancing only as a routing optimisation and miss its role in service continuity.
Practitioner guidance
- Map encrypted DNS policy by environment: Separate corporate endpoints, managed workloads, and guest networks so each zone has an explicit rule for DoH and DoT.
- Review resolver dependencies before changing blocking rules: Test whether internal applications, security tools, and remote users depend on specific resolvers before enforcing inspection or NXDOMAIN-based blocking.
- Tune TTLs and failover paths together: Use caching to reduce lookup load, but verify that TTL values do not slow recovery when authoritative records change.
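As an added example (not code from DigiCert's article or this editorial), the following Python sketch combines the first two points above: a per-zone policy for DoH, DoT and approved resolvers, plus a dry run over constructed flow records that lists endpoints whose only observed DNS path the new rules would cut off. Zone names, resolver addresses, DoH endpoints and flow records are all assumptions.

```python
from collections import defaultdict
# Constructed policy (not DigiCert's): per zone, the DNS transports allowed and
# the approved resolvers (None = any resolver). Names and addresses are assumptions.
ZONE_POLICY = {
    "corporate": {"allow": {"do53", "dot"}, "resolvers": {"10.0.0.53"}},
    "managed":   {"allow": {"dot"}, "resolvers": {"10.0.0.53", "10.0.1.53"}},
    "guest":     {"allow": {"do53", "dot", "doh"}, "resolvers": None},
}
# Port 443 counts as DoH only toward a known DoH endpoint (TEST-NET addresses here);
# other 443 traffic is ordinary HTTPS and is not classified as DNS at all.
KNOWN_DOH_ENDPOINTS = {"203.0.113.10", "198.51.100.20"}

def transport_of(dst_ip, dst_port):
    if dst_port == 53:
        return "do53"
    if dst_port == 853:
        return "dot"
    if dst_port == 443 and dst_ip in KNOWN_DOH_ENDPOINTS:
        return "doh"
    return None

def evaluate_flow(zone, dst_ip, dst_port):
    """'allowed', 'blocked_transport', 'unapproved_resolver', or None if not DNS."""
    transport = transport_of(dst_ip, dst_port)
    if transport is None:
        return None
    policy = ZONE_POLICY[zone]
    if transport not in policy["allow"]:
        return "blocked_transport"
    if policy["resolvers"] is not None and dst_ip not in policy["resolvers"]:
        return "unapproved_resolver"
    return "allowed"

def dry_run(flows):
    """Endpoints whose every observed DNS path the policy would cut off (fix before enforcing)."""
    counts = defaultdict(lambda: [0, 0])          # (zone, src) -> [allowed, blocked]
    for zone, src, dst_ip, dst_port in flows:
        verdict = evaluate_flow(zone, dst_ip, dst_port)
        if verdict is not None:
            counts[(zone, src)][0 if verdict == "allowed" else 1] += 1
    return sorted(k for k, (ok, bad) in counts.items() if ok == 0 and bad > 0)

# Constructed flow records: (zone, source host, destination ip, destination port)
SAMPLE_FLOWS = [
    ("corporate", "laptop-01", "10.0.0.53", 53),       # approved path
    ("corporate", "laptop-01", "203.0.113.10", 443),   # DoH blocked, but laptop-01 has a fallback
    ("corporate", "laptop-02", "203.0.113.10", 443),   # DoH only: would lose resolution
    ("managed", "app-server-7", "10.0.0.53", 53),      # plain DNS not allowed in this zone
    ("managed", "app-server-8", "10.0.1.53", 853),     # approved path
    ("guest", "byod-3", "93.184.216.34", 443),         # ordinary HTTPS, ignored
]
```

Run `dry_run(SAMPLE_FLOWS)` against real flow exports before enforcement; anything it returns is a dependency to migrate or exempt first.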
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step DNS traffic management guidance for performance, availability, and policy enforcement.
- Practical comparisons of DoH, DoT, caching, and DNS load balancing in operational environments.
- Examples of how resolver choices affect latency, inspection, and control in mixed networks.
- Troubleshooting detail for misconfiguration, blocking, and legacy compatibility scenarios.
Read DigiCert's guide to DNS traffic, encrypted resolution, and blocking.