Subscribe to the Non-Human & AI Identity Journal
Authentication, Authorisation & Trust

DNS Over HTTPS

← Back to Glossary
By NHI Mgmt Group Updated July 12, 2026 Domain: Authentication, Authorisation & Trust

A way to send DNS lookups inside encrypted HTTPS requests instead of standard DNS traffic. It improves privacy in normal use, but it also gives malware a way to hide command resolution and domain lookups from defenders who only inspect classic DNS logs.

Expanded Definition

DNS over HTTPS, or DoH, is a transport method for DNS queries that wraps name resolution inside standard HTTPS traffic. In NHI environments, that matters because service accounts, agents, and automation pipelines often resolve APIs, callback domains, package hosts, and identity endpoints continuously. DoH can reduce passive interception and make DNS traffic harder to profile, but the same property also reduces the visibility defenders rely on for domain-based detection.

Definitions vary across vendors on whether DoH is a privacy control, an evasion channel, or both. From an NHI governance perspective, the practical question is not whether DoH is allowed in theory, but whether it is approved, logged, and bounded by policy. NIST guidance on detection and response emphasizes monitoring that preserves investigative value, and the NIST Cybersecurity Framework 2.0 reinforces the need for visibility and anomaly handling across network activity. The most common misapplication is allowing unmanaged DoH use by agents and workloads, which occurs when teams whitelist encrypted web traffic without separately governing resolver destinations or telemetry retention.

Examples and Use Cases

Implementing DoH rigorously often introduces a visibility tradeoff, requiring organisations to weigh user privacy and transport encryption against the loss of straightforward DNS logging and filtering.

  • An agent running in CI/CD resolves package repositories through a corporate-approved DoH resolver so lookups remain encrypted while still being attributable.
  • A security team blocks arbitrary DoH endpoints but allows a small list of sanctioned resolvers, reducing the chance that malware can hide command resolution.
  • A cloud workload uses DoH to protect DNS queries across shared networks, while the organization preserves flow logs and resolver audit trails for incident review.
  • A defender investigates suspicious outbound HTTPS sessions that mask repeated lookups to newly registered domains, a pattern often associated with covert C2 behavior.
  • An NHI governance team references the Ultimate Guide to NHIs when defining which service accounts may use encrypted resolution and which must remain on monitored resolvers.

Operationally, DoH is best treated as a controlled network capability, not a default right for every workload. It should be paired with resolver allowlists, endpoint policy, and detective controls that can distinguish legitimate encrypted lookup behavior from concealment. The broader Ultimate Guide to NHIs is useful here because DNS control is only one part of managing service-account visibility, rotation, and offboarding.

Why It Matters in NHI Security

DoH becomes an NHI issue when defenders lose sight of how machine identities discover dependencies and external services. That loss of visibility can hide credential exfiltration, command-and-control lookups, and policy violations inside ordinary encrypted web traffic. Because NHI abuse often starts with quiet reconnaissance rather than obvious authentication failure, encrypted DNS can delay detection long enough for an attacker to move from foothold to persistence.

NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts, and that gap is especially dangerous when name resolution is opaque. If a compromised agent can reach arbitrary resolvers, the organisation may not notice until unusual outbound patterns or downstream service abuse appear. This is why DNS policy must sit alongside identity governance, not outside it. The most important point is that DNS over HTTPS is rarely investigated first in a healthy environment; organisations typically encounter it as a complicating factor only after suspicious agent behavior, at which point it becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Encrypted DNS can obscure NHI command resolution and domain control paths.
NIST CSF 2.0DE.CM-1DoH affects monitoring of network activity and detection of suspicious resolution patterns.
NIST Zero Trust (SP 800-207)SC-7Zero Trust requires controlled egress paths, including name-resolution channels.
NIST AI RMFAI systems and agents need traceable network behavior to manage operational risk.
OWASP Agentic AI Top 10A3Agentic systems can misuse encrypted channels to hide tool access and outbound discovery.

Preserve DNS visibility through approved resolvers and correlate HTTPS traffic with workload identity.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org