Introducing DNS over HTTPS (DoH) Support in Advanced DNS Security Resolver (ADNSR)



 

By: @gpokuri 

 

We're thrilled to announce a major enhancement to our Advanced DNS Security Resolver (ADNSR). We now support DNS over HTTPS (DoH). With DoH, all DNS traffic is fully encrypted, preventing malicious actors and external parties from viewing or modifying your critical user DNS traffic. 

 

Securing the Internet's Vulnerable Backbone

 

The Domain Name System (DNS), the Internet's naming system, is constantly targeted for abuse. DNS is exploited across many stages of the attack lifecycle. From initial access and command-and-control to data exfiltration, DNS plays a critical role. In fact, Unit 42 research shows that over 85% of malware utilizes DNS for command-and-control (C2) precisely because it is a reliable, stealthy, and universally trusted protocol that is often left uninspected. 

In today's sophisticated threat landscape, the fundamental design flaw of traditional DNS over User Datagram Protocol (UDP) is an unacceptable limitation: queries and responses are sent in plaintext, leaving your enterprise network open to eavesdropping, interception, and manipulation by anyone on the path.

To counter this persistent threat and ensure high network privacy, our Advanced DNS Security Resolver (ADNSR) now integrates DNS over HTTPS (DoH) query processing. This is more than just adopting a new protocol; it's a necessary security evolution that lets you analyze and categorize the DNS payload contained within encrypted traffic.

 

What This Means for You:

 

This feature combines the best of both worlds: strong encryption and ADNS Security, powered by Precision AI.

 

Enhanced Security through Encryption

  • Protocol Overview: DoH is a security protocol that encrypts Domain Name System (DNS) queries over an HTTPS connection.
  • Protection: By encrypting all DNS resolution, DoH protects your sensitive traffic from interception and modification by malicious actors and external parties. This is a direct defense against the critical weaknesses of traditional plaintext DNS.

 

Uncompromised Real-Time Security and Visibility

  • Encrypted Payload Analysis: A key capability of ADNSR is its ability to analyze and categorize the DNS payloads contained within the encrypted DNS traffic requests.
  • Real-Time Threat Prevention: This ensures you get complete visibility and consistent protection against advanced, sophisticated DNS threats, even as enterprises shift to multi-cloud, widespread branch deployments, and remote workforces. The ADNSR leverages Precision AI to inspect both DNS requests and responses in real-time, proactively preventing sophisticated threats such as DNS hijacking and DNS Tunneling.

 

Technical Specifications

 

Our DoH implementation adheres to strict RFC standards, ensuring seamless integration into your security architecture.

 

Service Endpoint and Access

 

 

  • Dedicated URL: The service operates through a dedicated domain, ensuring a consistent and controlled access point (the DoH URL is shown in the DNS Resolver Info window in Strata Cloud Manager).
  • Authentication: For campus/branch environments connecting directly, user authentication is handled via source IP validation, which requires the network to be registered as a connection source in Strata Cloud Manager.

 

Compatibility and Formats

 

 

  • Protocols: The system supports both HTTP/1.1 and HTTP/2 traffic, utilizing appropriate ALPN (Application-Layer Protocol Negotiation) advertising.
  • Query Methods & Formats: Clients can send DNS queries using either GET or POST methods in two standardized formats: binary and JSON.

 

Getting Started is Simple

Deployment for your registered campus/branch connection sources is a straightforward process managed through Strata Cloud Manager (SCM).

  1. Enable and Scope: Enable your Advanced DNS Security Resolver and ensure all clients in the branch/campus networks are included when defining your connection sources.
  2. Retrieve URL: Retrieve the DoH URL from the DNS Resolver Info window in Strata Cloud Manager: https://edge-dns.service.paloaltonetworks.com/dns-query.
  3. Update Client: Update your DNS client device to use this DoH URL for all DNS queries.
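To make the "Compatibility and Formats" section and the client-setup steps above concrete, here is an added example (not code from the post or from Palo Alto Networks) that builds a DNS query in wire format, wraps it in the GET and POST request forms defined by RFC 8484 for the DoH URL given above, and parses the A records out of a response. The response bytes are constructed locally for the demo; nothing is sent over the network. The JSON query format mentioned in the post is not covered here.

```python
import base64
import struct
import urllib.parse

# DoH endpoint as shown in the DNS Resolver Info window (from the post).
DOH_URL = "https://edge-dns.service.paloaltonetworks.com/dns-query"

def build_query(name, qtype=1, qid=0):
    """Minimal DNS wire-format query (RFC 1035). RFC 8484 recommends ID=0 so
    identical queries yield identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(query, base=DOH_URL):
    """GET form: ?dns=<base64url(query)> with '=' padding removed (RFC 8484)."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base}?{urllib.parse.urlencode({'dns': dns})}"

def doh_post_request(query, base=DOH_URL):
    """POST form: the raw wire query is the body, typed application/dns-message."""
    return {"method": "POST", "url": base, "body": query,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"}}

def _skip_name(buf, off):
    """Advance past a (possibly compressed) name; returns offset after it."""
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def parse_a_records(resp):
    """Return the A-record addresses from a wire-format DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                     # skip the question section
        off = _skip_name(resp, off) + 4     # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

def sample_response(query):
    """Constructed demo response: echoes the question, answers with one A
    record pointing at 192.0.2.1 (a documentation address, not a real host)."""
    hdr = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return hdr + query[12:] + rr
```

A real client would send `doh_get_url(q)` or `doh_post_request(q)` over TLS with ALPN set for HTTP/2 or HTTP/1.1 and hand the `application/dns-message` body to `parse_a_records`.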

 

The integration of DoH support into the Advanced DNS Security Resolver is a crucial step in securing the vulnerable backbone of the internet for modern, distributed enterprises. By allowing you to enforce DNS encryption without sacrificing security analysis, we empower you to deliver consistent, real-time, AI-powered protection across all your environments. This new capability ensures your users benefit from enhanced privacy while maintaining our high-fidelity threat prevention against sophisticated DNS-layer attacks. 

 

For more information on how Advanced DNS Security Resolver with DNS over HTTPS (DoH) strengthens your organization’s DNS layer defense, visit the Advanced DNS Security page or contact a Palo Alto Networks representative. Learn how you can deliver end-to-end encrypted DNS visibility, advanced threat prevention, and AI-powered protection, all managed seamlessly through Strata Cloud Manager.

 
