How to block DoH with BlueCat’s threat feed option

The use of DNS over HTTPS (DoH) is surging. That’s bad news for security admins. If you’re looking to block DoH, BlueCat’s threat feed makes it easy.

DNS over HTTPS (DoH) is a method of encrypting DNS queries that has gained a lot of traction recently. It carries ordinary DNS queries inside HTTPS (RFC 8484), so on the wire they look like any other TLS session to port 443. In February 2020, DoH was turned on by default in the Firefox browser for users in the United States.

Now ordinary users are jumping on the bandwagon. When the pandemic left everyone working from home, BlueCat noticed a 1,500% increase in DoH domain queries across its customer base. That dramatic surge in DoH usage continues to this day.

Opinions vary on the benefits of DoH, but one thing’s for sure: it leaves network and security administrators with no visibility into those queries. A DoH client talks directly to a public resolver over HTTPS, so the enterprise’s own resolvers never see the lookup, and the query logging, response policy zones and threat feeds that run on them are bypassed. If you’re charged with protecting a corporate network, you’re probably going to want to prevent users from accessing DoH services across the enterprise.

If you’re using a centralized DNS management platform like BlueCat, it’s easy to block DoH by adding known DoH resolvers to a response policy zone (RPZ): when a client asks the enterprise resolver for a public DoH server’s hostname, the RPZ answers NXDOMAIN and the client cannot bootstrap the encrypted session. One caveat: this only works for clients that resolve the DoH server’s name through your DNS. A client configured with the resolver’s IP address never asks, so an egress firewall rule for those addresses is still needed alongside the RPZ. The longer-term challenge is adding any new DoH services that appear in the future to that block list.

BlueCat has made it easy by creating a new threat feed specifically for known DoH resolvers. BlueCat has long used threat feeds to bolster defense-in-depth. To disable DoH across the enterprise, all you have to do is enable this threat feed for DoH in either DNS Edge or DNS Integrity, and you’ll be all set. 
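The RPZ mechanism described above, as an added example that is neither BlueCat code nor the contents of its feed: a Python script that writes a BIND-style response policy zone blocking DoH resolvers by name and by address, plus a matcher for checking what a given lookup will hit. The resolver names and addresses are a constructed sample; the canary domain is the one Firefox documents, and the rpz-ip owner-name encoding follows the BIND reference manual.

```python
import ipaddress

# Constructed sample of public DoH resolver hostnames; a real list comes from the feed.
DOH_HOSTNAMES = ["dns.google", "cloudflare-dns.com", "dns.quad9.net"]
# Resolver addresses, used for rpz-ip triggers (see the comment on build_rpz_zone).
DOH_IPS = ["8.8.8.8", "149.112.112.112", "2606:4700:4700::1111"]
# Firefox's canary domain: an NXDOMAIN answer tells the browser to keep DoH off.
FIREFOX_CANARY = "use-application-dns.net"


def rpz_ip_owner(addr: str) -> str:
    """Owner name of an rpz-ip trigger matching answers that contain addr.

    BIND writes the address reversed, prefixed with its length:
      149.112.112.112  -> 32.112.112.112.149.rpz-ip
      2001:db8::1      -> 128.1.zz.db8.2001.rpz-ip  ('zz' stands for '::')
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "32." + ".".join(reversed(str(ip).split("."))) + ".rpz-ip"
    comp = ip.compressed
    if "::" in comp:
        left, right = comp.split("::")
        groups = ([g for g in reversed(right.split(":")) if g] + ["zz"]
                  + [g for g in reversed(left.split(":")) if g])
    else:
        groups = list(reversed(comp.split(":")))
    return "128." + ".".join(groups) + ".rpz-ip"


def build_rpz_zone(hostnames, ips, serial=1, canary=FIREFOX_CANARY) -> str:
    """Return a BIND zone file for an RPZ that answers NXDOMAIN for DoH resolvers.

    'CNAME .' is the RPZ action for NXDOMAIN. QNAME triggers (the bare names and
    their '*.' wildcards) fire on what the client asks for; rpz-ip triggers fire
    on answers that contain a listed address, which catches alternative names
    for the same endpoint. Neither stops a client that already has the IP
    configured and never queries at all; that needs an egress firewall rule.
    """
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. ( {serial} 3600 900 604800 300 )",
        "  IN NS localhost.",
    ]
    for name in hostnames:
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")  # also catches vendor-specific subdomains
    lines.append(f"{canary} CNAME .")       # exact match only
    for addr in ips:
        lines.append(f"{rpz_ip_owner(addr)} CNAME .")
    return "\n".join(lines) + "\n"


def rpz_blocks(qname: str, hostnames, canary=FIREFOX_CANARY) -> bool:
    """Mirror the zone's QNAME matching so you can check what a lookup will hit."""
    q = qname.rstrip(".").lower()
    if q == canary.lower():
        return True
    return any(q == n.lower() or q.endswith("." + n.lower()) for n in hostnames)


if __name__ == "__main__":
    print(build_rpz_zone(DOH_HOSTNAMES, DOH_IPS, serial=2024010101))
```

On a BIND resolver the generated file is loaded with `response-policy { zone "<zone name>"; };` in `named.conf`; the BlueCat feed produces the equivalent policy for you. Whichever way the zone is deployed, verify it from a client with `dig` against the enterprise resolver: a blocked name must come back NXDOMAIN, and the canary name must as well, or Firefox will keep using DoH.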

How to deploy the DoH threat feed in DNS Integrity

  1. Log into BlueCat Address Manager.
  2. Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you’re on the configuration information page.
  3. Under DNS Views, click a DNS View and then the Response Policy Zones sub-tab.
  4. Under Response Policy Zones, click New and select Response Policy Zone.
  5. Under General, add the name of the response policy zone.
  6. Under Type, select the “BlueCat Threat Protection DoH Public Servers” option and apply other deployment parameters as desired.
  7. Click Update.

How to deploy the DoH threat feed in DNS Edge

  1. Log into the DNS Edge user interface.
  2. In the top navigation bar, select Policies.
  3. Select an existing policy that uses the BlueCat Threat Protection domain list, and click Edit.
  4. Select the BlueCat Threat Protection DoH Public Servers option.
  5. Click Save and Apply.

BlueCat is keeping an eye out for any new DoH resolvers and adding them to the threat feed. As a result, you’re covered even as DoH usage evolves.

Our care portal contains more information about DoH threat feed options, including detailed technical notes. You can also learn more about the pros and cons of DoH in a webinar with BlueCat’s Chief Strategy Officer Andrew Wertkin.



BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.
