Technically U

Released: 2026-06-20
© Technically U
259 Episodes
Audio
Listen on Apple Podcasts
Most Recent Episode
The DNS Encryption War: Why Privacy Tools and Security Teams Are Fighting Over DoH
Time: 28:23
DNS over HTTPS (DoH) encrypts the internet's phonebook, and it is breaking traditional network security. Here's what IT professionals need to know about DoH in 2026, why enterprises are concerned, and how to adapt.

🔐 WHAT IS DNS OVER HTTPS

THE PROBLEM DoH SOLVES:
- Traditional DNS = plaintext UDP/TCP on port 53 (unencrypted since the protocol's 1983 design)
- ISPs, network operators, anyone on the same WiFi can see every domain you resolve
- DNS queries reveal: health research, job hunting, political views, all browsing activity
- Government censorship via DNS blocking
- DNS hijacking (spoofed answers) on public WiFi

HOW DoH WORKS:
- Wraps DNS messages inside HTTPS requests on port 443 (GET with a base64url "dns" parameter, or POST with an application/dns-message body)
- Encrypted and authenticated with TLS, the same as any secure website
- Network observers see ordinary HTTPS to a resolver; they can't read the queries
- Standardized as RFC 8484 (2018)

DoH vs DoT (DNS over TLS, RFC 7858):
- DoT: dedicated port 853, so networks can identify and block it by port alone
- DoH: port 443, the standard HTTPS port, so it blends in with web traffic
- Both: same encryption strength (TLS)
- DoH: better privacy, harder to block
- DoT: easier for enterprises to monitor and control

⚠️ WHY ENTERPRISES ARE CONCERNED

BROWSER-LEVEL DoH BYPASSES CORPORATE DNS:
- Firefox enables DoH by default (85%+ US users in 2026)
- Chrome's automatic mode upgrades to DoH when the device's configured resolver is a known provider that offers it; it does not switch providers, and Chrome turns Secure DNS off when it detects enterprise policies or parental controls
- When a browser talks to an external DoH resolver, the corporate resolver and every control attached to it are bypassed

WHAT GETS BROKEN:
1. Malware blocking (can't filter queries to C2 servers)
2. Content filtering (parental controls, workplace policies)
3. Threat detection (can't log DNS queries to identify infections)
4. Data loss prevention (can't block file-sharing, personal email)
5. Incident response (DNS logs don't exist for forensics)
6. Compliance (regulatory requirements to monitor traffic)

REAL ATTACKS USING DoH:
- Godlua (2019): Lua-based DDoS malware that used DoH to hide its C2 lookups
- ShadowPad backdoor (2024): encrypted DNS tunneling
- 87% of organizations experienced DNS attacks in 2026
- Malware increasingly adopts encrypted DNS to evade detection

NSA WARNING (January 2021, still relevant in 2026):
"Enterprises should avoid external DoH resolvers. Deploy internal DoH/DoT resolvers and block external endpoints."

🛠️ HOW ENTERPRISES ARE ADAPTING

SOLUTION 1: Deploy Internal DoH/DoT Resolvers
- Windows Server 2025: DoH support added February 2026
- Run a corporate DoH server with threat intelligence and filtering
- Push the resolver to devices via MDM or Group Policy
- Result: encrypted DNS plus enterprise security controls

SOLUTION 2: Block External DoH Providers
- Because DoH uses port 443, block by resolver address and hostname rather than by port: Cloudflare (1.1.1.1, cloudflare-dns.com), Google (8.8.8.8, dns.google), Quad9 (9.9.9.9, dns.quad9.net), etc.
- Configure browser enterprise policies to disable DoH (Chrome: DnsOverHttpsMode = off; Firefox: the DNSOverHTTPS policy with Enabled = false and Locked = true)
- Challenge: 931+ active DoH resolvers globally (can't block all)

SOLUTION 3: Firefox Canary Domain
- Before enabling DoH by default, Firefox resolves "use-application-dns.net" through the system resolver
- If the corporate resolver answers NXDOMAIN (or returns no A/AAAA records), Firefox leaves DoH off
- Limitations: only Firefox honors it (Chrome has no canary domain), and it does not override a user who turned DoH on explicitly; Firefox also respects the DNSOverHTTPS enterprise policy

SOLUTION 4: Roaming Client Agents
- Deploy agents on devices (Cloudflare Gateway, Cisco Umbrella, DNSFilter)
- Route DoH through the corporate resolver
- Works on BYOD and for remote workers
- Identity-aware policies even when the traffic is encrypted

SOLUTION 5: Shift to Endpoint Security
- Network visibility lost → endpoint visibility gained
- EDR (Endpoint Detection and Response) monitors device processes and their connections
- TLS certificate monitoring, IP reputation, traffic patterns
- Complement, don't replace, DNS security

📊 CURRENT STATE (2026)

ADOPTION RATES:
- Firefox: 85%+ US users on DoH
- Chrome: auto-enabled since 2020
- Android: "Private DNS" setting (DoT); iOS/macOS: encrypted DNS via configuration profiles or apps
- Windows 11: DoH configuration built in
- Windows Server 2025: DoH server support (Feb 2026)

JANUARY 2025 US EXECUTIVE ORDER:
- Mandated DNS encryption for federal systems
- Accelerated enterprise adoption
- Government agencies deploying internal DoH/DoT resolvers
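The wire-level mechanics behind "wraps DNS messages inside HTTPS" and the Firefox canary check in Solution 3, as an added example in Python that is not from the podcast or from any browser's code: it builds a DNS query, encodes it the way RFC 8484 specifies for GET and POST, parses a resolver's answer, and applies a simplified model of Firefox's canary heuristic. The resolver URL https://dns.example/dns-query, the name corp.example, the address 10.0.0.53 and every response are constructed; the canary rule is an assumption that approximates Firefox's documented behaviour (NXDOMAIN or no A/AAAA records leaves DoH off), not Mozilla's implementation.

```python
"""Added example (not from the podcast): RFC 8484 DoH message encoding and the
Firefox canary-domain check. Standard library only, no network access. Responses
and names marked 'constructed' are made up for illustration."""
import base64
import struct

CANARY = "use-application-dns.net"   # Firefox's canary domain named in the show notes


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS query with ID 0 (RFC 8484 recommends it so responses cache well), RD set, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url: str, msg: bytes) -> str:
    """GET form (RFC 8484 section 4.1): base64url without '=' padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def doh_post_request(base_url: str, msg: bytes) -> dict:
    """POST form: the raw message is the body, typed application/dns-message."""
    return {"method": "POST", "url": base_url, "body": msg,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"}}


def decode_dns_param(param: str) -> bytes:
    """Undo doh_get_url: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def build_response(name: str, rcode: int = 0, addrs=(), ttl: int = 300) -> bytes:
    """Constructed resolver answer: QR/RD/RA set, given RCODE, A records for the question name."""
    flags = 0x8180 | (rcode & 0xF)
    msg = struct.pack("!HHHHHH", 0, flags, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for addr in addrs:   # 0xC00C = compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in addr.split("."))
    return msg


def _parse_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (dotted name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Decode header, question and answer sections; A records become dotted quads."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _parse_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def firefox_canary_disables_doh(resp: bytes) -> bool:
    """Simplified model of Firefox's heuristic (assumption, not Mozilla's code): an NXDOMAIN or
    other error, or an answer with no A/AAAA records, tells Firefox to leave DoH off. Only the
    default heuristic mode consults the canary; a user who enabled DoH explicitly is unaffected."""
    r = parse_response(resp)
    return r["rcode"] != 0 or not any(rt in (1, 28) for _, rt, _, _ in r["answers"])


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://dns.example/dns-query", q))      # matches RFC 8484's own example
    print(doh_post_request("https://dns.example/dns-query", q)["headers"])
    print("canary NXDOMAIN disables DoH:", firefox_canary_disables_doh(build_response(CANARY, rcode=3)))
    print(parse_response(build_response("corp.example", addrs=["10.0.0.53"])))  # constructed answer
```

The GET form for www.example.com reproduces the base64url string printed in RFC 8484 itself, which makes a handy known-answer test when you stand up an internal DoH resolver. Note the query ID of 0 and the stripped padding: both matter if a proxy or IDS tries to reassemble and log the query.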
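Solutions 2 and 5 in practice: detection logic over a TLS connection log, added here as an example in Python that is not from the podcast or from any vendor product. It flags DoT by its port, DoH by the TLS server name of known public resolvers, falls back to the destination address when there is no SNI, exempts the corporate resolver, and prints an nftables rule for the address block. The log lines, the 10.20.1.x hosts, the corporate resolver doh.corp.example at 10.0.0.53, the nftables table and chain names, and the completeness of the resolver lists are all assumptions; the lists hold a few well-known public endpoints only.

```python
"""Added example (not from the podcast): flag encrypted-DNS traffic in a TLS connection log
and emit a block rule for known public resolvers. Every log line, host and address below is
constructed for illustration; the resolver lists are partial and must be kept current."""
from collections import defaultdict

# Well-known public DoH endpoints and resolver addresses (partial: the notes count 900+ DoH resolvers)
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google",
                   "dns.quad9.net", "doh.opendns.com"}
KNOWN_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}
# The corporate DoH resolver that is allowed to carry encrypted DNS (hypothetical name)
ALLOWED_DOH_HOSTS = {"doh.corp.example"}

# Constructed log: ts, src_ip, dst_ip, dst_port, TLS server_name ('-' when the ClientHello had no SNI)
SAMPLE_LOG = """\
1718880001 10.20.1.15 1.1.1.1 443 cloudflare-dns.com
1718880002 10.20.1.15 142.250.72.14 443 www.google.com
1718880003 10.20.1.22 8.8.8.8 443 -
1718880004 10.20.1.22 10.0.0.53 443 doh.corp.example
1718880005 10.20.1.31 9.9.9.9 853 -
1718880006 10.20.1.31 203.0.113.9 443 dns.example.org
1718880007 10.20.1.40 198.51.100.7 443 mozilla.cloudflare-dns.com
"""


def parse_line(line: str) -> dict:
    ts, src, dst, port, sni = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port),
            "sni": None if sni == "-" else sni.lower()}


def classify(rec: dict):
    """Return a rule name when the connection looks like encrypted DNS that bypasses the
    corporate resolver, None otherwise. Rules run from strongest to weakest signal."""
    sni = rec["sni"]
    if sni in ALLOWED_DOH_HOSTS:
        return None
    if rec["port"] == 853:                 # DoT has its own port, so the port alone identifies it
        return "dot-port-853"
    if sni in KNOWN_DOH_HOSTS:             # DoH hides in 443, so the TLS SNI is the first clue
        return "doh-known-sni"
    if rec["dst"] in KNOWN_RESOLVER_IPS:   # no SNI (or encrypted SNI): fall back to the destination
        return "doh-known-resolver-ip"
    if sni and sni.startswith("dns."):     # weak heuristic, for hunting rather than blocking
        return "doh-suspicious-sni"
    return None


def scan(log_text: str) -> list:
    """Run classify() over every log line and return the matching records with their rule."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            rule = classify(rec)
            if rule:
                alerts.append({**rec, "rule": rule})
    return alerts


def per_source(alerts: list) -> dict:
    """Count alerts per source host; repeat offenders are the ones to pull EDR telemetry for."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["src"]] += 1
    return dict(counts)


def nft_block_rule(ips=KNOWN_RESOLVER_IPS, ports=(443, 853)) -> str:
    """nftables rule dropping TCP to known public resolvers (assumes table 'inet filter', chain
    'forward'). DoH over HTTP/3 uses UDP 443 and needs a matching udp rule, not shown here."""
    ip_set = ", ".join(sorted(ips))
    port_set = ", ".join(str(p) for p in ports)
    return f"add rule inet filter forward ip daddr {{ {ip_set} }} tcp dport {{ {port_set} }} drop"


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['port']} sni={a['sni']} [{a['rule']}]")
    print(per_source(found))
    print(nft_block_rule())
```

The weakest rule (any server name starting with dns.) is there for hunting, not blocking, and the address rule cannot keep up with 900+ resolvers or with a resolver fronted by a shared CDN address; that gap is why the notes pair the block list with a roaming agent or endpoint telemetry rather than trusting it alone.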
Episode ID: 1000773531294
GUID: 23eaf05e-e8e0-42de-94ba-ffed8d987db9
Release Date: 20/06/2026, 11:41:08

Description

One podcast keeps IT pros ahead of career-ending surprises. You're in cybersecurity, networking, or IT leadership. You know the feeling: scrambling to explain a breach, outage, or AI disruption you should have seen coming. Technically U gives you a weekly briefing of 20 minutes or more that makes you the smartest person in every meeting.
What we actually cover:
Why your MFA isn't protecting you like you think
AI tools that will replace jobs vs. ones that will save them
Cloud architecture mistakes costing companies millions
Your competitors are already listening. New episodes every Thursday
