DNS-over-HTTPS (DoH) encrypts DNS queries within the HTTPS protocol (port 443). This prevents third parties — including your internet provider — from seeing which domains you look up.
DoH significantly improves privacy but poses challenges for enterprise security: traditional DNS-based filtering and monitoring tools cannot inspect encrypted DNS queries. Many organizations therefore configure internal DoH resolvers or block external DoH traffic via firewall policy. The alternative, DNS-over-TLS (DoT, port 853), provides the same encryption but is easier to filter because it uses its own dedicated port instead of sharing port 443 with ordinary HTTPS traffic.
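The filtering difference can be seen in a small flow classifier, added here as an illustration and not taken from any product: DoT is identified by port alone, while DoH on port 443 is only recognizable when the TLS server name matches a resolver list. The resolver list is a small sample, and the internal resolver name `doh.corp.example`, the log field names and the flow records are constructed assumptions.

```python
from collections import Counter

DOT_PORT = 853
HTTPS_PORT = 443
# Sample of public DoH resolver hostnames; a real deployment needs a maintained list.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Hypothetical sanctioned internal DoH resolver.
INTERNAL_RESOLVERS = {"doh.corp.example"}

# Constructed flow records: source host, destination port, TLS SNI.
SAMPLE_FLOWS = [
    {"src": "10.0.4.17", "dport": 443, "sni": "www.example.org"},
    {"src": "10.0.4.17", "dport": 443, "sni": "dns.google"},
    {"src": "10.0.4.22", "dport": 853, "sni": "dns.quad9.net"},
    {"src": "10.0.4.31", "dport": 443, "sni": "doh.corp.example"},
    {"src": "10.0.4.31", "dport": 443, "sni": "Cloudflare-DNS.com."},
    {"src": "10.0.4.40", "dport": 443, "sni": None},  # SNI missing or hidden
]

def classify(flow):
    """Label one flow; DoT needs only the port, DoH needs a name match."""
    sni = (flow.get("sni") or "").rstrip(".").lower()  # normalize case and trailing dot
    if flow["dport"] == DOT_PORT:
        return "dot"
    if flow["dport"] == HTTPS_PORT:
        if sni in INTERNAL_RESOLVERS:
            return "doh-internal"
        if sni in KNOWN_DOH_HOSTS:
            return "doh-external"
        # Ordinary web traffic, or DoH to a resolver that is not on the list.
        return "https-unclassified"
    return "other"

def summarize(flows):
    """Count flows per label."""
    return Counter(classify(f) for f in flows)

def external_encrypted_dns_sources(flows):
    """Hosts bypassing the internal resolver (assumed policy: all DNS goes through it)."""
    flagged = {"dot", "doh-external"}
    return sorted({f["src"] for f in flows if classify(f) in flagged})

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_FLOWS)))
    print(external_encrypted_dns_sources(SAMPLE_FLOWS))
```

The `https-unclassified` bucket is where the monitoring gap sits: without a matching server name, a DoH session looks like any other HTTPS connection.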