DNS Over HTTPS and DoT Legacy TLD vs New gTLD Implications

The implementation of DNS over HTTPS (DoH) and DNS over TLS (DoT) has introduced significant changes to how domain name system queries are handled, encrypted, and secured across the internet. These protocols were designed to enhance user privacy by encrypting DNS traffic between the client and its resolver, preventing network-level interference, and reducing the risk of DNS-based attacks such as man-in-the-middle interception and spoofing. While these advancements offer security benefits, they also introduce operational and policy challenges for both legacy top-level domains such as .com, .net, and .org and the newer generic top-level domains that emerged under ICANN’s expansion program. The implications of DoH and DoT differ between these two categories, largely due to differences in their infrastructure, regulatory considerations, and relationships with internet service providers, enterprises, and cybersecurity organizations.

Legacy TLDs operate some of the most extensive DNS infrastructures in the world, processing billions of queries daily through globally distributed authoritative name servers. Because these registries were established long before encrypted DNS became a widely discussed security enhancement, their architectures were initially designed around traditional DNS protocols that rely on unencrypted UDP or TCP transport. Over the years, legacy TLD operators have implemented security enhancements such as DNSSEC to provide cryptographic integrity for DNS responses, but the actual transmission of queries between clients, resolvers, and authoritative servers remained largely unencrypted. The introduction of DoH and DoT has required legacy TLD registries to assess how these encryption protocols impact query resolution performance, compliance with existing security monitoring policies, and overall system stability.

One of the primary concerns for legacy TLD operators regarding DoH and DoT is the shift in DNS resolution control. Historically, DNS queries were processed through a hierarchy where ISPs, enterprises, and security providers had visibility into DNS traffic, allowing them to filter, analyze, and enforce network policies. With DoH in particular, DNS queries are encrypted within HTTPS requests, preventing third parties, including ISPs and network administrators, from intercepting or modifying queries. This has raised concerns among legacy TLD operators who rely on DNS visibility for mitigating abuse, tracking query trends, and ensuring compliance with national and industry regulations. The widespread adoption of DoH has the potential to disrupt existing security monitoring practices, making it more difficult for registries, ISPs, and cybersecurity firms to identify malicious domain activity, detect botnet command and control traffic, and enforce parental control or enterprise security policies.

New gTLDs, benefiting from launching in an era where encrypted DNS was an emerging topic, have had more flexibility in designing their infrastructures to accommodate DoH and DoT integration. Many new gTLD registries have partnered with cloud-based DNS providers and security services that natively support encrypted DNS, allowing them to build their ecosystems with DoH and DoT compatibility in mind. Because new gTLDs operate in a more competitive market where adoption depends on security and performance, many have positioned themselves as early adopters of encrypted DNS protocols, promoting privacy-focused features to attract users concerned about censorship, surveillance, and data manipulation. Some new gTLD registries actively encourage the use of DoH and DoT to differentiate themselves from legacy registries that have traditionally operated under more centralized policy frameworks.

Performance optimization is another area where legacy and new gTLD registries experience different implications of DoH and DoT adoption. Legacy TLDs, managing some of the highest query volumes on the internet, must ensure that encrypted DNS queries do not introduce additional latency or degrade resolution efficiency. Traditional DNS operates primarily over UDP, allowing for low-latency, single-round-trip query resolution, whereas DoH, being HTTP-based, introduces additional overhead from the TCP and TLS handshakes, per-message encryption, and the potential for increased congestion at centralized DoH resolvers. Legacy TLD operators have had to assess whether large-scale DoH adoption could lead to bottlenecks in recursive resolver performance, increased load on authoritative name servers, or unintended traffic routing shifts that affect global query distribution.

New gTLDs, many of which operate on cloud-based infrastructure, have taken advantage of global load balancing and traffic optimization strategies to ensure that DoH and DoT queries are handled efficiently. Some new gTLD registries work closely with major DoH resolver providers such as Cloudflare, Google, and Quad9 to optimize query routing, ensuring that encrypted DNS traffic is processed with minimal latency. Additionally, because many new gTLDs operate at smaller scales compared to legacy registries, they have greater flexibility in implementing DoH and DoT policies without the risk of overwhelming their infrastructure.

Security and abuse mitigation are significant factors in the adoption of DoH and DoT for both legacy and new gTLDs. Legacy TLD registries have traditionally relied on DNS traffic analysis to detect malicious activity, block harmful domains, and enforce security policies. With DoH encrypting DNS traffic, legacy registries face the challenge of reduced visibility into query patterns, potentially allowing malicious actors to evade detection. This has raised concerns about DoH being used to bypass network-based security controls, enabling attackers to conceal communications with malicious domains and preventing enterprises from enforcing DNS-based security policies. Some legacy TLD operators have explored alternative methods of maintaining security visibility, such as encouraging the adoption of DNSSEC alongside DoH to ensure domain authenticity or working with cybersecurity firms to develop encrypted DNS monitoring solutions that balance privacy with security enforcement.
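The paragraph above notes that enterprises lose the ability to enforce DNS-based policy once clients switch to encrypted resolvers. One way network defenders regain part of that visibility is to look at connection metadata rather than query content: DoT uses a dedicated port (853), DoH typically goes to a small set of well-known resolver hostnames observable in the TLS Server Name Indication, and plaintext DNS sent to any resolver other than the organization's own indicates bypass. The example below is added here and is not part of the original article; it runs that triage over a constructed CSV connection log. The approved-resolver address `10.0.0.2`, the log lines, and the hostname list are assumptions (the hostnames are ones operated by the public resolver providers the article names, but an operator would maintain its own list).

```python
import csv
import io
from collections import Counter

# Constructed sample connection log (assumption; not from any real network).
SAMPLE_LOG = """ts,src_ip,dst_ip,dst_port,sni
2024-01-01T10:00:01,10.0.0.5,10.0.0.2,53,
2024-01-01T10:00:02,10.0.0.5,8.8.8.8,853,dns.google
2024-01-01T10:00:03,10.0.0.7,1.1.1.1,443,cloudflare-dns.com
2024-01-01T10:00:04,10.0.0.7,203.0.113.10,443,www.example.com
2024-01-01T10:00:05,10.0.0.9,9.9.9.9,53,
"""

# The enterprise's own recursive resolvers (assumption for the example).
APPROVED_RESOLVERS = {"10.0.0.2"}

# Sample list of public DoH endpoint hostnames; a real deployment would
# keep this list current from the providers' published documentation.
KNOWN_DOH_ENDPOINTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

def classify(row: dict):
    """Return a finding type for one connection record, or None if benign."""
    port = int(row["dst_port"])
    sni = row["sni"].strip().lower()
    if port == 853:
        # DoT is identifiable by port alone, even though the payload is encrypted.
        return "dot"
    if port == 443 and sni in KNOWN_DOH_ENDPOINTS:
        # DoH blends in with HTTPS; the SNI to a known resolver is the tell.
        return "doh"
    if port == 53 and row["dst_ip"] not in APPROVED_RESOLVERS:
        # Plaintext DNS that skips the internal resolver bypasses policy too.
        return "external-plain-dns"
    return None

def find_bypass(log_text: str):
    """Scan a CSV connection log and list every resolver-bypass finding
    as (src_ip, finding_type, dst_ip, sni)."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        kind = classify(row)
        if kind is not None:
            findings.append((row["src_ip"], kind, row["dst_ip"], row["sni"]))
    return findings

def summarize(findings):
    """Count findings per (source host, type) for an analyst's overview."""
    return Counter((src, kind) for src, kind, _, _ in findings)

if __name__ == "__main__":
    for f in find_bypass(SAMPLE_LOG):
        print(f)
    print(summarize(find_bypass(SAMPLE_LOG)))
```

Two caveats belong with this approach. SNI inspection stops working where TLS Encrypted Client Hello is deployed or where the DoH endpoint shares an IP address with ordinary web content on the same CDN, so a hostname list is a heuristic, not a boundary. The durable control is the complementary one: route every client to the organization's own resolver (which can itself offer DoH and DoT) and treat anything else as policy drift to investigate, which is the kind of balance between privacy and enforcement the paragraph above describes.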

New gTLD registries, having been designed with modern security frameworks, have integrated automated threat intelligence systems that do not solely rely on traditional DNS visibility. Many use real-time domain reputation scoring, AI-driven abuse detection, and API-based security monitoring to track malicious activity even in environments where DoH and DoT are widely deployed. Some new gTLDs have positioned themselves as privacy-first alternatives, actively promoting the use of encrypted DNS while implementing abuse mitigation measures that rely on alternative security models. However, new gTLDs must also address the risk that DoH and DoT could facilitate domain abuse by allowing cybercriminals to register and use domains without being detected by traditional DNS-based monitoring systems.

Another key consideration in the adoption of DoH and DoT for both legacy and new gTLDs is regulatory compliance. Legacy TLDs operate under long-established legal frameworks that require registries to cooperate with law enforcement, government agencies, and industry regulators in monitoring domain activity. The adoption of encrypted DNS introduces potential conflicts between privacy protections and legal obligations, particularly in jurisdictions with strict requirements for data retention, content filtering, or cybersecurity oversight. Legacy TLD operators must navigate these challenges while ensuring that they remain compliant with ICANN policies, national laws, and global cybersecurity standards.

New gTLDs, many of which were launched with specific market segments in mind, must also consider how DoH and DoT adoption impacts their compliance requirements. Some new gTLDs, particularly those operating in regulated industries or geographic regions with strict cybersecurity laws, may need to implement DNS policies that allow for controlled DoH and DoT deployment while ensuring that they can comply with legal inquiries and security mandates. Other new gTLDs, particularly those positioned as privacy-centric alternatives, may take a more aggressive approach in promoting encrypted DNS while advocating for policy changes that balance security with user privacy.

The widespread adoption of DoH and DoT is reshaping how both legacy and new gTLD registries manage DNS security, privacy, and performance. Legacy TLDs face challenges in adapting to an environment where traditional DNS visibility is reduced, requiring them to explore alternative security enforcement mechanisms and infrastructure optimizations. New gTLDs, benefiting from modern infrastructure and flexible security models, have greater agility in adopting encrypted DNS while addressing potential abuse concerns. As DoH and DoT continue to gain adoption, both legacy and new gTLD operators must refine their policies, technical implementations, and security strategies to balance the evolving landscape of internet privacy and security while ensuring the continued reliability of the global domain name system.
