DNS over HTTPS and TLD Governance: Collision or Cooperation

The emergence of DNS over HTTPS, commonly abbreviated as DoH, represents a significant evolution in the way DNS queries are transmitted across the internet. Originally designed to improve user privacy and security, DoH encrypts DNS queries and responses between clients and resolvers by sending them over HTTPS, the same protocol used for securing web traffic. While this approach can prevent third-party eavesdropping and mitigate manipulation of DNS traffic by intermediaries such as ISPs or public Wi-Fi operators, it has also introduced new complexities and tensions within the ecosystem of top-level domain (TLD) governance. The question now facing the internet governance community is whether DoH presents an unavoidable collision with established DNS management frameworks or whether it opens a pathway for greater cooperation among technical operators, policy authorities, and service providers.

Under the traditional DNS model, a stub resolver on the user's device sends queries in plaintext (UDP or TCP port 53) to a recursive resolver, typically operated by the user's ISP or a public DNS service. The recursive resolver then walks the hierarchy on the client's behalf, querying a root server, the authoritative servers for the relevant TLD, and finally the authoritative servers for the domain itself. This architecture, while functional and scalable, has long raised concerns about privacy and surveillance: the plaintext query stream reveals browsing patterns, visited hosts and sometimes sensitive intent before any TLS session is established, to anyone on the path between device and resolver. DoH, specified by the IETF in RFC 8484 and deployed first by browser vendors such as Mozilla and Google, counters this by carrying DNS messages over HTTPS between client software (such as a web browser) and a trusted resolver. Note what it does not cover: the hop from the recursive resolver to the root, TLD and domain authoritative servers remains plaintext unless the resolver separately deploys encrypted transport to authoritative servers, and the chosen resolver itself still sees every query in the clear.
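What actually changes on the wire, as an added illustration written for this page (it is not code from any browser or resolver vendor): the DNS message keeps its RFC 1035 wire format, and DoH merely wraps it in an HTTPS request to the resolver's URL template, either as a base64url-encoded `dns` query parameter on GET or as an `application/dns-message` POST body. The endpoint `https://dns.example/dns-query` and the 192.0.2.1 answer are placeholders, and the response is constructed locally so the script runs offline and performs no network I/O.

```python
import base64
import struct

# Hypothetical resolver URL template (placeholder, not a real service).
DOH_ENDPOINT = "https://dns.example/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a one-question DNS query in RFC 1035 wire format with RD set.

    RFC 8484 recommends transaction ID 0 for DoH so that identical queries
    produce identical, HTTP-cacheable requests.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form: the wire-format query, base64url-encoded without padding."""
    encoded = base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(endpoint: str, query: bytes) -> dict:
    """POST form: raw wire-format query as the body, with the DoH media type."""
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "accept": "application/dns-message",
            "content-type": "application/dns-message",
        },
        "body": query,
    }


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at offset, following RFC 1035 compression pointers.

    Returns the dotted name and the offset just past the name as it appears
    at the original position (a pointer occupies two bytes there).
    """
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:  # guard against malicious pointer loops
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length == 0:
            return ".".join(labels), end if end is not None else offset + 1
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(msg: bytes) -> dict:
    """Parse the header and answer section of an application/dns-message body."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def constructed_response() -> bytes:
    """A hand-built answer for example.com/A (constructed for this example).

    Flags 0x8180 = QR|RD|RA with RCODE 0; the answer name is a pointer
    (0xC00C) back to the question name at offset 12; 192.0.2.1 is
    documentation address space, not a real host.
    """
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, q))
    print(doh_post_request(DOH_ENDPOINT, q)["headers"])
    print(parse_response(constructed_response()))
```

The point to take from this is that nothing in the message changes: a middlebox that could parse port 53 traffic could parse this body just as easily, which is exactly why the TLS wrapper, not the format, is what removes the local network's visibility.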

This architectural shift, however, bypasses the local DNS resolution path that ISPs, enterprise networks and national infrastructure operators have traditionally controlled, and with it the points at which TLD oversight was exercised in practice. In traditional settings, TLD registries and their partners could work with local network providers and national governments to ensure regulatory compliance, enforce content restrictions and apply geographic policies at the resolver. With DoH, resolution becomes more centralized and abstracted from the local environment: depending on the browser, the client may default to a preselected global resolver such as Cloudflare's 1.1.1.1 or Google Public DNS, or upgrade to DoH only when the network's existing resolver is known to support it. A remote resolver may sit in a different jurisdiction and operate under different policies, which limits the ability of TLD authorities to observe query flows, detect abuse or enforce geographic restrictions.

Moreover, the opacity introduced by encrypted DNS makes it harder for registry operators, network defenders and cybersecurity professionals to monitor abuse patterns that rely on DNS behaviour. Threat actors routinely register and weaponize domain names for phishing, botnet command and control, and other malicious campaigns, and DNS traffic analysis at the local resolver has long been a primary way to spot and block them. Under DoH the local network sees only TLS connections to a resolver, not the names being resolved, so that visibility survives only where the resolver operator itself cooperates with security operations. Authoritative TLD servers still see the queries, but increasingly from a few large anycast resolver networks rather than from thousands of ISP and enterprise resolvers, which blurs the geographic and per-network signals registries used to rely on. This dependence on the policies and practices of DoH resolver operators shifts a portion of governance power from the multistakeholder environment of ICANN and TLD registries to a smaller number of dominant technology companies.

National governments and regulators have expressed concern over this shift. In some jurisdictions, the use of encrypted DNS to circumvent local DNS filters has been viewed as a threat to national sovereignty or content regulation regimes. For example, countries with strict internet controls could see DoH as a mechanism to bypass state-mandated DNS blocklists, undermining their ability to enforce local laws. In response, some governments have proposed or implemented restrictions on DoH usage or mandated the use of specific resolvers within their borders. These moves, however, risk fragmenting the DNS into inconsistent experiences across jurisdictions and diluting the global interoperability that underpins the internet.

Despite these concerns, DoH also offers opportunities for cooperation and improved user protections, particularly if implemented with sensitivity to the broader internet governance ecosystem. TLD operators and registry service providers can engage with DoH resolver operators to establish data-sharing frameworks that protect user privacy while still allowing for security threat mitigation. For example, anonymized telemetry or abuse-flagging mechanisms can help maintain situational awareness without exposing individual users' query histories. Additionally, technical standards bodies such as the IETF, where DoH was specified as RFC 8484, provide forums in which stakeholders can collaboratively address emerging challenges and promote implementation best practices.

ICANN, while not a regulatory authority over DNS resolution methods, has acknowledged the implications of DoH for TLD governance and the broader DNS infrastructure. Through its Security and Stability Advisory Committee (SSAC) and the Office of the CTO, ICANN has initiated studies and consultations to understand how encrypted DNS affects root server traffic, name collision risk, and abuse detection. These efforts aim to inform the ICANN community and foster a dialogue that bridges the technical, policy, and operational perspectives surrounding DoH.

Furthermore, the development of adaptive governance models may allow for the coexistence of DoH and traditional DNS while preserving the core values of the DNS system: openness, neutrality, and decentralization. Solutions such as DoH-aware enterprise policies (for instance, a network signalling through a canary domain that its own resolver should be used, or a managed browser configuration that pins the resolver), user opt-in configurations, resolver authentication, and public disclosure of resolver data-handling practices can mitigate many of the friction points. If resolver operators commit to respecting TLD-specific requirements and abuse mitigation efforts, they can become constructive partners rather than disruptive intermediaries.
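What a network defender can still observe once query contents are encrypted, and what the enterprise policy hooks above look like in data, as an added example written for this page (not code from any vendor or from the ICANN work described here). The two log formats and every log line are constructed for the example; the hostnames and addresses in the known-resolver sets are the public DoH endpoints their operators publish, and `use-application-dns.net` is the canary name Firefox resolves before enabling DoH by default, which it leaves disabled when the local resolver answers NXDOMAIN. The detection rests on two residual signals: a client must first resolve the DoH server's hostname through the local resolver (the bootstrap lookup), and DoH to a resolver on a dedicated anycast address shows up as TLS to that address on port 443.

```python
from collections import defaultdict

# Constructed sample logs for this example; both formats are hypothetical.
# DNS log:  <timestamp> <client-ip> <qname> <qtype> <rcode>
DNS_LOG = """\
2024-05-01T09:00:01 10.0.0.5 use-application-dns.net A NXDOMAIN
2024-05-01T09:00:01 10.0.0.5 mozilla.cloudflare-dns.com A NOERROR
2024-05-01T09:00:02 10.0.0.7 intranet.corp.example A NOERROR
2024-05-01T09:00:03 10.0.0.9 dns.google AAAA NOERROR
2024-05-01T09:00:04 10.0.0.7 www.example.com A NOERROR
"""
# Connection log: <timestamp> <src-ip> <dst-ip> <dst-port> <proto>
CONN_LOG = """\
2024-05-01T09:00:02 10.0.0.5 1.1.1.1 443 tcp
2024-05-01T09:00:04 10.0.0.9 8.8.8.8 443 tcp
2024-05-01T09:00:05 10.0.0.7 192.0.2.80 443 tcp
2024-05-01T09:00:06 10.0.0.7 8.8.8.8 53 udp
"""

# Published endpoints of widely used public DoH resolvers. Keep such a list
# current; anything not on it produces no indicator.
KNOWN_DOH_HOSTS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net",
}
KNOWN_DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
# Firefox resolves this name before enabling DoH by default; an NXDOMAIN from
# the local resolver tells it to keep using the network's resolver.
CANARY = "use-application-dns.net"


def parse_dns_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        ts, client, qname, qtype, rcode = line.split()
        events.append({"ts": ts, "client": client,
                       "qname": qname.lower().rstrip("."),
                       "qtype": qtype, "rcode": rcode})
    return events


def parse_conn_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        events.append({"ts": ts, "src": src, "dst": dst,
                       "dport": int(dport), "proto": proto})
    return events


def find_doh_indicators(dns_events: list[dict], conn_events: list[dict]) -> dict:
    """Map client IP -> indicators that it resolves names via DoH rather than
    the local resolver. Only clients with at least one indicator appear."""
    indicators = defaultdict(list)
    for e in dns_events:
        # Bootstrap: the DoH server's own name is resolved through the local path.
        if e["qname"] in KNOWN_DOH_HOSTS:
            indicators[e["client"]].append(f"bootstrap lookup of {e['qname']}")
    for c in conn_events:
        # TLS to a dedicated public-resolver address; port 53 here is plain DNS,
        # which is visible anyway and not what we are hunting.
        if c["dst"] in KNOWN_DOH_IPS and c["dport"] == 443:
            indicators[c["src"]].append(f"tls to public resolver {c['dst']}:443")
    return dict(indicators)


def canary_signal_present(dns_events: list[dict]) -> bool:
    """True when every observed canary query got NXDOMAIN, i.e. the local
    resolver is signalling default-mode Firefox clients to stay on it."""
    seen = [e for e in dns_events if e["qname"] == CANARY]
    return bool(seen) and all(e["rcode"] == "NXDOMAIN" for e in seen)


if __name__ == "__main__":
    dns = parse_dns_log(DNS_LOG)
    conn = parse_conn_log(CONN_LOG)
    print("canary opt-out signalled:", canary_signal_present(dns))
    for client, why in sorted(find_doh_indicators(dns, conn).items()):
        print(client, "->", "; ".join(why))
```

In the sample, 10.0.0.5 bootstraps Cloudflare's Mozilla endpoint even though the canary was answered NXDOMAIN, which is consistent with a user who enabled DoH explicitly rather than by default (the canary only governs the default). The limits matter as much as the hits: a client whose resolver address is cached or hard-coded never performs the bootstrap lookup, and DoH to an endpoint hosted on a shared CDN address is indistinguishable from any other HTTPS to that CDN, so the TLS indicator only works for resolvers on dedicated addresses.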

The broader trend toward DNS encryption, including DNS over TLS (DoT) and emerging protocols like Oblivious DoH (ODoH), signals that the trajectory toward greater privacy in DNS resolution is unlikely to reverse. The challenge for TLD governance is not to resist this trend, but to adapt to it in ways that preserve accountability, resilience, and trust in the DNS. Through coordinated policy engagement, technological innovation, and mutual transparency, the apparent collision between DoH and TLD governance can be transformed into a model of modern cooperation.

The intersection of DNS over HTTPS and TLD governance thus reflects a deeper evolution in the internet’s architecture and governance philosophy. It forces stakeholders to confront difficult questions about jurisdiction, control, user rights, and public interest in an increasingly encrypted and decentralized digital world. Whether this leads to a fractured and polarized DNS ecosystem or to a more secure and collaborative infrastructure will depend on the willingness of TLD registries, resolver operators, regulators, and users to engage constructively and uphold the shared values that have sustained the internet for over three decades.

