DNS over HTTPS (DoH) Regulatory Reception Globally
- by Staff
DNS over HTTPS, or DoH, is a protocol that encrypts domain name system queries using HTTPS, thereby masking DNS traffic from intermediaries such as internet service providers (ISPs), network administrators, and national surveillance systems. By routing DNS queries through secure, encrypted HTTPS connections, DoH prevents third parties on the network path from reading the DNS lookups that reveal which websites users are attempting to access. While this enhancement offers greater privacy and security for end-users, it also disrupts long-standing regulatory, commercial, and national security mechanisms that rely on DNS visibility. Consequently, the global regulatory reception to DoH has been mixed, shaped by local priorities ranging from consumer privacy to content control, cybersecurity, and internet sovereignty.
In the United States, the adoption of DoH has largely been welcomed by privacy advocates and technology companies, but it has raised concerns among ISPs, law enforcement, and regulatory bodies. The Federal Communications Commission (FCC) has not taken a direct regulatory stance on DoH itself, but the broader context of net neutrality repeal and deregulation has left ISPs with fewer legal avenues to challenge the deployment of privacy-enhancing technologies. Some ISPs, such as Comcast, initially criticized Google and Mozilla for enabling DoH by default in their browsers, arguing that it would undermine parental controls, enterprise security policies, and public safety systems. However, in the absence of federal data protection laws, there is little regulatory force behind these objections. Meanwhile, browser vendors have pressed forward with DoH adoption, emphasizing user choice and transparency in resolver selection.
The United Kingdom has taken a more critical view. In 2019, the UK’s Internet Services Providers’ Association (ISPA) controversially nominated Mozilla as an “internet villain” for its plans to roll out DoH in Firefox, citing concerns that it would circumvent national content filtering systems, including mechanisms designed to block child abuse material and extremist content. The UK government and law enforcement agencies have expressed reservations about DoH’s potential to thwart legal interception of DNS traffic, which plays a critical role in cybercrime investigations and enforcement of court orders. Although Mozilla and Google have made accommodations—such as limiting DoH rollout to certain markets and allowing enterprise-level opt-outs—the protocol remains under informal scrutiny in the UK, where legislative tools like the Investigatory Powers Act rely on visibility into DNS traffic for operational effectiveness.
In the European Union, the regulatory landscape for DoH is shaped by the General Data Protection Regulation (GDPR), which reinforces the right to data privacy and imposes strict requirements on data processors. From a compliance standpoint, DoH aligns well with the GDPR’s principles by minimizing data exposure and reducing reliance on unencrypted communication channels. However, the EU’s emphasis on data localization and controller accountability creates potential tension. If DoH resolvers are operated by foreign companies—especially U.S.-based firms like Google or Cloudflare—concerns about transatlantic data transfers under the GDPR’s international transfer rules come into play. The invalidation of the Privacy Shield framework by the Court of Justice of the European Union in 2020 has exacerbated these concerns, leading regulators to question whether DoH traffic routed through U.S. entities can be lawfully processed without additional safeguards.
France’s national cybersecurity agency, ANSSI, has explicitly raised alarms about DoH, warning that its use could undermine national cybersecurity operations and frustrate the ability of internet service providers to enforce lawful content restrictions. The agency has encouraged enterprises to disable or override DoH within internal networks and has proposed that public DNS resolvers operating in France comply with regulatory registration and oversight. Germany has taken a more balanced view, with the Federal Office for Information Security (BSI) recommending DoH implementation alongside enterprise DNS logging for security auditing. Still, the broader policy conversation in the EU remains unsettled, reflecting a tension between fostering privacy innovation and maintaining state-level digital governance.
In authoritarian regimes, DoH poses a more existential threat to established models of information control. In China, where the Great Firewall relies heavily on DNS filtering and injection to block access to prohibited content, DoH is viewed as a circumvention tool. Although not explicitly banned, DoH services have been throttled or disrupted at the network level, and some DoH-enabled applications have been targeted for removal from domestic app stores. The Chinese government has instead promoted its own encrypted DNS protocol—DoH China—which enables encryption while preserving state control over resolver infrastructure. Russia has taken a similar approach, implementing laws requiring all DNS traffic to flow through state-approved servers and mandating that ISPs block unauthorized DNS services. In this regulatory climate, DoH services that operate beyond the control of national authorities are likely to face technical censorship or legal prohibition.
In democracies with robust internet freedoms, such as Canada, Australia, and Japan, DoH has been generally well received but not without caveats. Canadian regulators have expressed cautious support, noting its alignment with the country’s privacy values, while raising concerns about the monopolization of DNS traffic by a small number of global providers. Australia’s cybersecurity agencies have warned that unregulated DoH adoption could hamper threat detection and compliance with mandatory data retention laws. Japan, by contrast, has encouraged ISPs to voluntarily adopt encrypted DNS protocols as part of its national cybersecurity strategy, seeing them as compatible with privacy goals and modern digital infrastructure.
The multiplicity of responses reflects the inherently geopolitical nature of DNS regulation. Whereas the DNS was once a centralized and globally coordinated system under ICANN’s stewardship, the advent of encrypted DNS protocols like DoH introduces the possibility of fragmentation—where countries, corporations, and users operate within discrete and incompatible naming and resolution environments. Regulators who fear this outcome argue that DoH undermines the universal addressability of the internet and frustrates legitimate state interests in cybersecurity, consumer protection, and law enforcement. Advocates counter that centralized DNS traffic is a surveillance risk, and that users have a right to determine who processes their DNS queries and under what conditions.
As of now, there is no global consensus on the regulation of DoH, nor a binding international framework governing its use. Most countries are watching and waiting, with some adopting interim technical measures—such as corporate DNS filters, network-level DoH blocking, or resolver whitelisting. At the same time, the technical community continues to evolve the protocol, including newer variants like DNS over TLS (DoT) and the emerging Oblivious DoH (ODoH), which seeks to separate the querying client from the resolving server through proxy infrastructure. These developments may help ease some of the regulatory tensions by enabling privacy without entirely precluding accountability.
In conclusion, the regulatory reception to DNS over HTTPS varies widely across the globe, shaped by each jurisdiction’s priorities in privacy, security, and information control. While the protocol offers significant benefits to end-users, its deployment challenges traditional models of internet governance and forces a reassessment of DNS as both a technical utility and a point of regulatory leverage. As the protocol matures and its adoption widens, stakeholders will need to balance privacy protections with legitimate public policy concerns—ideally through transparent, interoperable standards rather than fractured national mandates.