Interoperability with Emerging DNS Standards: DoH and DoT Considerations

As the 2026 round of ICANN’s New gTLD Program approaches, applicants are preparing to operate in a far more complex technical environment than existed during the 2012 application cycle. Among the most important developments since that time is the widespread adoption of encrypted DNS protocols—namely DNS over HTTPS (DoH) and DNS over TLS (DoT). These standards, which encrypt DNS queries to enhance user privacy and security, have rapidly become integral components of modern DNS resolution architecture. For new gTLD applicants, understanding how their proposed top-level domains will interoperate with these emerging standards is not only a technical requirement but also a strategic imperative.

DNS over HTTPS and DNS over TLS were developed to address long-standing concerns about the transparency and vulnerability of traditional DNS traffic. Historically, DNS queries were sent in plain text, making them susceptible to interception, surveillance, manipulation, and censorship. With the introduction of DoH and DoT, DNS traffic can be encrypted in transit, preventing unauthorized actors from viewing or altering queries. These protocols are now supported by major browsers, operating systems, and DNS resolvers, including Google Chrome, Mozilla Firefox, Microsoft Windows, Apple iOS, and public DNS providers like Cloudflare, Google Public DNS, and Quad9.

For gTLD operators, this shift raises several key considerations. First and foremost is the need for compatibility with encrypted resolution ecosystems. DoH and DoT encrypt the leg between the end user's stub resolver and the recursive resolver; the recursive resolver still reaches authoritative name servers over conventional DNS, so a registry's exposure to these protocols is indirect but real. While DoH and DoT are designed to be backward-compatible with traditional DNS infrastructure, there are nuances in how different resolver implementations handle zone configuration, query caching, and failover behavior. New gTLD registries must ensure that their authoritative name servers are discoverable and responsive under both traditional and encrypted resolver scenarios. This involves rigorous configuration testing, support for EDNS(0) extensions, and compliance with DNSSEC best practices, all of which contribute to ensuring trust and integrity regardless of the transport protocol used.
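The following added example (not from the article or any registry's code) shows what an interoperability tester for the above paragraph actually has to get right at the wire level: a DNS query carrying an EDNS(0) OPT record with the DNSSEC OK bit, its encoding into the RFC 8484 DoH GET form, and the response header flags (RCODE, AA, AD) to inspect. The endpoint `doh.example` and the name `www.shop.example` are placeholders; the response header is constructed.

```python
import base64
import struct

# Constructed values, not from the article: a placeholder DoH endpoint and a
# name under a hypothetical new gTLD.
DOH_ENDPOINT = "https://doh.example/dns-query"
EDNS_UDP_SIZE = 1232          # payload size advertised in the OPT record
DO_BIT = 0x00008000           # EDNS(0) DNSSEC OK flag (OPT TTL field)
# Constructed header of a validated NXDOMAIN answer: QR, RD, RA, AD set, RCODE 3.
SAMPLE_NXDOMAIN_HEADER = b"\x00\x00\x81\xa3\x00\x01\x00\x00\x00\x01\x00\x01"


def encode_name(name: str) -> bytes:
    """Dotted name to wire format: length-prefixed labels, root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format query with RD set plus an EDNS(0) OPT record carrying the
    DO bit, so a DNSSEC-validating resolver returns signatures and AD status.
    DoH clients use txid 0 so identical queries produce cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP size, TTL = flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, DO_BIT, 0)
    return header + question + opt


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: base64url of the wire message, '=' padding removed."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).decode().rstrip("=")


def decode_dns_param(param: str) -> bytes:
    """Server side of the same rule: restore the padding before decoding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_flags(response: bytes) -> dict:
    """Header bits a registry tester checks on a wire-format response."""
    _txid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {"rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020),
            "ancount": an, "arcount": ar}
```

A real test would POST `build_query(...)` with `Content-Type: application/dns-message` (or GET `doh_get_url(...)`) against the resolvers the article lists and compare the parsed flags with a plain UDP/TCP query to the registry's own authoritative servers.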

Another critical consideration is resolver policy alignment. Many DNS resolvers that support DoH and DoT now operate with stricter filtering policies, especially when it comes to blocking domains associated with malware, phishing, or other forms of DNS abuse. Given that ICANN’s 2026 round places renewed emphasis on DNS abuse mitigation, applicants must be prepared to work within these tighter policy environments. Failure to do so may result in newly delegated TLDs being partially or entirely inaccessible via encrypted resolvers if flagged for abuse or misconfiguration. Proactive engagement with resolver operators and threat intelligence communities can help new gTLD operators stay ahead of policy enforcement risks and maintain global reachability.

Interoperability with encrypted DNS also introduces challenges related to performance monitoring and analytics. Traditional DNS operators have long relied on passive DNS monitoring to analyze query patterns, detect anomalies, and optimize performance. With the rise of DoH and DoT, much of this visibility is reduced, particularly when resolvers aggregate queries or mask end-user IP addresses. This creates a tension between user privacy and operational insight. Registry operators must therefore adopt new observability techniques, such as deploying authoritative server-side telemetry, participating in cooperative data-sharing initiatives, and using synthetic transaction monitoring to approximate real-world resolution behavior.

For some applicants, especially those pursuing .brand TLDs or specialized community TLDs, the encrypted DNS environment offers unique opportunities for innovation. By coordinating with resolver providers or deploying their own DoH/DoT-capable recursive infrastructure, these operators can build trusted DNS pathways for their users, ensuring both privacy and authenticity. This is particularly relevant for TLDs tied to sensitive sectors such as finance, healthcare, or education, where data integrity and confidentiality are paramount. Operators might consider offering DoH endpoints under their own TLD—such as doh.example or resolver.brand—which can act as trusted recursive resolvers that are tightly integrated with their content delivery or identity verification systems.

Security compliance is another area where DoH and DoT play a central role in shaping registry obligations. ICANN’s updated Registry Agreement includes specific provisions requiring gTLD operators to implement and maintain measures against DNS abuse, and this includes consideration of how DNS resolution interacts with encryption protocols. Applicants must be ready to demonstrate their capability to interoperate with DoH and DoT while still detecting, reporting, and mitigating harmful activity. Tools that support encrypted threat detection—such as anomaly detection based on response patterns, honeypots, and behavior-based analysis—are becoming essential components of a registry’s technical toolkit.
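As an added illustration of the authoritative-side telemetry and response-pattern anomaly detection mentioned in this paragraph and in the observability paragraph above (example code, not from the article or any registry): with DoH/DoT the authoritative server sees only the recursive resolver's address, so baselines are computed per resolver, and a source is flagged only when its responses are mostly NXDOMAIN for mostly unique names, which distinguishes probing from a large resolver that simply aggregates many users. The log lines, addresses and names are constructed.

```python
from collections import defaultdict

# Constructed authoritative-server response log (not from the article).
# Fields: source resolver IP, RCODE, queried name. Addresses are from the
# documentation ranges; "shop.example" stands in for a name under a new gTLD.
SAMPLE_LOG = """\
203.0.113.10 NOERROR www.shop.example
203.0.113.10 NOERROR api.shop.example
203.0.113.10 NXDOMAIN typo.shop.example
203.0.113.10 NOERROR www.shop.example
203.0.113.10 NOERROR mail.shop.example
203.0.113.10 NOERROR www.shop.example
198.51.100.7 NXDOMAIN a1b2c3.shop.example
198.51.100.7 NXDOMAIN x9y8z7.shop.example
198.51.100.7 NXDOMAIN q4w5e6.shop.example
198.51.100.7 NXDOMAIN m3n2b1.shop.example
198.51.100.7 NXDOMAIN k7j6h5.shop.example
198.51.100.7 NOERROR www.shop.example
192.0.2.99 NXDOMAIN gone.shop.example
"""


def summarize(log_text: str) -> dict:
    """Per-source counters: total responses, NXDOMAIN count, distinct names."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "names": set()})
    for line in log_text.splitlines():
        src, rcode, qname = line.split()
        s = stats[src]
        s["total"] += 1
        s["nxdomain"] += rcode == "NXDOMAIN"
        s["names"].add(qname.lower())
    return stats


def flag_sources(log_text, min_queries=5, nx_ratio=0.6, distinct_ratio=0.8):
    """Flag sources whose response pattern is mostly NXDOMAIN for mostly
    unique names. Low-volume sources are skipped so a single typo from a
    small resolver does not trip the detector; a high-volume aggregating
    resolver with a normal NXDOMAIN ratio is left alone."""
    flagged = {}
    for src, s in summarize(log_text).items():
        if s["total"] < min_queries:
            continue
        nx = s["nxdomain"] / s["total"]
        distinct = len(s["names"]) / s["total"]
        if nx >= nx_ratio and distinct >= distinct_ratio:
            flagged[src] = {"queries": s["total"], "nxdomain_ratio": round(nx, 2)}
    return flagged
```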

Additionally, new gTLD applicants should account for regulatory variances that affect encrypted DNS usage. In some jurisdictions, DoH and DoT are actively encouraged as part of national cybersecurity strategies, while in others, they may be restricted or closely monitored. Applicants operating or marketing their TLDs in such regions must navigate the policy landscape carefully, ensuring their DNS infrastructure complies with local laws while still aligning with global best practices. This may involve implementing resolver fallback mechanisms, geo-targeted resolver configurations, or public engagement to address concerns about DNS encryption and transparency.

Another evolving trend is the integration of DoH and DoT into enterprise network environments, where internal DNS routing policies may conflict with the default behavior of operating systems or browsers that prioritize encrypted external resolvers. For applicants offering TLDs with enterprise or industrial use cases, such as .bank, .cloud, or .tech, it is important to consider how their TLD will behave in hybrid DNS environments. Compatibility testing with enterprise-grade firewalls, DNS proxies, and split-horizon configurations becomes necessary to avoid unintentional inaccessibility or DNS resolution loops.

ICANN itself has recognized the growing impact of DoH and DoT and has begun integrating these considerations into the New gTLD Program’s technical evaluation criteria. Applicants will need to answer more detailed questions about how their registry infrastructure supports secure resolution, what protocols they implement, and how they address encrypted DNS compatibility. ICANN’s technical panels will assess not only the availability of DNS services but also the resilience and adaptability of registry systems to future protocol shifts.

In conclusion, the rise of encrypted DNS standards such as DoH and DoT marks a major evolution in the architecture of internet naming and resolution. For applicants in the 2026 New gTLD Program, ensuring interoperability with these protocols is no longer optional—it is an operational necessity and a competitive advantage. Success in this environment depends on technical preparedness, cross-sector collaboration, and a deep understanding of the privacy and performance implications of DNS encryption. As the DNS landscape continues to evolve, those who embrace these standards with clarity and foresight will be best positioned to offer secure, accessible, and future-proofed top-level domains in the next era of internet expansion.
