Resolver Based Solutions

Encrypted DNS Resolver

Privacy-preserving DNS resolution with DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) support. Encrypts every query between your users and the resolver, preventing ISPs, network operators and malicious actors from observing or tampering with DNS traffic.

What this solution delivers

DNS-over-TLS (DoT)

DNS queries are carried inside a TLS session on a dedicated port (853, RFC 7858). No observer on the network path can see which domains your users look up. The resolver authenticates itself to the client with a TLS certificate; this defeats man-in-the-middle attacks only when the client runs in strict mode (the authenticated profile of RFC 8310) and validates the certificate against the configured resolver name. Opportunistic clients accept any certificate or fall back to plaintext, so an on-path attacker can downgrade them.

DNS-over-HTTPS (DoH)

DNS queries are sent as HTTP requests inside an ordinary HTTPS connection (port 443, RFC 8484). Because that is the port every website uses, DoH is harder to block and harder to tell apart from web browsing, which helps on networks that filter port 853, such as restrictive corporate networks or public Wi-Fi. It is not invisible, though: the resolver's IP address and the TLS Server Name Indication remain exposed, so DoH blends in best when the endpoint also serves other web content.

Query Privacy

Neither your ISP, network administrator nor any intermediary on the network path can see the content of your DNS queries. This protects against passive surveillance, targeted data collection and metadata analysis of browsing behaviour.

European Data Sovereignty

The encrypted resolver operates on European infrastructure. Client addresses and query logs are processed within the European Economic Area and never leave it unless you explicitly configure it to do so. Resolution itself still requires the resolver to contact authoritative servers wherever they are hosted; those servers see queries coming from the resolver's own address, reduced by QNAME minimisation to the labels they need. This supports GDPR compliance and data sovereignty requirements.

Full DNSSEC Validation

Encryption protects the transport; DNSSEC validates the content. The encrypted resolver performs full DNSSEC validation on every response and reports the result in the AD (Authenticated Data) bit. Because the client-to-resolver channel is itself authenticated and encrypted, an on-path attacker cannot forge that bit, which is what makes resolver-side validation trustworthy for clients that do not validate themselves.

TLS 1.3 with Forward Secrecy

All encrypted connections use TLS 1.3, which provides forward secrecy for every full handshake: a private key compromised in the future cannot decrypt recorded past sessions. Resumed sessions keep this property as long as resumption includes a fresh (EC)DHE exchange (the psk_dhe_ke mode); 0-RTT early data is the one exception, because it is protected only by the resumption secret.

Technical Details

How Encrypted Resolution Works

When a user's device sends a DNS query, instead of transmitting it in plaintext over UDP port 53, the client sends it through a TLS session (DoT) or as an HTTP request inside an HTTPS connection (DoH). The encrypted query travels to the resolver, where it is decrypted, resolved normally (including DNSSEC validation), and the response is encrypted and returned over the same session. No network intermediary between the client and the resolver can read or alter the query. The protection is hop-by-hop, though: the resolver itself necessarily sees every query in plaintext, and its own queries to authoritative servers are generally sent over plain port 53, which is where QNAME minimisation (below) limits what each upstream server learns.
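The two transports differ only in how the same wire-format message is carried. The following is an added example, not Sokomi's code: it builds a query with the DNSSEC OK bit set, frames it for DoT (RFC 7858 two-octet length prefix) and encodes it for a DoH GET (RFC 8484 base64url), then parses a constructed response, checking the transaction ID and the AD flag. The resolver URL dns.example.net and the addresses are placeholders.

```python
"""Added example (not Sokomi code): client-side framing of one DNS query for DoT
and DoH, and parsing of a constructed response. Resolver name/URL are placeholders."""
import base64
import secrets
import struct
from typing import Optional

TYPE_A, TYPE_OPT = 1, 41


def encode_name(name: str) -> bytes:
    """'www.example.com.' -> length-prefixed labels ending with the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = TYPE_A, txid: Optional[int] = None) -> bytes:
    """RFC 1035 query (RD=1) plus an EDNS(0) OPT RR with DO=1 so DNSSEC data is returned.
    The ID is randomised by default; pass txid=0 for DoH GETs so they are HTTP-cacheable."""
    if txid is None:
        txid = secrets.randbelow(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags (DO), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)
    return header + question + opt


def dot_frame(msg: bytes) -> bytes:
    """RFC 7858: messages on the TLS stream carry the two-octet length prefix used over TCP."""
    return struct.pack("!H", len(msg)) + msg


def dot_unframe(stream: bytes) -> tuple[list[bytes], bytes]:
    """Split bytes read from the TLS socket into whole messages. One read may contain
    several pipelined responses or only part of one; the unconsumed tail is returned."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, stream[pos:]


def doh_get_url(template: str, msg: bytes) -> str:
    """RFC 8484 GET: base64url without '=' padding in the `dns` parameter. (A POST sends
    the raw bytes with Content-Type: application/dns-message instead.)"""
    return template + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_name(msg: bytes, pos: int) -> tuple[str, int]:
    """Read a name at pos, following compression pointers; returns (name, offset after it)."""
    labels, end, jumped, hops = [], pos, False, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the remaining labels
            if not jumped:
                end = pos + 2
            pos, jumped, hops = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF, True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", end if jumped else pos


def parse_response(msg: bytes, expected_id: int) -> dict:
    """Check the ID, pull out RCODE and the AD (authenticated data) flag, and list answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expected_id:
        raise ValueError("transaction ID mismatch")
    pos = 12
    for _ in range(qd):
        _, pos = decode_name(msg, pos)
        pos += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, pos = decode_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": answers}


def constructed_response(txid: int) -> bytes:
    """Constructed sample response: flags QR|RD|RA|AD, the echoed question, and one A record
    whose owner name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x81A0, 1, 1, 0, 0)
    question = encode_name("www.example.com.") + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("www.example.com.", txid=0x1234)
    print("DoT frame:", dot_frame(q).hex())
    print("DoH GET  :", doh_get_url("https://dns.example.net/dns-query", build_query("www.example.com.", txid=0)))
    print("Parsed   :", parse_response(constructed_response(0x1234), 0x1234))
```

The transaction ID check and the pointer-hop limit are the two defensive details worth copying: over TLS the ID no longer defends against spoofing, but it still detects a mismatched or replayed response on a pipelined connection, and an unbounded pointer loop in an attacker-supplied response is a classic way to hang a naive parser.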

Client Configuration

Most modern operating systems and browsers support DoH and DoT natively. Windows 11, macOS, iOS, Android and all major browsers (Chrome, Firefox, Edge, Safari) can be configured to use an encrypted resolver. Sokomi provides configuration guides for all supported platforms, and for enterprise deployments, settings can be pushed via group policy or MDM.
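As an added configuration example (not one of Sokomi's guides), a strict DoT profile for a Linux client running systemd-resolved. The resolver address 192.0.2.53 and the name dns.example.net are placeholders; substitute the values from your deployment.

```ini
# /etc/systemd/resolved.conf.d/encrypted-dns.conf  (placeholder resolver values)
[Resolve]
# address#name: the name is used for SNI and for certificate validation (strict profile, RFC 8310)
DNS=192.0.2.53#dns.example.net
# empty the compiled-in fallback list so queries never silently go to a public resolver
FallbackDNS=
# "yes" fails closed. "opportunistic" accepts an unauthenticated server and drops back to
# plaintext if TLS seems unavailable, so an on-path attacker can strip the encryption.
DNSOverTLS=yes
DNSSEC=yes
```

Apply with `systemctl restart systemd-resolved`; `resolvectl status` then shows whether DNS-over-TLS is active for the configured server. Choose `DNSOverTLS=yes` rather than `opportunistic` wherever the resolver is reachable, since the opportunistic mode gives up exactly the authentication that makes the transport trustworthy.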

QNAME Minimisation

The resolver implements QNAME minimisation (RFC 9156), which reduces the amount of information sent to upstream authoritative servers during the resolution process. Instead of sending the full domain name to every server in the resolution chain, only the minimum necessary labels are sent at each step, further protecting user privacy.
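The effect is easiest to see as the sequence of names each server in the delegation chain receives. The following is an added example, not Sokomi's resolver code: it models which QNAME a minimising resolver sends at each step, starting from the closest delegation it already has cached, and contrasts that with the unminimised behaviour. The step limits are this example's choice, modelled on the limits RFC 9156 suggests for very deep names, and the report assumes a delegation at every label.

```python
"""Added example (not Sokomi code): which QNAMEs a minimising resolver sends to each
server in the delegation chain. Step limits are this example's choice, modelled on the
limits RFC 9156 suggests for deep names."""


def split_labels(name: str) -> list[str]:
    return [l for l in name.rstrip(".").split(".") if l]


def join_labels(labels: list[str]) -> str:
    return ".".join(labels) + "."


def minimised_qnames(qname: str, known_zone: str = ".",
                     one_label_steps: int = 4, max_steps: int = 10) -> list[str]:
    """Return the QNAME sent at each step, starting below the closest delegation the
    resolver already knows (known_zone). One label is added per step for the first
    one_label_steps steps; for deeper names the remaining labels are spread evenly over
    the remaining steps so that at most max_steps round trips precede the full query."""
    full, known = split_labels(qname), split_labels(known_zone)
    if known and full[len(full) - len(known):] != known:
        raise ValueError("known_zone must be an ancestor of qname")
    new_labels = len(full) - len(known)
    if new_labels == 0:  # asking for the zone apex itself: nothing left to hide
        return [join_labels(full)]
    steps, have, out = min(new_labels, max_steps), len(known), []
    for i in range(steps):
        add = 1 if i < one_label_steps else -(-(len(full) - have) // (steps - i))  # ceil
        have += add
        out.append(join_labels(full[len(full) - have:]))
    return out


def unminimised_qnames(qname: str, hops: int) -> list[str]:
    """Without minimisation every server in the chain sees the full name."""
    return [join_labels(split_labels(qname))] * hops


def exposure_report(qname: str, known_zone: str = ".") -> list[tuple[str, str]]:
    """Pair each minimised query with the zone whose servers answer it (assuming a
    delegation at every label), to audit what the root, TLD and other operators learn."""
    seq = minimised_qnames(qname, known_zone)
    return list(zip([known_zone] + seq[:-1], seq))


if __name__ == "__main__":
    for zone, sent in exposure_report("www.example.com."):
        print(f"servers for {zone:<14} see {sent}")
    print("without minimisation:", unminimised_qnames("www.example.com.", 3))
    print("deep name:", minimised_qnames("a.b.c.d.e.f.g.h.i.j.k.l."))
```

With a warm cache the benefit is larger than the simple picture suggests: once the delegation for example.com. is cached, the only query that leaves the resolver for www.example.com. goes to example.com.'s own servers, and the root and .com operators see nothing at all.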

Performance

TLS session resumption (0-RTT where supported) minimises the latency overhead of encrypted connections. After the initial handshake, subsequent queries on the same connection add negligible latency, and connection pooling with keep-alive keeps TLS sessions in use rather than renegotiating per query. Note that 0-RTT early data can be replayed by an attacker and is not forward-secret; DNS queries are idempotent, so replay is largely harmless, but deployments wanting the strictest guarantees leave 0-RTT disabled.

Logging Policy

The encrypted resolver can be configured with a strict no-query-logging policy for maximum privacy, or with configurable query logging for security monitoring and compliance. When logging is enabled, data is retained according to your specified retention period and processed in accordance with GDPR. Query logs are never shared with third parties.

Regulatory Context

The TDDDG (German Telecommunications Digital Services Data Protection Act) and the ePrivacy Directive both recognise the importance of communications confidentiality. Encrypted DNS resolution supports compliance with these frameworks by ensuring that DNS queries, which can reveal sensitive information about user behaviour, are protected from interception.

Who benefits from this solution

Organisations concerned about ISP surveillance or metadata collection of DNS queries

Enterprises requiring data sovereignty with DNS queries resolved within Europe

Remote and hybrid workforces using untrusted networks (public Wi-Fi, hotels, co-working spaces)

Government and defence agencies requiring encrypted communications at every layer

Privacy-conscious organisations subject to GDPR and TDDDG

Healthcare, legal and financial services where query metadata constitutes sensitive information

Common questions about this solution

For most enterprise deployments, DoT is recommended because it uses a dedicated port (853) that is easy to identify and manage in network policy. DoH is preferable where port 853 is blocked, such as on restrictive guest networks, or where you want DNS traffic to blend in with web traffic on port 443. Sokomi supports both protocols and can advise on the best choice for your environment.

Encrypted DNS prevents passive observation and modification of query content by network intermediaries (ISPs, Wi-Fi operators, on-path attackers). It does not hide that a resolver is being used: the resolver's IP address, the port (853 for DoT) and usually the TLS Server Name Indication remain visible, and packet timing and sizes are open to traffic analysis. It also does nothing against a compromised or untrustworthy resolver, which necessarily sees every query in plaintext. The privacy gained therefore depends on who operates the resolver and what it logs, which is why a dedicated resolver operated by Sokomi under the logging policy above, rather than a public third-party service, provides stronger privacy guarantees.

Yes. The encrypted resolver can be deployed as a forwarder or overlay alongside your existing recursive infrastructure. You can configure specific clients or network segments to use the encrypted resolver while others continue using your existing setup, allowing a phased migration.

All query data is processed on European infrastructure operated by Sokomi, and client addresses and query logs never leave the EEA. This supports data sovereignty requirements and GDPR compliance. We do not share query data with any third party.

Protect the privacy of your DNS queries

Connect with our team to deploy an encrypted resolver that keeps your DNS traffic confidential and your query data within European jurisdiction.