Encrypted DNS bypasses local policy when a browser, operating system, VPN, or application sends lookups directly to a different recursive resolver instead of the local policy resolver. Reproduce the failure on one affected device, prove where its fresh query arrives, align that resolver path with the intended policy, and retest without disabling encryption broadly.
Treat this as a routing diagnosis, not a reason to add a stronger blocklist. Preserve the affected device, exact hostname, network, rule, expected action, and five-minute window before changing settings. If the expected resolver never receives the query, editing its local rule cannot fix the path that actually won.
Prove the query took a side door
DNS over HTTPS and DNS over TLS encrypt traffic between a client and its selected resolver. RFC 8484 explicitly recognizes that applications can use a resolver identified by a URI, while RFC 9076 describes application-specific resolver selection outside the system resolver.12 Encryption therefore changes transport visibility; resolver selection changes which policy can act.
- Reproduce one fresh lookup from the affected device on the failing network and note the exact time.
- Confirm whether the expected local or managed resolver received that query and which action it returned.
- Compare the browser, operating-system, VPN, security agent, and application resolver choices.
- Repeat with one known allowed hostname and one harmless provider-owned blocked test hostname.
- Change only the selector proven to send the query outside the intended policy path.
Absence at the local resolver is the key clue. Do not infer bypass merely because the site loaded: a browser may reuse an address, connection, or cached asset without a fresh lookup. Conversely, a query at a remote resolver proves routing, but not deliberate evasion. Defaults, enterprise policy, VPN behavior, and app configuration can all select it.
Inventory every resolver selector
Write the resolution chain from application to recursive resolver. Begin with browser Secure DNS or application-specific DNS, then inspect the operating-system encrypted DNS profile, VPN-provided DNS, security software, router advertisement or DHCP information, and manual settings. Check both IPv4 and IPv6, plus the device’s behavior after moving between Wi-Fi, cellular, office, and guest networks.
Compare observed traffic with intended ownership. A company-managed browser may be expected to follow an approved resolver template, while an unmanaged application may follow the system resolver. A VPN may intentionally own DNS for the tunnel. Document which control is authoritative rather than stacking contradictory settings and hoping the local router wins.
DNS filtering's reach stays narrow whichever transport is used. It can act on domain lookups and policy outcomes. It cannot read page contents, full URLs, search terms, in-app chats, voice audio, or full browser history. If the intended resolver returns the expected result but the application still works, investigate cached connections, proxies, alternate hostnames, or application behavior above DNS.
Choose a policy-compatible encrypted path
The clean fix is usually to align encryption and policy, not choose one against the other. Point managed clients to an approved encrypted resolver that applies the required policy, configure supported applications to use the system resolver, or define which VPN resolver owns the connection. On networks with split DNS, preserve access to private names and document how roaming devices behave away from that network.
If an application cannot use an approved path, decide at the policy-owner level whether it should be supported, isolated, or denied. Do not silently create a broad domain allow to compensate: the original queries still bypass the local policy, and the new allow weakens correctly routed resources. Likewise, do not intercept encrypted DNS in a way that users mistake for end-to-end privacy.
Verify bypass closure with two results
After one change, repeat the original network and device test. Confirm that the fresh query reaches the intended resolver over the approved transport, matches the expected resource and rule, and returns the expected action. Then verify a representative allowed workflow so the correction has not broken authentication, updates, or another required dependency.
Repeat once after a network transition because resolver selection can change with context. Record the old resolver, winning selector, approved endpoint, matched policy action, test results, owner, and review trigger. Prefer aggregate health afterward. Open detailed retained activity only for the named resource and short troubleshooting window, then close the review.
Avoid privacy-hostile shortcuts
- Do not disable encrypted DNS across every device before proving which selector caused the mismatch.
- Do not block arbitrary HTTPS destinations merely because they might carry DNS over HTTPS.
- Do not treat every remote resolver choice as malicious or every missing local log as user intent.
- Do not weaken shared enforced policy with a local allow intended to conceal a routing problem.
- Do not retain a broad activity window when one device, hostname, and timestamp answer the question.
Encrypted-path questions
Does encrypted DNS automatically defeat every local DNS rule?
No. Encryption protects the transport to a chosen resolver; it does not determine that resolver’s policy. A device can use an encrypted endpoint that applies the intended rules. Bypass occurs when the chosen resolver or scope differs from the policy path you expected.
Should a network block all DNS over HTTPS traffic?
Not as a first troubleshooting move. HTTPS-based DNS can be difficult to distinguish from other HTTPS, and indiscriminate blocking can damage privacy and unrelated applications. Prefer managed resolver settings, documented approved endpoints, and evidence that one specific path conflicts with policy.
Can DNS logs prove what someone viewed?
No. A DNS event shows a lookup and policy outcome, not page contents or intent. Applications, redirects, prefetching, and embedded resources also generate lookups. Use the smallest relevant time window to diagnose the resolver path, not to reconstruct a person’s browsing.
Align one Veilty resource path
In Veilty, inspect one resource inside its household Space or team Tenant. Reusable baseline and enforced policies can apply across those boundaries; a resource may override baseline policy when permitted, but cannot weaken enforced policy. Account invitations grant membership only, and an accepted member needs an assigned Space or Tenant role for scoped access. Retained activity belongs to its Space or Tenant, is end-to-end encrypted with user-held keys, and is visible only through permitted roles, while the resolver necessarily processes live requests. Managed BYOD support is planned for enterprise use, so diagnose currently supported resources without implying personal-device management. Align one approved encrypted path, then verify one allowed and one blocked result.