On January 16, 2025, the Biden administration signed an Executive Order that includes the strongest government mandate for encrypted DNS to date. All federal civilian agencies must implement DNS over HTTPS (DoH) or DNS over TLS (DoT).
What the Order Requires
- Within 90 days — CISA must publish template contract language requiring that any DNS resolver product used by the federal government supports encrypted DNS.
- Within 180 days — Agencies must enable encrypted DNS protocols (DoH or DoT) wherever their existing clients and servers support them.
Notably, the Trump administration’s subsequent cybersecurity executive order in June 2025 preserved these DNS encryption requirements — demonstrating bipartisan consensus that unencrypted DNS is a security liability.
Why Unencrypted DNS Is a Problem
Traditional DNS (UDP/TCP port 53) sends queries and responses in plaintext. Anyone on the network path — ISPs, coffee shop Wi-Fi operators, or attackers — can:
- See every domain you visit
- Modify DNS responses to redirect you to malicious sites
- Block specific domains silently
Encrypted DNS (DoH on port 443, DoT on port 853) wraps queries in TLS, so on-path observers can neither read nor alter them. The resolver you send them to still sees every query, so choosing a trustworthy resolver matters as much as turning encryption on.
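To make the protocol difference concrete, here is a small DNS client, added as an example for this post (it is not HostDNS code or code from the cited sources). It builds a standard DNS query in RFC 1035 wire format, then sends exactly the same bytes either over TLS on port 853 with DoT's two-byte length prefix (RFC 7858) or as an HTTPS POST with the `application/dns-message` content type (RFC 8484). The resolver address, hostname and URL passed to `resolve_dot` and `resolve_doh` are placeholders you supply; the sample response bytes at the bottom are constructed by hand for offline parsing, not captured from a real resolver.

```python
"""Minimal DoT / DoH client with offline-testable wire-format helpers.
Added example, not part of the original post or of HostDNS."""
import socket
import ssl
import struct
import urllib.request

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a DNS query message (RFC 1035 wire format) for `name`.
    Flags 0x0100 = standard query with recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, QCLASS_IN)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg):
    """Parse header, question and answer sections; return rcode and A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                             # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def resolve_dot(name, resolver_ip, server_hostname, port=853):
    """DNS over TLS: same query bytes, framed with a 2-byte length, over TLS/853.
    resolver_ip and server_hostname are placeholders the caller supplies."""
    ctx = ssl.create_default_context()       # verifies the resolver's certificate
    query = build_query(name)
    with socket.create_connection((resolver_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(struct.pack(">H", len(query)) + query)
            (length,) = struct.unpack(">H", tls.recv(2))
            data = b""
            while len(data) < length:
                chunk = tls.recv(length - len(data))
                if not chunk:
                    raise ConnectionError("resolver closed the connection early")
                data += chunk
    resp = parse_response(data)
    if resp["txid"] != 0x1234:               # reject replies that do not match our query
        raise ValueError("transaction id mismatch")
    return resp


def resolve_doh(name, url):
    """DNS over HTTPS: same query bytes as an RFC 8484 POST to the resolver's
    dns-query URL (placeholder supplied by the caller)."""
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


# Constructed sample reply to an A query for example.com (not a real capture):
# response flags 0x8180, one question, one answer via a compression pointer,
# TTL 300, address from the TEST-NET-1 documentation range.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 10])
)
```

Both transports carry the identical message; only the framing and the encryption differ, which is why enabling DoH or DoT "wherever existing clients and servers support them" is mostly a configuration change rather than a redesign. Note that `ssl.create_default_context()` validates the resolver's certificate, which is what actually prevents an on-path party from impersonating the resolver; disabling that check would leave DoT no stronger than port 53.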
What This Means for the Industry
When the U.S. government mandates a security standard, the private sector typically follows. Expect:
- Enterprise DNS vendors to accelerate DoH/DoT support
- Compliance frameworks to start requiring encrypted DNS
- International governments to issue similar mandates
If you’re not using encrypted DNS yet, now is the time to start. HostDNS supports modern DNS protocols and makes it easy to deploy encrypted DNS for your domains. Check our pricing plans to get started.
Sources: ISC Blog, Internet Society, Infoblox