DoH

The same domain can produce different answers in a browser and on the command line. A local DNS server that was configured correctly in the company network may suddenly stop behaving the way it used to after a system update. You may still be looking up standard A, AAAA, or MX records, but packet capture no longer shows the familiar UDP 53 traffic. DoH and DoT are not simply “encrypted DNS”. They change the path DNS takes after it leaves the client, who can see it, and who can control it.