Native DNS Encryption

Built on encrypted DNS by design, not as an optional add-on.

All Hafnova services are designed to operate over encrypted DNS. We do not currently offer a public recursive service over plain DNS, and services cannot be accessed without encrypted transport.

For organizations that must preserve local non-encrypted DNS compatibility, this can be handled internally through Dohzel Proxy inside the trusted network perimeter.

Encrypted DNS is no longer optional

Hafnova considers DNS encryption a baseline for modern digital privacy. DNS requests can expose:

  • which services or websites a user accesses
  • when those services are accessed
  • browsing patterns over time
  • behavioral habits
  • infrastructure usage and digital dependencies

Unencrypted DNS over public networks is easy to:

  • read
  • intercept
  • store
  • analyze
  • profile at scale

Privacy should not depend on network luck

Without encryption in transit, passive observers may infer critical DNS metadata:

  • what domain is being requested
  • at what moment
  • by which network path
  • at what frequency

DNS confidentiality should be protected by design whenever possible.

DNS data is small, but highly revealing

Even with encrypted application traffic, plaintext DNS can leak meaningful behavioral intelligence:

  • visited websites
  • application usage patterns
  • business tools and cloud services in use
  • access times and activity habits
  • personal or organizational behavioral fingerprints

Encrypted by default across Hafnova services

  • encrypted DNS is the expected operating path
  • plain public DNS is not the default access method
  • service consumption is aligned with modern confidentiality requirements

Public plain-DNS recursion is deliberately not provided at this stage, so as not to reintroduce an avoidable privacy weakness.

Where Dohzel Proxy fits

In environments that still need local plaintext DNS, Dohzel Proxy provides a practical bridge:

  • keep local DNS usage simple for internal systems
  • handle non-encrypted DNS inside the local network
  • forward requests securely toward Hafnova services using encrypted DNS
  • preserve compatibility while improving privacy beyond the local perimeter

Architectural principle

  • if DNS must remain unencrypted somewhere, keep it local
  • once traffic leaves the internal network, protect it
  • do not expose public-facing services through avoidable plaintext DNS paths
  • reduce the opportunity for passive interception and profiling
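The bridge described above, as an added illustration that is not Dohzel Proxy's or Hafnova's code: a minimal Python stub that accepts plaintext DNS on loopback only and forwards every query to a DNS-over-HTTPS upstream (RFC 8484 GET form; the page does not name which encrypted transport Hafnova uses), dropping queries on error instead of falling back to plaintext. The upstream URL is an assumed placeholder, and the answer is checked against the question that was actually sent before it is handed back to the client.

```python
import base64
import socket
import struct
import urllib.request

# Assumed placeholder upstream; the real endpoint is not given on this page.
UPSTREAM = "https://doh.example.invalid/dns-query"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS wire-format query: header (RD=1, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(base: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire query, base64url without padding, in ?dns=."""
    return f"{base}?dns={base64.urlsafe_b64encode(query).rstrip(b'=').decode()}"

def response_matches(query: bytes, response: bytes) -> bool:
    """Accept only a response (QR=1) carrying our transaction ID and question."""
    if len(response) < 12 or response[:2] != query[:2]:
        return False
    if not response[2] & 0x80:
        return False
    return response[12:].startswith(query[12:])

def forward(query: bytes) -> bytes:
    """Forward one query over HTTPS; upstream ID is 0 (RFC 8484), client ID restored."""
    upstream_q = b"\x00\x00" + query[2:]
    req = urllib.request.Request(doh_get_url(UPSTREAM, upstream_q),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        answer = resp.read()
    if not response_matches(upstream_q, answer):
        raise ValueError("upstream answer does not match the query that was sent")
    return query[:2] + answer[2:]

def serve(listen=("127.0.0.1", 5353)) -> None:
    """Plaintext UDP DNS is accepted on loopback only; nothing leaves in the clear."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, peer = sock.recvfrom(4096)
        try:
            sock.sendto(forward(data), peer)
        except Exception as exc:
            print(f"dropped query from {peer} (no plaintext fallback): {exc}")
```

Run `serve()` and point a local client at 127.0.0.1:5353 to see the pattern end to end; the listen address is loopback on purpose, since the whole point is that plaintext DNS never crosses the perimeter.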

Why we made this choice

Simplicity is not enough if privacy is lost. Plain DNS requests are:

  • easy to read
  • easy to store
  • easy to correlate
  • easy to profile

For Hafnova, that exposure is incompatible with a modern security and privacy posture.

Why Native DNS Encryption matters

  • Better confidentiality in transit
  • Stronger privacy by design
  • Cleaner trust model
  • Modern service architecture
  • Practical compatibility path

What this means operationally

  • Hafnova services are meant to be consumed over encrypted DNS
  • direct plain-DNS public access is not the current model
  • organizations can still integrate local infrastructure through Dohzel Proxy
  • confidentiality is treated as a built-in property, not an optional enhancement

Example use cases

  • Privacy-conscious enterprise DNS
  • Secure DNS service consumption
  • Controlled local compatibility
  • Reduced profiling exposure

DNS confidentiality as a baseline, not a premium feature

Hafnova services are built to operate over encrypted DNS by default, because unencrypted public DNS remains easy to intercept, store, and profile. Dohzel Proxy provides a practical way to preserve local compatibility without exposing DNS traffic beyond the trusted network.

Protect DNS privacy by design

Use encrypted DNS natively, and keep plaintext DNS where it belongs: inside the local network, only when necessary.