The DNS over HTTPS (DoH) protocol is the latest improved solution for the Domain Name System (DNS). However, users can use third-party DoH services to avoid the original supervision of the intranet, so the abnormal traffic detection method is no longer suitable for detecting DoH traffic. To address this problem, the DTESI algorithm is proposed. First, DoH traffic is screened as abnormal traffic from all network traffic based on information entropy. Then, exploiting the characteristic that the response mode is always the same when the DoH server establishes a TLS connection with the same client, the TLS negotiation between the client and the DoH server is examined by fingerprint identification to determine the identity of the DoH server. Finally, the Top-K sampling algorithm is used to select the top K active hosts in the network within a certain period of time as the focus of traffic detection, so that the proposed algorithm can be applied to the networks of medium and large organizations. The experimental results show that, for the abnormal traffic found, the accuracy rate of DoH service providers detected by the DTESI algorithm exceeds 94%. On this basis, the detection time and the detection coverage of all DoH traffic in the network are compared under different K values, and it is shown that a reasonable choice of K value can improve the overall performance of the algorithm.
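
The three stages described above, as an added Python sketch on constructed flow records; it is not the paper's DTESI implementation. Assumptions: entropy is taken over each flow's packet-size distribution and compared with a baseline band, the fingerprint is a JA3S-like hash of ServerHello fields, exact counting stands in for Top-K sampling, and all names and values are hypothetical.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    counts, n = Counter(values), len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def top_k_hosts(flows, k):
    """Exact top-k sources by flow count (stand-in for Top-K sampling)."""
    return [h for h, _ in Counter(f["src"] for f in flows).most_common(k)]

def server_fingerprint(hello):
    """JA3S-like hash over ServerHello version, cipher and extension list."""
    exts = "-".join(str(e) for e in hello["exts"])
    text = f'{hello["version"]},{hello["cipher"]},{exts}'
    return hashlib.sha256(text.encode()).hexdigest()

def detect(flows, k, band, known):
    """Map (src, dst) -> provider for flows that pass all three stages."""
    focus = set(top_k_hosts(flows, k))
    hits = {}
    for f in flows:
        if f["src"] not in focus:
            continue  # only the k most active hosts are inspected
        if band[0] <= shannon_entropy(f["sizes"]) <= band[1]:
            continue  # entropy inside the baseline band: not anomalous
        provider = known.get(server_fingerprint(f["hello"]))
        if provider:  # server response matches a known DoH fingerprint
            hits[(f["src"], f["dst"])] = provider
    return hits

# Constructed sample data (not from the paper); documentation address ranges.
DOH_HELLO = {"version": 771, "cipher": 4865, "exts": [43, 51]}
WEB_HELLO = {"version": 771, "cipher": 49199, "exts": [65281, 11, 35]}
KNOWN = {server_fingerprint(DOH_HELLO): "provider-A"}  # placeholder name
VARIED, UNIFORM = [60, 74, 90, 112, 130, 151, 64, 98], [1500] * 8
BAND = (0.0, 1.5)  # assumed baseline entropy band, in bits
FLOWS = [dict(zip(("src", "dst", "sizes", "hello"), row)) for row in [
    ("10.0.0.5", "192.0.2.53", VARIED, DOH_HELLO),
    ("10.0.0.5", "198.51.100.10", UNIFORM, WEB_HELLO),
    ("10.0.0.5", "198.51.100.11", UNIFORM, WEB_HELLO),
    ("10.0.0.9", "198.51.100.10", VARIED, WEB_HELLO),  # anomalous, unknown server
    ("10.0.0.9", "198.51.100.12", UNIFORM, WEB_HELLO),
    ("10.0.0.7", "192.0.2.53", VARIED, DOH_HELLO),     # low-activity host
]]

if __name__ == "__main__":
    for k in (2, 3):
        print(k, detect(FLOWS, k, BAND, KNOWN))
```

With K = 2 the low-activity host 10.0.0.7 is never inspected, so its DoH flow is missed; raising K to 3 recovers it at the cost of inspecting more hosts, which is the coverage versus detection-time trade-off the abstract compares.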