DNS-over-HTTPS (DoH) is an internet security protocol that encrypts DNS queries by sending them over HTTPS connections on port 443, the same port used for standard HTTPS traffic. Standardized by the IETF in RFC 8484 in October 2018, DoH prevents eavesdropping and manipulation of DNS traffic by making DNS requests indistinguishable from other encrypted web traffic.
Here's how it works: DoH encapsulates DNS messages in wire format inside HTTPS payloads with MIME type application/dns-message. The protocol uses TLS encryption to protect DNS queries from interception and supports HTTP/2 as the recommended minimum version.
This technical structure allows DoH to blend DNS traffic with regular web browsing, making it harder for third parties to monitor which websites you're visiting.
The privacy and security benefits of DoH are substantial for both individual users and organizations. As of 2024, over 90% of Firefox users in the US use DoH by default, protecting their DNS queries from man-in-the-middle attacks and unauthorized surveillance. DoH also prevents DNS hijacking and tampering, ensuring that DNS responses haven't been modified between the resolver and your device.
DoH does introduce some trade-offs that network administrators and security teams need to consider. Because DoH traffic looks identical to standard HTTPS traffic, it can bypass network filters and monitoring tools organizations use for security and policy enforcement. Windows Server 2022 and later versions now support DoH client functionality, showing that enterprise environments are adapting to this protocol despite the monitoring challenges it creates.
Understanding DoH is essential for anyone managing network infrastructure or making decisions about DNS security. The protocol represents a major shift in how DNS traffic is handled, balancing user privacy against network visibility in ways that affect everything from corporate security policies to home network configurations.
What is DNS-over-HTTPS (DoH)?
DNS-over-HTTPS (DoH) is an internet security protocol that encrypts DNS queries by sending them over HTTPS connections. This makes DNS requests look identical to regular web traffic. The IETF standardized the protocol in RFC 8484 in October 2018. It works by encapsulating DNS queries within HTTPS exchanges on port 443, the same port used for standard HTTPS traffic.
DoH protects user privacy by preventing third parties from eavesdropping on or manipulating DNS traffic. This addresses a critical security gap. Traditionally, DNS queries were sent in plain text and could be intercepted or modified through man-in-the-middle attacks.
How does DNS-over-HTTPS work?
DNS-over-HTTPS works by encrypting DNS queries and sending them through HTTPS connections on port 443. That's the same port your regular web traffic uses. This encryption prevents third parties from seeing which websites you're trying to visit or tampering with DNS responses. When your browser needs to resolve a domain name, it sends the DNS query wrapped in an HTTPS request to a DoH-enabled resolver, which then returns the encrypted response.
The protocol uses TLS encryption to protect DNS messages. This makes them indistinguishable from other HTTPS traffic.
Your DNS query gets packaged with the MIME type application/dns-message and travels through the same secure channel as your web browsing. This approach offers two key advantages: it hides DNS queries from anyone monitoring your network connection, and it is harder to block since the traffic looks identical to standard HTTPS.
DoH was standardized by the IETF in RFC 8484 in October 2018. Major browsers and operating systems now support it. Firefox enabled DoH by default for US users, and Windows Server 2022 includes built-in client support.
The protocol differs from DNS-over-TLS (DoT), mainly in terms of transport. DoT uses port 853, which makes it easier to identify and block, while DoH blends into regular web traffic on port 443.
What are the benefits of DNS-over-HTTPS?
DNS-over-HTTPS (DoH) offers significant advantages for users and organizations by encrypting DNS queries through HTTPS connections. Here are the key benefits of DNS-over-HTTPS.
- Enhanced privacy: DoH encrypts DNS queries inside HTTPS traffic, preventing ISPs and network operators from seeing which websites you visit. This encryption makes your DNS requests look like regular web traffic, protecting your browsing patterns from surveillance.
- Protection from tampering: DoH prevents man-in-the-middle attacks where malicious actors intercept and modify DNS responses. The TLS encryption ensures that DNS queries and responses can't be altered during transmission, keeping you safe from DNS spoofing attacks.
- Bypasses network restrictions: DoH uses port 443, the same port as regular HTTPS traffic. This makes it harder for networks to block or filter DNS queries. You can access DNS services even on networks that restrict traditional DNS traffic on port 53.
- Improved security: DoH protects against DNS cache poisoning and other DNS-based attacks by encrypting the entire query-response exchange. Only you and your chosen DNS resolver can see the contents of your DNS requests.
- Prevents DNS hijacking: DoH stops attackers from redirecting your DNS queries to malicious servers that could send you to fake websites. The encrypted connection verifies that you're communicating with your intended DNS resolver, not an imposter.
- Better user control: DoH lets you choose your own DNS resolver regardless of network settings, giving you more control over your DNS privacy. Major browsers support DoH configuration, so you can select trusted DNS providers that match your privacy preferences.
- Compliance support: DoH helps organizations meet data protection requirements by encrypting DNS traffic that might contain sensitive information about user behavior. This encryption adds another layer of privacy protection for customer data in transit.
What are the drawbacks of DNS-over-HTTPS?
The drawbacks of DNS-over-HTTPS refer to the limitations and challenges that organizations and users face when implementing or working with this encrypted DNS protocol. They are listed below.
- Network visibility loss: DoH encrypts DNS queries within HTTPS traffic on port 443, making them indistinguishable from regular web traffic. IT teams can't monitor or filter DNS requests at the network level, complicating security monitoring and content filtering and creating blind spots in your network security infrastructure.
- Centralized resolver control: DoH often directs DNS queries to major public resolvers operated by large technology companies, bypassing local DNS servers. Organizations lose control over DNS resolution policies and can't enforce internal DNS rules. This centralization shifts DNS control away from network administrators to browser or application vendors.
- Content filtering bypass: DoH allows users to circumvent parental controls, workplace content filters, and network security policies that rely on DNS-level blocking. Malicious actors can use DoH to hide command-and-control communications. Schools and enterprises struggle to enforce acceptable use policies when DoH is enabled by default.
- Troubleshooting complexity: Network administrators can't easily inspect DNS traffic when it's encrypted within HTTPS connections. Standard network monitoring tools can't capture DoH queries, making it harder to diagnose DNS-related issues. This increases the time needed to resolve connectivity problems.
- Split DNS conflicts: DoH can break split DNS configurations where internal and external DNS servers provide different responses for the same domain. Users may receive public DNS responses instead of internal ones, causing access failures to private resources. This affects VPN users and employees accessing internal company services.
- Performance overhead: DoH adds TLS encryption overhead to every DNS query, which can increase latency compared to traditional DNS. The protocol requires maintaining HTTPS connections to DNS resolvers, consuming more resources. Mobile devices may experience faster battery drain due to additional encryption processing.
- Browser-level implementation: DoH is often implemented at the browser level rather than the operating system level, creating inconsistent DNS behavior across applications. Some apps use DoH while others use traditional DNS, fragmenting network behavior. This makes it harder to apply uniform DNS policies across all network traffic.
What is the difference between DoH and DoT?
The difference between DoH and DoT comes down to transport protocol and port usage. DNS-over-HTTPS (DoH) sends encrypted DNS queries over HTTPS using port 443. DNS-over-TLS (DoT) sends encrypted DNS queries over TLS using port 853.
Both protocols encrypt DNS traffic to protect user privacy and prevent interception. But there's a key distinction: DoH disguises DNS queries as regular HTTPS traffic, making them harder to identify or block. DoT uses a dedicated port (853), which makes it easier for network administrators to monitor and control DNS traffic. It's also simpler to block when needed.
How to implement DNS-over-HTTPS
You implement DNS-over-HTTPS by configuring your DNS client to send encrypted DNS queries through HTTPS connections to a DoH-capable resolver, then testing to confirm queries are encrypted.
- First, choose a DoH-capable DNS resolver that meets your needs, for example Gcore.
- Next, configure your operating system or application to enable DoH. On Windows 11, go to Network & Internet settings, select your network adapter properties, and add your chosen DoH resolver's IP address in DNS settings with encryption enabled. Firefox users can enable DoH directly in browser settings under Privacy & Security.
- Then, verify your DNS client supports HTTPS and can establish TLS connections on port 443.
- DoH encapsulates DNS messages with MIME type application/dns-message inside HTTPS payloads, so your client needs proper HTTPS support with HTTP/2 or later.
- Configure your DoH resolver URL in your client settings. The URL typically follows the format https://dns.example.com/dns-query, where the resolver accepts POST or GET requests containing encrypted DNS queries in wire format.
- Test your DoH implementation by visiting a DNS leak test website or checking network traffic. Confirm that DNS queries now travel over port 443 instead of the traditional port.
- Verify that queries appear as standard HTTPS traffic rather than plain DNS.
- Monitor query performance and reliability after implementation. DoH adds slight latency compared to plain DNS due to HTTPS encryption overhead, typically 10-30ms depending on resolver distance and network conditions.
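The encapsulation described in the "How does DNS-over-HTTPS work?" section and in the configuration steps above, as an added example that is not part of the original article: the wire-format query is built by hand, then wrapped in both request forms RFC 8484 defines (GET with an unpadded base64url `dns` parameter, and POST with an application/dns-message body), and a constructed response is parsed back into addresses. The resolver URL dns.example.com/dns-query is the hypothetical one from the text; the GET form for www.example.com reproduces the URL parameter given in RFC 8484 itself.

```python
import base64
import struct

# Hypothetical resolver URL in the format the text shows (not a real endpoint).
DOH_URL = "https://dns.example.com/dns-query"

def build_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035): 12-byte header plus one question.
    ID is 0, as RFC 8484 suggests, so identical GET requests are cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def doh_get_url(query):
    """GET form: message in the 'dns' parameter as unpadded base64url."""
    return f"{DOH_URL}?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def doh_post_request(query):
    """POST form: the raw message is the body, typed application/dns-message."""
    return {"method": "POST", "url": DOH_URL, "body": query,
            "headers": {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}}

def parse_a_records(response):
    """Walk a wire-format response and return the IPv4 addresses it answers with."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", response, 0)
    pos = 12
    for _ in range(qd):                      # skip the echoed question(s)
        while response[pos] != 0:
            pos += response[pos] + 1
        pos += 1 + 4                         # root label, QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        if response[pos] & 0xC0 == 0xC0:     # compression pointer (2 bytes)
            pos += 2
        else:
            while response[pos] != 0:
                pos += response[pos] + 1
            pos += 1
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", response, pos)
        pos += 10
        rdata, pos = response[pos:pos + rdlen], pos + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

# Constructed response (not captured from any resolver): the www.example.com A query
# answered with 192.0.2.1, using a name-compression pointer back to the question.
QUERY = build_query("www.example.com")
SAMPLE_RESPONSE = (QUERY[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0) + QUERY[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Sending `doh_post_request(QUERY)` with any HTTPS client that supports HTTP/2 is all a real DoH exchange adds; the bytes on the wire are otherwise indistinguishable from a web request.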
For enterprise deployments, consider that traditional network tools can't easily monitor DoH traffic. Queries look identical to regular HTTPS traffic, which may affect your security visibility requirements.
What are the security implications of DNS-over-HTTPS?
The security implications of DNS-over-HTTPS refer to the effects of encrypting DNS queries through HTTPS connections on network security, user privacy, and threat detection capabilities. The security implications of DNS-over-HTTPS are listed below.
- Privacy protection: DoH encrypts DNS queries using TLS, preventing internet service providers and network observers from seeing which websites users visit. This encryption makes DNS traffic look identical to regular HTTPS traffic on port 443, protecting users from surveillance and profiling.
- Bypassing network controls: Organizations lose visibility into DNS traffic when DoH is enabled because queries bypass traditional DNS monitoring tools. Security teams can't inspect encrypted DNS requests to detect malware communication, data exfiltration, or access to blocked domains. They'll need alternative monitoring solutions.
- Man-in-the-middle protection: DoH prevents attackers from intercepting or modifying DNS responses through TLS encryption. Traditional DNS queries travel in plain text, which allows attackers to redirect users to malicious sites through DNS spoofing attacks.
- Centralized resolver concerns: Major browsers direct DoH queries to specific public resolvers by default, concentrating DNS traffic with a few providers. This centralization creates new privacy concerns. These providers can potentially track browsing patterns across millions of users.
- Malware communication channels: Attackers can use DoH to hide command-and-control communications within encrypted HTTPS traffic. Security tools that rely on DNS monitoring to detect malicious domains can't inspect DoH queries without decrypting HTTPS traffic.
- DNS cache poisoning resistance: DoH queries connect directly to trusted resolvers over encrypted channels, making cache poisoning attacks much harder to execute. Traditional DNS allows attackers to inject false records into resolver caches because responses aren't authenticated or encrypted.
- Enterprise security challenges: Corporate networks struggle to enforce acceptable use policies when employees use DoH-enabled browsers. IT departments must either block DoH traffic entirely or implement proxy solutions that decrypt HTTPS traffic. Both options create new privacy and security trade-offs.
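The "bypassing network controls" and "enterprise security challenges" points above, as an added example that is not part of the original article: a small triage routine over constructed connection records that allows one sanctioned DoH resolver (filtering is then done at that resolver, as the text suggests) and flags the three signals a network team can still see without breaking DoH itself. The host names, workstation names and records are constructed, apart from dns.example.com from the page's sample URL.

```python
from collections import defaultdict

# Constructed records (not from the page or any real network), in the shape a
# firewall or TLS-terminating proxy logs: (source host, dest port, TLS SNI,
# content type if the proxy saw it). Hostnames are hypothetical apart from
# dns.example.com, the page's sample resolver, used here as the sanctioned one.
SANCTIONED_DOH = {"dns.example.com"}
KNOWN_DOH_HOSTS = {"dns.example.com", "doh.resolver-one.test", "doh.resolver-two.test"}
CONNECTIONS = [
    ("ws-101", 53, None, None),                                    # classic DNS
    ("ws-101", 443, "www.example.org", "text/html"),
    ("ws-102", 443, "dns.example.com", "application/dns-message"), # sanctioned DoH
    ("ws-103", 443, "doh.resolver-one.test", None),                # known public DoH
    ("ws-104", 443, "cdn.example.net", "application/dns-message"), # DoH to unlisted host
    ("ws-104", 443, "cdn.example.net", "text/html"),
    ("ws-105", 443, "www.example.org", "text/html"),               # web, but no DNS seen
]

def classify_doh(connections, sanctioned=SANCTIONED_DOH, known=KNOWN_DOH_HOSTS):
    """Per-host findings from three signals: SNI to a known but unsanctioned DoH
    endpoint, an application/dns-message body on an unlisted host (visible only
    where a proxy decrypts), and TLS activity with no port 53 traffic at all."""
    findings = defaultdict(set)
    saw_port53, saw_tls, used_sanctioned = set(), set(), set()
    for host, port, sni, ctype in connections:
        if port == 53:
            saw_port53.add(host)
        elif port == 443:
            saw_tls.add(host)
            if sni in sanctioned:
                used_sanctioned.add(host)
            elif sni in known:
                findings[host].add(f"unsanctioned DoH endpoint {sni}")
            elif ctype == "application/dns-message":
                findings[host].add(f"DoH payload to unlisted host {sni}")
    # A host that talks TLS but never sends plain DNS, and is not using the
    # sanctioned resolver, is resolving names somewhere the network cannot see.
    for host in saw_tls - saw_port53 - used_sanctioned:
        findings[host].add("no port 53 traffic despite TLS activity")
    return {host: sorted(reasons) for host, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in sorted(classify_doh(CONNECTIONS).items()):
        print(host, "->", "; ".join(reasons))
```

The SNI and "no port 53" signals work on unmodified traffic; the content-type signal only exists where a decrypting proxy is already deployed, which is the trade-off the last bullet describes.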
Frequently asked questions
Is DNS-over-HTTPS enabled by default in my browser?
It depends on your browser and location. Firefox enables DoH by default for users in the US and select regions. Chrome, Edge, and Safari activate it only when your system DNS provider supports DoH.
Does DoH slow down my internet connection?
No, DoH adds minimal latency of 1–3ms due to TLS encryption overhead. This is negligible for typical browsing and won't affect your internet speed noticeably.
Can my ISP see my browsing history with DoH enabled?
Your ISP can't see your browsing history or specific DNS queries when DoH is enabled. DNS requests are encrypted within HTTPS traffic on port 443, making them invisible to your internet service provider.
Is DNS-over-HTTPS the same as a VPN?
No, they're different. DNS-over-HTTPS encrypts only your DNS queries, while a VPN encrypts all your internet traffic and routes it through a remote server. DoH protects your DNS lookups from interception, but it doesn't hide your IP address or encrypt your browsing activity the way a VPN does.
How does DoH affect content filtering and parental controls?
DoH breaks traditional content filtering and parental controls. It encrypts DNS queries and routes them through port 443, so network-level DNS filters can no longer detect or block those queries. This means the filtering tools that rely on monitoring DNS traffic can't see or control what's being requested.
Should enterprises block or allow DoH traffic?
It depends on your security requirements. Enterprises should allow DoH to protect employee privacy and prevent DNS hijacking, but implement DNS filtering at the DoH resolver level rather than blocking DoH traffic entirely.