DNS over HTTPS (DoH): Privacy, Security, and How It Works

DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by sending them over HTTPS connections to a DNS resolver. Traditional DNS sends queries in plaintext over UDP port 53, making them visible to anyone who can observe network traffic — ISPs, network administrators, and attackers alike. DoH wraps DNS queries inside standard HTTPS traffic on port 443, making them indistinguishable from regular web browsing.

The Problem with Traditional DNS

Standard DNS (defined in RFC 1035) has several privacy and security issues:

  • No encryption — DNS queries and responses are sent in plaintext, exposing every domain name a user visits
  • No authentication — responses can be forged or modified in transit (DNS spoofing)
  • ISP visibility — internet service providers can log and sell browsing history based on DNS queries
  • Censorship vector — governments and organizations can block access by intercepting DNS responses
  • Man-in-the-middle attacks — attackers on the local network can redirect DNS responses to malicious servers

# Traditional DNS query — visible in plaintext
dig example.com @8.8.8.8

# Captured by network observer:
# Query: example.com A record
# Response: 93.184.216.34
# Everything visible including the domain name

How DoH Works

DoH encapsulates DNS queries in HTTP/2 requests sent to a DoH-compatible resolver over TLS-encrypted connections:

# DoH request (simplified)
POST https://dns.google/dns-query HTTP/2
Content-Type: application/dns-message
Accept: application/dns-message

[Binary DNS query payload]

The resolver processes the DNS query and returns the response over the same encrypted HTTPS connection. From a network perspective, this traffic looks identical to any other HTTPS request to the resolver's IP address.

Wire Format vs JSON Format

DoH supports two query formats:

Format | Content-Type | Use Case
Wire format (RFC 1035) | application/dns-message | Standard binary DNS message, efficient for resolvers
JSON format | application/dns-json | Human-readable, convenient for debugging and API documentation

# JSON format query (Google's DoH)
curl -s "https://dns.google/resolve?name=example.com&type=A" | python3 -m json.tool
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "Answer": [
    {
      "name": "example.com",
      "type": 1,
      "TTL": 3600,
      "data": "93.184.216.34"
    }
  ]
}
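As an added example (not code from the article), the RFC 8484 wire-format exchange described above in Python: it builds the binary query that goes in the POST body or in the GET `dns=` parameter, and parses a response. dns.google is the resolver named above; SAMPLE_RESPONSE is constructed inline, not captured from a real resolver.

```python
import base64
import struct
DOH_URL = "https://dns.google/dns-query"   # resolver endpoint named in the article
QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name: str) -> bytes:
    """RFC 1035 label format: length byte + label for each label, then a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Minimal wire-format query, RD=1. ID is 0 as RFC 8484 recommends, so identical
    queries yield identical bodies/URLs and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def doh_get_url(query: bytes, base_url: str = DOH_URL) -> str:
    """GET form of RFC 8484: ?dns=<base64url of the message, '=' padding removed>.
    The POST form sends the same bytes as the body with application/dns-message."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name; a 2-byte compression pointer (top bits 11) ends it."""
    while (msg[off] & 0xC0) != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if (msg[off] & 0xC0) == 0xC0 else 1)

def parse_a_answers(msg: bytes) -> list:
    """(ttl, ipv4) for each A record in a wire-format response; [] if not a clean answer."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:      # QR must be 1 and RCODE must be 0
        return []
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return answers

# Constructed response (not from a real resolver): QR=1 RD=1 RA=1, one A record via pointer 0xC00C to the question.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
                   + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
                   + bytes([93, 184, 216, 34]))
```

Sending `build_query("example.com")` as the body of a POST with the headers shown above, or fetching `doh_get_url(...)`, returns bytes in the same format as SAMPLE_RESPONSE.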

DoH vs DoT vs Traditional DNS

Feature | Traditional DNS | DoT (DNS over TLS) | DoH (DNS over HTTPS)
Port | 53 (UDP/TCP) | 853 (TCP) | 443 (TCP)
Encryption | None | TLS | TLS (via HTTPS)
Blockable | Yes (port 53) | Yes (port 853) | Difficult (blends with HTTPS)
Performance | Fastest (no encryption overhead) | Moderate | Moderate (HTTP/2 multiplexing helps)
Privacy | None | Query content hidden | Query content hidden + blends with traffic
Visibility | Full (queries visible) | Destination visible (port 853) | Destination visible (resolver IP)

Major DoH Providers

Provider | DoH URL | Notable Features
Cloudflare | https://cloudflare-dns.com/dns-query | Fastest, privacy-focused, no logging
Google | https://dns.google/dns-query | Reliable, JSON API available
Quad9 | https://dns.quad9.net/dns-query | Malware blocking, non-profit
NextDNS | https://dns.nextdns.io/dns-query | Customizable filtering, analytics

Enabling DoH

Browser Configuration

Most modern browsers support DoH natively:

  • Firefox: Settings → Privacy & Security → DNS over HTTPS → Max Protection
  • Chrome: Settings → Security → Use secure DNS → Choose provider
  • Edge: Settings → Privacy → Use secure DNS → Choose provider
  • Safari: Supports DoH via configuration profiles on macOS/iOS

System-Level Configuration

# Using systemd-resolved (Linux). Note: systemd-resolved implements DNS over TLS (DoT, port 853),
# not DoH, so this stanza encrypts queries with DoT rather than over HTTPS.
# /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes

# Using dnscrypt-proxy
# /etc/dnscrypt-proxy/dnscrypt-proxy.toml
server_names = ['cloudflare', 'google']
listen_addresses = ['127.0.0.1:53']
doh_servers = true

Implications for Network Security

DoH creates tension between user privacy and network security operations:

Benefits

  • Prevents DNS-based surveillance and censorship
  • Eliminates DNS spoofing and manipulation attacks
  • Protects against on-path attackers modifying DNS responses
  • Makes Wi-Fi and public network usage more secure

Challenges

  • Enterprise security teams lose visibility into DNS queries for threat detection
  • Parental controls and content filtering that rely on DNS become less effective
  • Malware can use DoH to bypass DNS-based security controls
  • Debugging network issues becomes harder without DNS query visibility
  • Split-horizon DNS (internal vs external resolution) may break
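As an added example for defenders (not code from the article), a small Python classifier that flags likely DoH traffic in proxy logs, using the provider endpoints listed above together with RFC 8484 indicators. It assumes a hypothetical log format from a TLS-inspecting proxy and uses constructed sample lines; the unlisted-resolver line shows why a host list alone is not enough.

```python
import re
from urllib.parse import parse_qs, urlparse
# DoH endpoints from the article's provider table; in practice such a list is never complete.
KNOWN_DOH_URLS = [
    "https://cloudflare-dns.com/dns-query",
    "https://dns.google/dns-query",
    "https://dns.quad9.net/dns-query",
    "https://dns.nextdns.io/dns-query",
]
KNOWN_DOH_HOSTS = {urlparse(u).hostname for u in KNOWN_DOH_URLS}
DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}
# Constructed (hypothetical) log layout of a TLS-inspecting proxy: <client> <ts> <method> <url> "<media type>"
LOG_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')

def doh_indicators(line: str) -> dict:
    """Return client, host and the reasons a log line looks like DoH ([] if none); {} if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    client, _, method, url, media = m.groups()
    parsed = urlparse(url)
    reasons = []
    if parsed.hostname in KNOWN_DOH_HOSTS:
        reasons.append("known DoH resolver host")
    if media in DOH_MEDIA_TYPES:
        reasons.append("DoH media type " + media)
    if parsed.path.endswith("/dns-query"):
        reasons.append("/dns-query path used by RFC 8484 resolvers")
    if method == "GET" and "dns" in parse_qs(parsed.query):
        reasons.append("base64url dns= parameter (RFC 8484 GET form)")
    return {"client": client, "host": parsed.hostname, "reasons": reasons}

def find_doh(lines) -> list:
    """Return (client, host, reasons) for every log line matching at least one indicator."""
    hits = []
    for line in lines:
        info = doh_indicators(line)
        if info and info["reasons"]:
            hits.append((info["client"], info["host"], info["reasons"]))
    return hits

# Constructed sample log lines, not real traffic. Line 3 goes to a resolver absent from the host list.
SAMPLE_LOG = [
    '10.0.0.5 2024-01-01T10:00:00Z GET https://www.example.com/index.html "text/html"',
    '10.0.0.5 2024-01-01T10:00:01Z POST https://dns.google/dns-query "application/dns-message"',
    '10.0.0.7 2024-01-01T10:00:02Z GET https://doh.unlisted.example/dns-query?dns=AAABAAABAAAAAAAA "application/dns-message"',
    '10.0.0.9 2024-01-01T10:00:03Z GET https://dns.google/resolve?name=example.com&type=A "application/dns-json"',
]
```

Without TLS inspection only the resolver IP or SNI is visible, so the media-type, path and parameter checks apply only where the proxy sees decrypted requests.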

DoH and Web Monitoring

For web monitoring and uptime checking, DoH has practical implications:

  • DNS resolution time — DoH adds TLS overhead but benefits from HTTP/2 connection reuse
  • DNS propagation monitoring — DoH resolvers may cache differently from traditional resolvers
  • Availability checks — if your monitoring uses DoH, it may not reflect the DNS experience of users who do not
  • DNSSEC validation — DoH resolvers typically perform DNSSEC validation, adding a layer of authenticity

Summary

DNS over HTTPS is a significant privacy improvement for internet users, encrypting DNS queries that were previously sent in plaintext. While it creates challenges for enterprise network security and content filtering, it effectively prevents DNS surveillance, spoofing, and censorship. Major browsers and operating systems now support DoH natively, and adoption continues to grow. For web professionals, understanding DoH is important for accurate monitoring, debugging, and security planning.
