DNS over HTTPS (DoH): Privacy, Security, and How It Works
DNS over HTTPS (DoH), defined in RFC 8484, is a protocol that encrypts DNS queries by carrying them in HTTPS requests to a DoH-capable resolver. Traditional DNS sends queries in plaintext over UDP port 53, so anyone who can observe the network path (ISPs, network administrators, an attacker on the same Wi-Fi) can read them. DoH wraps DNS queries inside ordinary HTTPS traffic on port 443, which makes them hard to tell apart from other web traffic to the same host. They are not invisible, though: the resolver's IP address and, unless Encrypted Client Hello is in use, the TLS server name (SNI) remain observable.
The Problem with Traditional DNS
Standard DNS (defined in RFC 1035) has several privacy and security issues:
- No encryption — DNS queries and responses are sent in plaintext, exposing every domain name a user visits
- No authentication — responses can be forged or modified in transit (DNS spoofing); only DNSSEC, where the zone is signed and the resolver or client validates, proves that a record is genuine
- ISP visibility — internet service providers can log and sell browsing history based on DNS queries
- Censorship vector — governments and organizations can block access by intercepting DNS responses
- Man-in-the-middle attacks — an attacker on the local network can answer before the real resolver does and point clients at malicious servers
# Traditional DNS query — visible in plaintext
dig example.com @8.8.8.8
# Captured by network observer:
# Query: example.com A record
# Response: 93.184.216.34
# Everything visible including the domain name
How DoH Works
DoH carries a DNS message inside an HTTP request to a resolver endpoint over TLS; RFC 8484 recommends HTTP/2 or later so that many queries can share one encrypted connection. The client either POSTs the binary DNS message as the request body, or sends a GET whose dns query parameter holds the same message base64url-encoded without padding (the GET form is what HTTP caches can serve, which is why the DNS message ID should be 0):
# DoH request (simplified; the POST form)
POST /dns-query HTTP/2
Host: dns.google
Content-Type: application/dns-message
Accept: application/dns-message
[Binary DNS query payload]
The resolver parses the DNS query and returns the DNS response message, also as application/dns-message, over the same encrypted connection. On the wire this is just a TLS session to the resolver's IP address: an observer sees the destination and the SNI, not the names being resolved.
Wire Format vs JSON Format
DoH clients exchange DNS messages in one of two formats:
| Format | Content-Type | Use Case |
|---|---|---|
| Wire format (RFC 1035 binary message) | application/dns-message | The only format RFC 8484 defines; what browsers and system stub resolvers use |
| JSON format | application/dns-json | Vendor API offered by Google and Cloudflare, not part of RFC 8484; human-readable, convenient for debugging and API documentation |
# JSON format query (Google's DoH)
curl -s "https://dns.google/resolve?name=example.com&type=A" | python3 -m json.tool
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"Answer": [
{
"name": "example.com",
"type": 1,
"TTL": 3600,
"data": "93.184.216.34"
}
]
}
DoH vs DoT vs Traditional DNS
| Feature | Traditional DNS | DoT (DNS over TLS) | DoH (DNS over HTTPS) |
|---|---|---|---|
| Port | 53 (UDP/TCP) | 853 (TCP) | 443 (TCP; UDP when carried over HTTP/3) |
| Encryption | None | TLS | TLS (via HTTPS) |
| Blockable | Yes (port 53) | Yes (port 853) | Only by blocking known resolver IPs or hostnames, or by TLS inspection; the port blends with HTTPS |
| Performance | Fastest (no handshake or encryption overhead) | Moderate (TLS handshake, amortized by connection reuse) | Moderate (TLS handshake, amortized by HTTP/2 connection reuse and multiplexing) |
| Privacy | None | Query content hidden | Query content hidden; blends with other HTTPS traffic |
| Visibility | Full (queries visible) | Destination visible (resolver IP, dedicated port 853) | Destination visible (resolver IP and, without Encrypted Client Hello, the SNI) |
Major DoH Providers
| Provider | DoH URL | Notable Features |
|---|---|---|
| Cloudflare | https://cloudflare-dns.com/dns-query | Low latency, published privacy policy with short log retention |
| Google | https://dns.google/dns-query | Reliable, JSON API available |
| Quad9 | https://dns.quad9.net/dns-query | Malware blocking, non-profit |
| NextDNS | https://dns.nextdns.io/dns-query | Customizable filtering, analytics |
Whichever you pick sees every query you send: DoH moves trust from the network path to the resolver operator, so read the operator's logging policy before you choose.
Enabling DoH
Browser Configuration
Most modern browsers support DoH natively:
- Firefox: Settings → Privacy & Security → DNS over HTTPS → Max Protection (Increased Protection falls back to the system resolver when DoH fails; Max Protection does not)
- Chrome: Settings → Privacy and security → Security → Use secure DNS → choose a provider
- Edge: Settings → Privacy, search, and services → Security → Use secure DNS → choose a provider
- Safari: has no DoH setting of its own and uses the system resolver; macOS 11+ and iOS 14+ support DoH (and DoT) system-wide through a configuration profile or an app that installs DNS settings
System-Level Configuration
# systemd-resolved (Linux) speaks DNS over TLS, not DoH. This gives the same
# transport encryption, but on port 853, so it is blockable by port.
# /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes
# For DoH on Linux, run a local forwarder such as dnscrypt-proxy and point
# the system resolver (resolv.conf or systemd-resolved's DNS=) at 127.0.0.1
# /etc/dnscrypt-proxy/dnscrypt-proxy.toml
server_names = ['cloudflare', 'google']
listen_addresses = ['127.0.0.1:53']
doh_servers = true
dnscrypt_servers = false   # DoH only; leave true to also allow DNSCrypt servers
Implications for Network Security
DoH creates tension between user privacy and network security operations:
Benefits
- Prevents passive observation of queries on the network path, which defeats DNS-based surveillance and the censorship schemes that rely on intercepting port 53
- Stops on-path attackers, for example on public Wi-Fi, from tampering with or forging responses between the client and the resolver
- Does not authenticate the DNS data itself: a compromised or malicious resolver can still lie, and only DNSSEC validation proves that a record is genuine
Challenges
- Enterprise security teams lose visibility into DNS queries for threat detection unless clients are pointed at an enterprise-controlled DoH resolver
- Parental controls and content filtering that rely on DNS become less effective
- Malware can use DoH, including its own resolver endpoints, to bypass DNS-based security controls and sinkholes
- Debugging network issues becomes harder without DNS query visibility
- Split-horizon DNS (internal vs external resolution) breaks when a browser bypasses the corporate resolver. Firefox queries the canary domain use-application-dns.net and disables its default DoH rollout if the local resolver returns NXDOMAIN for it, and both Firefox and Chrome honour enterprise policies that disable or pin DoH; those controls are more reliable than trying to block DoH by port
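One way to get some of that visibility back from the network side, as an added example that is not from the original article: two heuristics over connection records, namely TLS to a known public DoH endpoint, and a client opening TLS to a name it never looked up through the monitored resolver, which is what every DoH user looks like once port 53 goes quiet. The log lines are constructed, simplified records in the spirit of Zeek's dns.log and ssl.log, and the endpoint and address lists are assumed current rather than authoritative.

```python
"""Flag likely DoH use from connection records, for teams that have lost port-53
visibility.

Added example, not code from the original article. Both logs below are
constructed, whitespace-separated records (timestamp, client IP, then either the
queried name and type, or destination IP, port and TLS SNI), not real traffic.
"""
from collections import defaultdict

# Public DoH endpoints named in the article plus their anycast addresses
# (assumed current at time of writing; maintain this list from your own intel)
KNOWN_DOH_SNI = {"cloudflare-dns.com", "one.one.one.one", "dns.google",
                 "dns.quad9.net", "dns.nextdns.io"}
KNOWN_DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
                 "9.9.9.9", "149.112.112.112"}

# Constructed sample logs (not captured traffic)
DNS_LOG = """\
1700000000.1 10.0.0.5 example.com A
1700000000.3 10.0.0.5 www.example.org A
1700000005.0 10.0.0.9 use-application-dns.net A
"""
SSL_LOG = """\
1700000000.2 10.0.0.5 93.184.216.34 443 example.com
1700000000.4 10.0.0.5 1.1.1.1 443 cloudflare-dns.com
1700000001.0 10.0.0.7 8.8.8.8 443 dns.google
1700000002.0 10.0.0.7 203.0.113.9 443 updates.example.net
1700000003.0 10.0.0.5 93.184.216.35 443 www.example.org
"""


def detect_doh(dns_log: str, ssl_log: str, window: float = 300.0) -> list[dict]:
    """Return one finding per suspicious TLS connection.

    `window` bounds how long a plaintext lookup explains later TLS connections to
    that name. A real deployment should use the record's TTL instead, and must
    expect misses from TLS session resumption, long-lived connections and ECH.
    """
    lookups: dict[str, dict[str, float]] = defaultdict(dict)  # client -> name -> last lookup time
    for line in dns_log.splitlines():
        ts, client, name, _qtype = line.split()
        lookups[client][name.lower().rstrip(".")] = float(ts)

    findings = []
    for line in ssl_log.splitlines():
        ts_s, client, dst, port, sni = line.split()
        ts, sni = float(ts_s), sni.lower().rstrip(".")
        if sni in KNOWN_DOH_SNI or (port == "443" and dst in KNOWN_DOH_IPS):
            findings.append({"client": client, "dst": dst, "sni": sni, "reason": "known_doh_endpoint"})
            continue
        seen = lookups[client].get(sni)
        if seen is None or not (0 <= ts - seen <= window):
            # No plaintext lookup preceded this connection: DoH, a hardcoded IP,
            # or a cached answer older than the window. A lead, not an alert on its own.
            findings.append({"client": client, "dst": dst, "sni": sni, "reason": "tls_without_prior_dns"})
    return findings


def canary_queried(dns_log: str) -> set[str]:
    """Clients that asked for Firefox's canary domain. Answering it with NXDOMAIN
    from the enterprise resolver keeps Firefox's default DoH rollout switched off."""
    return {line.split()[1] for line in dns_log.splitlines()
            if line.split()[2].lower().rstrip(".") == "use-application-dns.net"}


if __name__ == "__main__":
    for finding in detect_doh(DNS_LOG, SSL_LOG):
        print(finding)
    print("canary lookups from:", canary_queried(DNS_LOG))
```

The second heuristic is deliberately noisy: it also fires on clients that cache aggressively or connect by IP, so it belongs in a hunt query or a per-host score, while the first heuristic (known endpoint) is precise enough to alert on in an environment where DoH is disallowed by policy.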
DoH and Web Monitoring
For web monitoring and uptime checking, DoH has practical implications:
- DNS resolution time — each DoH lookup pays a TLS handshake unless the connection is reused, so measure with a warm connection to see what browsers actually experience
- DNS propagation monitoring — the large public DoH resolvers are anycast and may cache differently from your users' ISP resolvers, so a change can look propagated on one and not the other
- Availability checks — if your monitoring uses DoH, it may not reflect the DNS experience of users who do not, and vice versa
- DNSSEC validation — the major public DoH resolvers validate DNSSEC and set the AD flag in the response; the client only learns that the resolver claims to have validated, so this adds authenticity only to the extent you trust the resolver
Summary
DNS over HTTPS is a significant privacy improvement for internet users, encrypting DNS queries that were previously sent in plaintext. It removes the network path from the threat model: passive surveillance, on-path spoofing and port-53 interception no longer work, although the resolver itself still sees everything and a determined network can still block known resolvers. That same property creates challenges for enterprise network security and content filtering. Major browsers and operating systems now support DoH natively, and adoption continues to grow. For web professionals, understanding DoH is important for accurate monitoring, debugging, and security planning.