DNS over HTTPS (DoH): How It Works
## The Privacy Gap in Traditional DNS
Every time you type a URL, your device sends a DNS (Domain Name System) query to resolve the hostname into an IP address. Traditionally this query travels as a plaintext UDP packet — visible to your ISP, any network middlebox, and anyone monitoring the wire. Even if the website itself uses HTTPS, your DNS lookups reveal which sites you visit, to whom, and how often.
DNS-over-HTTPS (DoH) wraps DNS queries inside standard HTTPS connections, making them indistinguishable from ordinary web traffic to anyone observing the network. RFC 8484, published in 2018, standardizes the protocol. It has since been implemented in Firefox, Chrome, Edge, iOS, Android, and Windows 11.
## How DoH Works at the Protocol Level
A DoH client sends DNS queries as HTTP/2 (or HTTP/3) POST or GET requests to a DoH resolver endpoint over port 443. The DNS message is encoded either as a raw binary DNS wire format (`application/dns-message` content type) or as JSON (`application/dns-json`).
A GET request example:
```
GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
Accept: application/dns-message
```
The base64url-encoded `dns` parameter is a standard DNS query packet for `www.example.com` type A. The server responds with a standard DNS response body, also in wire format, over the same HTTPS connection.
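To show what is actually inside that `dns=` parameter, here is an added example (not code from the original article): it builds the 33-byte wire-format query for `www.example.com`/A, base64url-encodes it exactly as RFC 8484 requires (no `=` padding), and decodes a constructed wire-format response of the kind the resolver would return, including a compressed name and the TTL a client would cache.

```python
import base64
import struct

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """12-byte header (ID, flags=RD only, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_param(query: bytes) -> str:
    """base64url without '=' padding, the form RFC 8484 requires for dns=."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def read_name(msg: bytes, off: int):
    """Read a name, following RFC 1035 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length >= 0xC0:                       # 2-byte compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def parse_answers(msg: bytes):
    """Return [(name, type, ttl, rdata)] from a wire-format DNS response."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):                          # skip the echoed question section
        off = read_name(msg, off)[1] + 4         # QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        answers.append((name, rtype, ttl, ".".join(map(str, rdata)) if rtype == 1 else rdata))
    return answers

# Constructed sample response (not captured from a real resolver): flags QR+RD+RA, the
# question echoed back, one A answer whose name is a pointer to offset 12, TTL 300, 192.0.2.1.
QUERY = build_query("www.example.com")
RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + QUERY[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

`doh_get_param(QUERY)` reproduces the `dns=` value shown in the GET request above, and `parse_answers(RESPONSE)` yields the name, type, TTL and address a DoH client would hand to its cache.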
Because DoH uses port 443 and looks like any HTTPS traffic, it bypasses DNS-based filtering appliances, captive portals, and passive monitoring. This is both its privacy strength and the source of enterprise concern.
## Major DoH Resolvers
| Provider | Endpoint | Notable Feature |
|---|---|---|
| Cloudflare | `https://cloudflare-dns.com/dns-query` | No logging, Tor variant |
| Google | `https://dns.google/dns-query` | Anycast, fast globally |
| NextDNS | `https://dns.nextdns.io/` | Per-account filtering |
| Quad9 | `https://dns.quad9.net/dns-query` | Malware blocking |
| AdGuard | `https://dns.adguard.com/dns-query` | Ad blocking built in |
Each resolver has a different privacy policy regarding query logging, data retention, and sharing. "No logging" claims vary in specificity — read the actual privacy policy rather than the marketing headline.
## Browser-Level vs. OS-Level DoH
**Browser-level DoH** (Firefox, Chrome, Edge) means the browser maintains its own encrypted DNS stack independent of the operating system. Firefox calls this "Trusted Recursive Resolver" (TRR). When enabled, the browser sends DoH queries directly to the configured endpoint, completely bypassing the OS resolver. This works even on networks where the OS is using an ISP-assigned resolver.
Firefox's DoH mode options:
- **Off**: Standard DNS
- **Default** (mode 2): DoH with plaintext fallback
- **Increased** (mode 3): DoH only, no fallback
- **Max** (mode 5): DoH only, error if unavailable
**OS-level DoH** (Windows 11 Encrypted DNS, macOS 14, Android Private DNS) routes all DNS queries from all applications through an encrypted resolver. This is more comprehensive since it covers apps that do not use the system's HTTP stack, but it requires OS support and correct configuration.
## Testing DoH in Practice
You can test DoH directly with `curl`:
```bash
# Query via Cloudflare DoH (JSON format, selected by the Accept header)
curl -sH 'accept: application/dns-json' \
  'https://cloudflare-dns.com/dns-query?name=example.com&type=A' | jq .
# Query via Google DoH (JSON format; Google's JSON API lives at /resolve)
curl -sH 'accept: application/dns-json' \
  'https://dns.google/resolve?name=example.com&type=MX' | jq .
# Verify your browser is using DoH
# Visit: https://1.1.1.1/help (Cloudflare's DoH check page)
# Or: https://browserleaks.com/dns
```
## Impact on DNS Cache and TTL
DoH resolvers respect TTL (Time To Live) values exactly as traditional DNS does. The encrypted transport layer does not change caching semantics. However, because DoH typically routes through large public resolvers rather than ISP-local resolvers, the cache hit rate profile is different. Cloudflare's resolver serves millions of users globally, so popular domains are almost always cache-warm, reducing latency for common lookups.
For CDN (Content Delivery Network) providers and services whose authoritative DNS servers use short TTLs for geo-routing, DoH can sometimes cause suboptimal routing because the public DoH resolver's IP address may be geographically distant from the end user. This is the same issue as EDNS Client Subnet (ECS) handling — some DoH resolvers forward ECS, others do not.
## Enterprise and Network Administrator Concerns
DoH creates a genuine tension with enterprise network management. Organizations use DNS-based filtering to block malware, enforce acceptable use policies, and comply with regulations. When browsers bypass the corporate resolver with DoH, these controls are circumvented.
Enterprise mitigations include:
- **Canary domain**: RFC 7686 defines a special domain. If `use-application-dns.net` resolves with NXDOMAIN, Firefox interprets this as "DoH not welcome on this network" and disables browser DoH. Enterprises can configure their internal DNS to return NXDOMAIN for this domain.
- **Block DoH endpoints**: Firewall rules blocking known DoH resolver IPs (impractical long-term as endpoints multiply).
- **Proxy DoH traffic**: Intercept HTTPS traffic at a corporate proxy and redirect DoH to an internal resolver.
## DoH vs. DNSSEC: Complementary, Not Competing
A common misconception is that DoH replaces DNSSEC. They solve different problems. DoH protects the privacy of your DNS queries in transit — preventing eavesdropping by your ISP or local network. DNSSEC ensures the answers you receive are authentic — preventing cache poisoning and spoofing attacks. You can and should use both: DoH for transport privacy, DNSSEC for data integrity.
See also DNS over TLS (DoT): Privacy-First Resolution for a comparison with the alternative encrypted DNS protocol, and DNSSEC Deep Dive: Signing, Validation, and Troubleshooting for the authentication layer. For understanding DNS Propagation behavior with DoH resolvers, see DNS Performance Optimization at Scale.