DNS over HTTPS: Securing the Internet's Foundation

Introduction

Every time you type a website address into your browser, an invisible conversation happens before any content loads. Your device asks the internet, “Where can I find this website?” This question—and its answer—has traditionally been sent in plain text, visible to anyone monitoring your network. It’s like shouting your destination across a crowded room before taking a private taxi. DNS over HTTPS (DoH) fundamentally changes this dynamic by encrypting these queries, wrapping them in the same secure protocol that protects your passwords and credit card information. What began as a privacy enhancement has evolved into a contentious technology that challenges decades of network management practices, raises questions about centralization, and forces us to reconsider the balance between privacy and control. This exploration examines how DoH works, why it emerged, the benefits it delivers, and the complex challenges it introduces to the internet ecosystem.

Understanding DNS: The Internet’s Address Book

Before diving into DoH, we need to understand what it’s protecting. The Domain Name System (DNS) is one of the internet’s foundational protocols, translating human-readable domain names like “example.com” into IP addresses like “93.184.216.34” that computers use to communicate. Traditional DNS operates over UDP port 53 (or TCP for larger responses), sending queries and responses in plain text. When you visit a website, your device sends a DNS query to a resolver—typically provided by your ISP or a public service like Google DNS or Cloudflare. The resolver either returns a cached answer or queries authoritative DNS servers to find the correct IP address.

📝Traditional DNS Flow

User types URL: Browser needs IP address for domain
Query sent: Device sends DNS query to configured resolver (port 53, plain text)
Resolver searches: Checks cache or queries authoritative servers
Response returned: IP address sent back to device (plain text)
Connection established: Browser connects to IP address Every step of this process is visible to network observers.

The Privacy Problem

Traditional DNS’s lack of encryption creates several privacy and security vulnerabilities:

Surveillance: ISPs, governments, and network operators can see every domain you query
Manipulation: Attackers can intercept and modify DNS responses (DNS spoofing)
Censorship: Network operators can block access by filtering DNS queries
Tracking: DNS queries reveal browsing patterns even when websites use HTTPS
Data leakage: DNS queries expose information about internal network structure While HTTPS encrypts the content of your web browsing, DNS queries remain visible, creating a significant privacy gap. An observer can’t see what you’re doing on a website, but they know exactly which websites you’re visiting.

How DNS over HTTPS Works

DNS over HTTPS addresses these vulnerabilities by tunneling DNS queries through HTTPS connections, the same encryption protocol that secures web traffic. This seemingly simple change has profound implications for privacy and network architecture.

Technical Architecture

DoH encapsulates DNS queries within HTTPS requests, typically using HTTP/2 or HTTP/3 for efficiency. Instead of sending queries to port 53, DoH clients send HTTPS POST or GET requests to a DoH server’s endpoint (usually port 443).

📝DoH Request Flow

Traditional DNS queries are sent in plain text to port 53, making them visible to network observers. DoH queries are encrypted HTTPS requests to port 443, hiding the DNS queries within normal web traffic. Traditional DNS Query:

Client → DNS Resolver (port 53, UDP/TCP)
Query: "What is the IP for example.com?"
Response: "93.184.216.34" (all visible to network)

DoH Query:

Client → DoH Server (port 443, HTTPS)
Encrypted POST request containing DNS query
Encrypted response containing IP address
(Network sees only encrypted HTTPS traffic)

Protocol Specifications

DoH is standardized in RFC 8484, defining how DNS queries are encoded in HTTP requests and responses. The protocol supports two methods: POST Method:

DNS query encoded in request body
Content-Type: application/dns-message
Binary DNS message format
Preferred for privacy (no query in URL) GET Method:
DNS query encoded in URL parameter
Query parameter: ?dns=<base64url-encoded-query>
May be cached by HTTP intermediaries
Useful for simple queries

💡Wire Format Compatibility

DoH uses the same binary DNS message format as traditional DNS, making it easy for existing DNS software to support DoH by adding an HTTPS wrapper. The DNS protocol itself doesn’t change—only the transport mechanism.

DoH vs. DNS over TLS (DoT)

DoH isn’t the only encrypted DNS protocol. DNS over TLS (DoT), standardized in RFC 7858, also encrypts DNS queries but uses a dedicated port (853) and TLS directly rather than HTTPS.

Feature	DoH (Port 443)	DoT (Port 853)	Traditional DNS (Port 53)
Encryption	Yes (HTTPS)	Yes (TLS)	No
Port	443 (HTTPS)	853 (dedicated)	53 (UDP/TCP)
Visibility	Looks like web traffic	Clearly identifiable	Clearly identifiable
Blocking	Difficult (blocks all HTTPS)	Easy (block port 853)	Easy (block port 53)
Network control	Limited	Possible	Full
Caching	HTTP caching possible	No HTTP caching	DNS caching only
The key difference: DoH traffic is indistinguishable from regular HTTPS web traffic, making it nearly impossible to block without blocking all HTTPS. DoT uses a dedicated port, making it easy to identify and control.

Drivers: Why DoH Emerged

The push for encrypted DNS didn’t happen in a vacuum. Several converging factors created both the need and the momentum for DoH adoption.

Privacy Concerns and Surveillance

The Snowden revelations in 2013 exposed the extent of mass surveillance programs, including DNS query monitoring. This sparked a broader privacy movement in the tech industry, leading to widespread HTTPS adoption. However, DNS remained an unencrypted weak point, undermining the privacy gains from HTTPS. Privacy advocates argued that DNS queries reveal sensitive information about users’ interests, health concerns, political views, and personal relationships. Even with HTTPS protecting website content, DNS queries create a detailed map of online behavior.

⚠️🕵️ Surveillance Capabilities

What DNS queries reveal:

Medical conditions (queries for health websites)
Political affiliations (news sites, campaign sites)
Financial status (banking sites, investment platforms)
Personal relationships (dating sites, social networks)
Geographic location (local business queries)
Work patterns (time-based query patterns) This metadata is often more valuable than content for profiling users.

ISP Behavior and Monetization

Internet Service Providers have increasingly monetized DNS data through various means:

Advertising: Injecting ads into DNS error pages
Tracking: Selling DNS query data to advertisers
Redirection: Redirecting failed queries to search pages with ads
Analytics: Building user profiles from browsing patterns These practices, while often disclosed in terms of service, raised concerns about user privacy and consent. DoH removes ISPs’ visibility into DNS queries, eliminating these monetization opportunities and sparking significant opposition from ISPs.

Censorship and Manipulation

Governments and network operators worldwide use DNS filtering for censorship, blocking access to websites by preventing DNS resolution. While some filtering serves legitimate purposes (blocking malware, child exploitation), it’s also used to suppress political dissent and control information access. DNS manipulation attacks (DNS spoofing, cache poisoning) can redirect users to malicious sites or block access to legitimate resources. These attacks exploit DNS’s lack of authentication and encryption. DoH makes DNS filtering and manipulation significantly more difficult, shifting control from network operators to DNS resolver operators and application developers.

Browser Vendor Initiatives

Major browser vendors—particularly Mozilla and Google—championed DoH as part of broader privacy initiatives. Mozilla enabled DoH by default in Firefox (2020), while Chrome added DoH support with user control. These decisions brought DoH to hundreds of millions of users, accelerating adoption despite opposition from ISPs and network administrators. Browser vendors argued that users deserve privacy by default and shouldn’t need technical expertise to protect their DNS queries. Critics countered that browsers were overstepping their role and undermining network management.

Benefits: The Case for DoH

DoH delivers tangible privacy and security benefits that justify its adoption despite the controversies it generates.

Enhanced Privacy

DoH’s primary benefit is preventing DNS query surveillance by network intermediaries. ISPs, public WiFi operators, and other network observers can no longer see which domains users are querying. This privacy extends to:

Home networks: Roommates and family members can’t monitor each other’s browsing
Public WiFi: Coffee shop operators can’t track customer browsing
Corporate networks: Employers have reduced visibility into employee browsing (controversial)
ISP monitoring: Service providers can’t build profiles from DNS data

💡Privacy Layers

Without DoH:

ISP sees: DNS queries (domains visited)
Website sees: Your IP address and browsing behavior With DoH:
ISP sees: Encrypted HTTPS traffic to DoH server, then encrypted traffic to destination
DoH provider sees: DNS queries (shifted trust)
Website sees: Your IP address and browsing behavior DoH doesn’t provide complete anonymity—it shifts trust from ISPs to DoH providers.

Protection Against Manipulation

Encrypting DNS queries prevents man-in-the-middle attacks that modify DNS responses. Attackers on public WiFi networks, compromised routers, or malicious ISPs can’t redirect users to phishing sites or block access to legitimate resources through DNS manipulation. DNSSEC (DNS Security Extensions) provides cryptographic authentication of DNS responses, but adoption has been slow and it doesn’t provide confidentiality. DoH complements DNSSEC by adding encryption, creating a more complete security solution.

Circumventing Censorship

For users in countries with internet censorship, DoH provides a tool to bypass DNS-based blocking. By using DoH servers outside the censoring country, users can access blocked websites without sophisticated circumvention tools like VPNs.

📝Censorship Resistance

Traditional DNS blocking:

Government controls local DNS resolvers
Blocks queries for banned domains
Users see “domain not found” errors With DoH:
Users configure browsers to use foreign DoH servers
DNS queries encrypted and sent to external servers
Blocking requires blocking all HTTPS (impractical) This capability makes DoH politically controversial in countries with strict internet controls.

Improved Security Posture

DoH reduces the attack surface for DNS-based threats:

DNS spoofing: Encrypted queries can’t be intercepted and modified
Cache poisoning: Harder to inject false DNS records
DNS tunneling detection: Encrypted traffic makes malicious DNS tunneling less detectable (double-edged sword)
Credential theft: Prevents attackers from redirecting login pages Organizations using DoH with trusted resolvers gain protection against DNS-based attacks that bypass traditional security controls.

Performance Optimizations

Modern DoH implementations leverage HTTP/2 and HTTP/3 features for performance:

Multiplexing: Multiple DNS queries over single connection
Connection reuse: Reduces latency from connection establishment
HTTP caching: Intermediate caches can store responses (with privacy considerations)
0-RTT: HTTP/3 enables zero round-trip time for repeat queries

Challenges and Controversies

DoH’s benefits come with significant challenges that have made it one of the most controversial internet protocols in recent years.

Network Management and Visibility

Network administrators rely on DNS visibility for legitimate purposes:

Security monitoring: Detecting malware communication, data exfiltration
Content filtering: Blocking malicious sites, enforcing acceptable use policies
Troubleshooting: Diagnosing network issues, identifying misconfigured systems
Compliance: Meeting regulatory requirements for content filtering DoH breaks these capabilities by encrypting DNS queries, forcing organizations to implement alternative monitoring approaches or block DoH entirely.

⚠️Enterprise Concerns

Lost capabilities with DoH:

DNS-based threat detection (malware domains, C2 servers)
Parental controls and content filtering
Network usage analytics
Compliance with data retention regulations
Troubleshooting DNS resolution issues Mitigation strategies:
Deploy internal DoH servers with logging
Use endpoint security agents for visibility
Implement TLS inspection (controversial)
Block external DoH servers (arms race)

Centralization Concerns

Traditional DNS is highly distributed, with thousands of resolvers operated by ISPs, organizations, and public services. DoH adoption has concentrated DNS traffic among a few large providers:

Cloudflare (1.1.1.1): One of the most popular DoH providers
Google (8.8.8.8): Massive DoH user base
Quad9: Privacy-focused alternative
Browser defaults: Mozilla partnered with Cloudflare, concentrating traffic This centralization raises concerns:
Single points of failure: Outages affect millions of users
Surveillance risk: Concentrated data creates attractive surveillance targets
Market power: Few providers control critical infrastructure
Geopolitical implications: DNS traffic flows through specific jurisdictions

📝🏛️ Centralization vs. Privacy Trade-off

Distributed DNS (traditional):

Many small operators (ISPs, local resolvers)
Queries visible to local network operators
Resilient to single-provider failures
Easier to regulate locally Centralized DoH:
Few large providers
Queries hidden from local networks but visible to DoH providers
Vulnerable to provider outages
Harder to regulate (cross-border) Neither model is clearly superior—each involves different trust assumptions.

Split-Horizon DNS and Internal Networks

Many organizations use split-horizon DNS, where internal domain names resolve differently on the corporate network than on the public internet. Internal resources like “intranet.company.local” only resolve on the company network. DoH breaks split-horizon DNS when clients use external DoH servers. Internal domain queries go to public resolvers that can’t resolve them, breaking access to internal resources. Organizations must either:

Block external DoH: Prevents employees from using public DoH servers
Deploy internal DoH: Requires infrastructure investment and configuration
Use discovery mechanisms: Implement DoH server discovery protocols (still maturing)

Performance Overhead

While DoH can leverage HTTP optimizations, it also introduces overhead:

Connection establishment: HTTPS handshake adds latency for first query
Encryption overhead: CPU cost for encrypting/decrypting queries
HTTP framing: Additional bytes compared to raw DNS
Connection management: Maintaining persistent connections For high-volume DNS users, this overhead can be measurable. However, connection reuse and HTTP/2 multiplexing mitigate much of the impact.

Legal and Regulatory Challenges

DoH complicates legal frameworks around lawful intercept, content filtering, and data retention:

Lawful intercept: Law enforcement loses visibility into DNS queries
Content filtering mandates: Countries requiring ISP-level filtering can’t enforce it
Data retention: Regulations requiring DNS query logging become harder to enforce
Jurisdiction: DNS traffic flows to providers in different legal jurisdictions Some countries have considered or implemented restrictions on DoH to maintain regulatory control. The UK’s Internet Watch Foundation expressed concerns about DoH undermining child protection efforts.

Implementation Approaches

Organizations and users have several options for implementing DoH, each with different trade-offs.

Browser-Based DoH

Modern browsers include built-in DoH support, allowing users to enable encrypted DNS without system-level changes: Firefox:

DoH enabled by default in some regions
Uses Cloudflare or NextDNS by default
User can configure custom DoH servers
Respects enterprise policies to disable DoH Chrome/Edge:
DoH enabled if system DNS resolver supports it
Upgrades existing DNS to DoH when available
Respects system DNS configuration
Can be disabled via enterprise policies Safari:
Supports DoH via system-level configuration
No built-in DoH server defaults
Requires manual configuration or profiles

💡Browser DoH Configuration

Advantages:

Easy for users to enable
No system-level changes required
Per-browser control Disadvantages:
Only protects browser traffic
Other applications still use traditional DNS
May conflict with network policies

System-Level DoH

Operating systems increasingly support DoH at the system level, protecting all applications: Windows 11:

Native DoH support in DNS client
Configure via Settings or Registry
Supports fallback to traditional DNS macOS:
DoH support via configuration profiles
Requires manual setup or MDM deployment
System-wide protection Linux:
systemd-resolved supports DoH
Various third-party DoH clients available
Requires configuration Android/iOS:
Private DNS settings support DoH
VPN-based DoH apps available
Per-network configuration possible

Enterprise DoH Deployment

Organizations deploying DoH face unique requirements:

💻🏢 Enterprise DoH Strategy

Option 1: Internal DoH Servers

Deploy DoH servers within corporate network
Maintain DNS visibility and control
Support split-horizon DNS
Requires infrastructure investment Option 2: Managed DoH Services
Use enterprise DoH providers (Cisco Umbrella, Cloudflare for Teams)
Centralized management and logging
Maintains security visibility
Subscription costs Option 3: Hybrid Approach
Internal DoH for corporate devices
Allow external DoH for BYOD
Policy-based routing
Complex configuration

DoH Server Selection Criteria

Choosing a DoH provider involves evaluating several factors:

Criteria	Considerations
Privacy policy	Logging practices, data retention, third-party sharing
Performance	Latency, reliability, geographic distribution
Security	Malware blocking, threat intelligence integration
Filtering	Content filtering options (parental controls, malware)
Compliance	Data residency, regulatory compliance
Cost	Free vs. paid tiers, enterprise pricing
Transparency	Public audits, transparency reports

Real-World Adoption and Impact

DoH adoption has grown significantly since 2018, with measurable impacts on internet privacy and network management.

Adoption Statistics

Firefox: DoH enabled by default for US users (2020), expanding to other regions
Chrome: DoH support in 2020, automatic upgrade when available
Cloudflare: Handles billions of DoH queries daily
Google Public DNS: Significant DoH traffic growth
Enterprise: Mixed adoption, many organizations blocking external DoH

Case Studies

💻Mozilla's DoH Rollout

Approach:

Gradual rollout starting in US (2020)
Partnership with Cloudflare as default provider
Trusted Recursive Resolver (TRR) program for provider vetting
Enterprise policy overrides for corporate networks Results:
Millions of users protected by default
Significant pushback from ISPs and network operators
Forced development of enterprise DoH solutions
Raised awareness of DNS privacy issues

💻Cloudflare 1.1.1.1

Offering:

Free public DoH resolver
Privacy-focused (minimal logging)
High performance (global anycast network)
Malware blocking variant (1.1.1.2) Impact:
Became one of the largest DoH providers
Demonstrated viability of privacy-focused DNS
Raised concerns about centralization
Influenced other providers to offer DoH

Impact on Network Security

Security teams report mixed experiences with DoH: Positive impacts:

Reduced DNS-based attacks from external networks
Protection against ISP-level manipulation
Improved privacy for remote workers Negative impacts:
Loss of DNS-based threat detection
Difficulty enforcing content policies
Increased complexity in security monitoring
Need for alternative detection methods Organizations have adapted by implementing endpoint-based security, TLS inspection (controversial), and internal DoH servers with logging.

Future Directions

DoH continues to evolve, with several trends shaping its future development.

Discovery and Configuration

Current DoH deployment requires manual configuration or browser defaults. Emerging standards aim to improve this:

Discovery of Designated Resolvers (DDR): RFC 9462 enables automatic discovery of DoH servers
DHCP/RA options: Network-provided DoH server configuration
DNS SVCB records: Advertise DoH support via DNS itself
Encrypted ClientHello (ECH): Complements DoH by encrypting SNI These mechanisms enable seamless DoH adoption while respecting network policies.

Oblivious DoH (ODoH)

Oblivious DoH (RFC 9230) addresses DoH’s trust concentration problem by separating query visibility from IP address visibility:

sequenceDiagram participant Client participant Proxy participant Target as DoH Server Client->>Client: Encrypt query with Target's public key Client->>Proxy: Send encrypted query Note over Client,Proxy: Proxy sees Client IP but not query Proxy->>Target: Forward encrypted query Note over Proxy,Target: Target sees query but not Client IP Target->>Target: Decrypt and resolve query Target->>Proxy: Send encrypted response Proxy->>Client: Forward encrypted response Client->>Client: Decrypt response

📝ODoH Privacy Model

Traditional DoH:

DoH provider sees both your IP address and queries
Single point of trust Oblivious DoH:
Proxy sees your IP but not queries (encrypted)
Target sees queries but not your IP (from proxy)
Requires collusion to link IP and queries
Stronger privacy guarantees ODoH is still early in adoption but represents the next evolution in DNS privacy.

Integration with Zero Trust Architecture

DoH is increasingly integrated into Zero Trust security models:

Identity-aware DNS: DoH queries tied to user/device identity
Policy enforcement: DNS policies based on user context
Threat intelligence: Real-time threat feeds integrated with DoH
Conditional access: DNS resolution based on security posture This integration enables security without sacrificing privacy.

Regulatory Evolution

Governments and regulatory bodies are developing frameworks for encrypted DNS:

Lawful access: Mechanisms for law enforcement access to DoH logs
Content filtering: Requirements for DoH providers to implement filtering
Data localization: Requirements for DNS data to stay within borders
Transparency: Mandatory reporting of DoH provider practices These regulations will shape how DoH evolves and which providers operate in different jurisdictions.

Performance Optimizations

Ongoing work to reduce DoH overhead:

HTTP/3 adoption: QUIC-based transport reduces latency
0-RTT resumption: Eliminates handshake latency for repeat connections
Adaptive TTLs: Intelligent caching based on query patterns
Prefetching: Predictive DNS resolution for likely queries

Conclusion

DNS over HTTPS represents a fundamental shift in internet privacy, encrypting a protocol that has been visible for decades. By wrapping DNS queries in HTTPS, DoH prevents surveillance, manipulation, and censorship by network intermediaries. The benefits are clear: enhanced privacy, protection against attacks, and circumvention of DNS-based blocking. However, DoH’s adoption has been contentious, challenging established network management practices and raising concerns about centralization, enterprise security, and regulatory control. Network administrators lose visibility they’ve relied on for security monitoring and troubleshooting. DNS traffic concentrates among a few large providers, creating new risks. Organizations must adapt their security strategies to maintain protection without DNS visibility.

graph TB A["DoH Adoption"] B["Privacy Benefits"] C["Security Challenges"] D["Future Evolution"] A --> B A --> C A --> D B --> B1["ISP Surveillance Prevention"] B --> B2["Manipulation Protection"] B --> B3["Censorship Resistance"] B --> B4["Attack Surface Reduction"] C --> C1["Network Visibility Loss"] C --> C2["Centralization Risks"] C --> C3["Enterprise Management"] C --> C4["Regulatory Compliance"] D --> D1["Oblivious DoH"] D --> D2["Discovery Standards"] D --> D3["Zero Trust Integration"] D --> D4["Regulatory Frameworks"] style A fill:#e3f2fd,stroke:#1976d2,stroke-width:3px style B fill:#e8f5e9,stroke:#388e3c style C fill:#fff3e0,stroke:#f57c00 style D fill:#f3e5f5,stroke:#7b1fa2

The debate around DoH reflects broader tensions in internet governance: privacy versus control, centralization versus distribution, user autonomy versus network management. There’s no perfect solution—each approach involves trade-offs and different trust assumptions. For individuals, DoH offers meaningful privacy protection with minimal effort. Browser-based DoH or system-level configuration provides immediate benefits, particularly on untrusted networks. The shift of trust from ISPs to DoH providers is generally favorable, as DoH providers typically have stronger privacy commitments and face more public scrutiny. For organizations, DoH requires careful consideration. Blocking external DoH and deploying internal DoH servers maintains security visibility while providing encryption benefits. Managed DoH services offer a middle ground, providing encryption with enterprise features like logging and filtering. The key is adapting security strategies to work without relying solely on DNS visibility. Looking forward, DoH will continue evolving. Oblivious DoH addresses centralization concerns by separating query visibility from IP address visibility. Discovery mechanisms will enable seamless DoH adoption while respecting network policies. Integration with Zero Trust architectures will enable security without sacrificing privacy. Regulatory frameworks will emerge, shaping how DoH operates in different jurisdictions. The broader implication is clear: the internet is moving toward encryption by default. DNS was one of the last major protocols transmitted in plain text. DoH closes this gap, extending the privacy protections of HTTPS to the foundational layer of internet naming. This shift is irreversible—the privacy benefits are too significant, and the technology is too widely deployed to roll back. For those evaluating DoH, the question isn’t whether to adopt encrypted DNS, but how to do so in a way that balances privacy, security, and operational requirements. The technology is mature, widely supported, and increasingly default. Understanding its implications and implementing it thoughtfully will be essential for anyone managing networks or concerned about internet privacy. The future of DNS is encrypted. DoH is building that future, one query at a time.

Try It Yourself

Want to see DoH in action? Try our DNS over HTTPS Lookup Tool to perform encrypted DNS queries through Cloudflare, Google, or Quad9. Query multiple record types and see the privacy benefits firsthand.

References and Resources

RFC 8484: DNS Queries over HTTPS (DoH) - IETF RFC 8484
RFC 7858: Specification for DNS over Transport Layer Security (DoT) - IETF RFC 7858
RFC 9230: Oblivious DNS over HTTPS - IETF RFC 9230
RFC 9462: Discovery of Designated Resolvers (DDR) - IETF RFC 9462
Cloudflare 1.1.1.1: https://1.1.1.1/
Google Public DNS: https://developers.google.com/speed/public-dns
Quad9: https://www.quad9.net/
Mozilla Trusted Recursive Resolver Program: https://wiki.mozilla.org/Security/DOH-resolver-policy