What is DNS-over-HTTPS

DNS-over-HTTPS (DoH) encrypts DNS queries inside HTTPS so that your ISP and other on-path observers cannot read which domains you are looking up. It turns DNS from a plaintext protocol into an encrypted one. Note what it does not do: the DoH resolver you choose still sees every query, so DoH moves trust from the network path to the resolver operator rather than removing it.

What is the problem with regular DNS?

Traditional DNS sends queries and responses in plaintext, normally as UDP datagrams on port 53 (falling back to TCP on port 53 for large messages). Anyone on the network path can read them, and an on-path attacker can forge responses: your ISP, a coffee shop WiFi operator, or a government surveillance system. Even when the web traffic itself is protected by TLS, the DNS lookup that happens before the connection reveals which domain you are visiting (as, in most deployments today, does the plaintext Server Name Indication in the TLS handshake).

How does DoH work?

Instead of sending a DNS query as a plaintext UDP packet, DoH wraps it in an HTTPS request to a DoH resolver (like https://cloudflare-dns.com/dns-query or https://dns.google/dns-query). The query and response are protected by TLS and travel on port 443, so to a passive observer the exchange looks like any other HTTPS connection. The observer still sees the resolver's IP address and, unless Encrypted Client Hello is in use, its hostname in the TLS SNI, so a connection to a well-known public DoH resolver can usually be recognised as DoH even though its contents cannot be read.

The DNS message format itself doesn't change: it is the same binary wire format defined in RFC 1035. RFC 8484 specifies how that message is carried over HTTPS, either as the body of an HTTP POST with the MIME type application/dns-message, or base64url-encoded (without padding) in the dns= query parameter of an HTTP GET. DoH simply uses HTTPS as the transport instead of raw UDP.
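The following Python is an added example written for this article, not code from any DoH client or resolver. It builds an RFC 1035 wire-format query for www.example.com, shows both RFC 8484 request forms (GET with the base64url dns= parameter, and POST with application/dns-message), and parses a constructed response the way a client would. The resolver URL is Google's public endpoint, but nothing is sent over the network; the A record in the sample response is made up for the example. With transaction ID 0, which RFC 8484 recommends for GET so that HTTP caches can hit, the encoded query is byte-for-byte the dns= value shown in the RFC's own GET example.

```python
"""DoH request construction and response parsing, offline (added example)."""
import base64
import struct

DOH_URL = "https://dns.google/dns-query"  # public endpoint; no traffic is sent here


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a standard recursive query (RFC 1035 section 4.1).

    RFC 8484 recommends ID 0 for GET requests so that identical queries
    produce identical URLs, which lets HTTP caches serve repeated lookups.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                                            # root label
    return header + qname + struct.pack("!HH", qtype, 1)        # QCLASS IN


def doh_get_url(message: bytes, url: str = DOH_URL) -> str:
    """GET form: base64url of the raw message with '=' padding stripped."""
    dns = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{url}?dns={dns}"


def doh_post_request(message: bytes, url: str = DOH_URL) -> dict:
    """POST form: the raw DNS message is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": url,
        "headers": {"Content-Type": "application/dns-message",
                    "Accept": "application/dns-message"},
        "body": message,
    }


def parse_a_records(response: bytes) -> list:
    """Walk a DNS response message and return the IPv4 addresses in its A answers.

    The message is identical to what a UDP client would receive; only the
    transport differs. Handles the RFC 1035 name-compression pointer (0xC0..).
    """
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    off = 12

    def skip_name(o: int) -> int:
        while True:
            length = response[o]
            if length == 0:
                return o + 1
            if length & 0xC0 == 0xC0:      # two-byte compression pointer
                return o + 2
            o += 1 + length

    for _ in range(qd):                    # question: NAME, QTYPE, QCLASS
        off = skip_name(off) + 4
    addrs = []
    for _ in range(an):                    # answer: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:      # A record
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed sample response (not captured from a real resolver): ID 0,
# flags 0x8180 (QR=1, RD=1, RA=1), the question echoed back, one A answer
# whose name is a pointer to offset 12 and whose address is invented.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("www.example.com")[12:]       # echoed question section
    + b"\xc0\x0c"                               # NAME: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)        # A, IN, TTL 300, RDLENGTH 4
    + bytes([93, 184, 216, 34])                 # constructed IPv4 address
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))
    print(doh_post_request(q)["headers"])
    print(parse_a_records(SAMPLE_RESPONSE))
```

Sending the GET URL (with an Accept: application/dns-message header) or the POST request over an ordinary HTTPS client is all a DoH lookup takes; the response body is fed to the same parser a plaintext DNS client would use.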

Who supports it?

DoH is built into all major browsers:

  • Chrome — enabled by default ("Secure DNS"); it upgrades to DoH automatically when the resolver configured on the operating system is one of a known list of providers with a DoH endpoint, and can be pointed at a custom resolver.
  • Firefox — enabled by default in the US, using Cloudflare as the default resolver.
  • Safari — has no setting of its own; it uses whatever encrypted DNS is configured at the system level on macOS and iOS.

Operating systems also support encrypted DNS system-wide: Windows 11 can be configured with a DoH resolver directly, macOS and iOS accept DoH settings through configuration profiles, and Android's built-in Private DNS setting uses DoT, with DoH support added in later releases.

What about DNS-over-TLS?

DNS-over-TLS (DoT) is an alternative that encrypts DNS using TLS directly on port 853. Both give the same confidentiality once the connection is established; the tradeoff is how easily an operator can tell the traffic apart. DoT runs on a dedicated port that a firewall can block with a single rule, while DoH shares port 443 with all other HTTPS traffic and so is much harder to single out. It is not invisible, though: connections to a known public resolver's IP address, or to a DoH hostname exposed in the TLS SNI, can still be identified and filtered.

Why it matters

DoH closes one of the most significant privacy gaps in internet communication. Without it, your browsing history is visible to anyone who can observe your DNS traffic, even when every other part of your connection is encrypted. Two caveats apply: the resolver operator now sees every query, so choosing a resolver is a trust decision, and the domain still leaks through the TLS SNI unless Encrypted Client Hello is also in use. Combined with Encrypted Client Hello, DoH makes passive surveillance of web browsing significantly harder. The same property cuts the other way for defenders: DoH bypasses DNS-based filtering and logging on a managed network and can carry attacker traffic, so enterprises that depend on DNS visibility typically block public DoH resolvers or steer clients to a DoH resolver they control (Firefox, for example, falls back to the network's DNS when that resolver returns NXDOMAIN for the canary domain use-application-dns.net).