DNS over HTTPS

Dec 1, 2022, 12:00 AM

What is DNS over HTTPS (DoH)?

DNS over HTTPS (DoH) is a security protocol designed to improve the privacy and integrity of DNS resolution by encrypting DNS queries using the HTTPS protocol.

"Encrypting DNS traffic closes one of the last unprotected windows into users' online activity." – Mozilla

How Does DoH Work?

The core idea behind DoH is simple: take a regular DNS query and send it over an HTTPS connection instead of the traditional plaintext DNS protocol on UDP/TCP port 53.
To do this, a device or application sends the DNS message in its standard binary wire format to a DoH server, either base64url-encoded in the URL of an HTTP GET request or as the raw body of an HTTP POST request.
The server then processes the request, performs the DNS resolution, and sends the result back over the same HTTPS connection.
Because this is all done within an encrypted channel, on-path observers cannot read or tamper with the query or the answer.
This is what differentiates DoH from DNS over TLS (DoT), which also encrypts DNS but uses a dedicated port (853), so it is easy to identify on the network rather than blending into normal HTTPS traffic on port 443.

Basic DoH flow:

  1. User types example.com in their browser.
  2. Browser checks if the domain is cached locally.
  3. If not, it creates a DNS query and sends it via HTTPS to a DoH resolver.
  4. The resolver responds with the corresponding IP address.
  5. The browser connects to the site as usual.

DoH servers are typically provided by public DNS providers, such as:

  • Cloudflare: https://cloudflare-dns.com/dns-query
  • Google DNS: https://dns.google/dns-query
  • NextDNS: https://dns.nextdns.io
  • Quad9: https://dns.quad9.net/dns-query

One of the strengths of DoH is application-level control.
For example, a browser can use DoH independently of the operating system's DNS settings.
This is important in environments where the OS might be using insecure or untrusted DNS configurations.
System-wide DoH configuration is also possible on modern operating systems.
This allows all apps to benefit from encrypted DNS traffic, not just browsers.

DoH supports both IPv4 and IPv6 queries, as well as standard record types like A, AAAA, MX, TXT, and others.
It also supports DNSSEC-validated results if the upstream resolver provides them.
The protocol's use of HTTPS also enables connection reuse, compression, and performance optimizations.
DoH clients can maintain a persistent HTTP/2 or HTTP/3 connection to reduce latency and packet overhead.
This makes DoH efficient enough for both desktop and mobile usage.

However, DoH can be blocked or rate-limited by network firewalls, especially in corporate or managed environments.
To work around this, some implementations use fallback strategies or alternate endpoints; note that a fallback to plaintext DNS gives up the privacy benefit for those queries.
DNS providers can also offer load balancing and filtering features in their DoH implementations.
For developers, using DoH requires building and parsing JSON or binary DNS messages inside web-compatible code.
Popular libraries like dns-over-https and dns.js, or even the browser's fetch API on its own, can be used to build DoH clients.

In summary, DoH works by wrapping DNS queries in secure HTTPS traffic.
It combines the structure of DNS with the transport security of the modern web.
This provides a reliable way to resolve domain names privately and securely.