What Is DNS over HTTPS (DoH)? | NOC.org

Understanding DNS over HTTPS

DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by sending them inside standard HTTPS connections on port 443. Traditional DNS queries travel in plaintext over UDP port 53, meaning anyone on the network path — ISPs, Wi-Fi operators, or attackers — can see which domains you are looking up. DoH eliminates this visibility by wrapping DNS traffic in the same encryption used for regular web browsing.

The protocol was standardized in RFC 8484 (2018) and has since been adopted by major browsers and operating systems. It represents one of two main approaches to encrypted DNS, the other being DNS over TLS (DoT).

How DoH Works

DoH uses the standard HTTPS protocol to transport DNS queries and responses. The process works as follows:

  • The client establishes a TLS-encrypted HTTPS connection to a DoH resolver (e.g., https://dns.example.com/dns-query).
  • DNS queries are encoded in a binary DNS wire format and sent as HTTP POST requests (or GET requests with base64url-encoded queries).
  • The resolver processes the query, performs the recursive lookup against authoritative DNS servers, and returns the answer as an HTTP response.
  • The entire exchange between the client and the resolver is encrypted with TLS, the same protection your browser applies to ordinary web traffic.

Because DoH uses port 443 — the same port as all HTTPS traffic — it is virtually indistinguishable from normal web browsing at the network level. This is both its greatest strength and its most controversial characteristic.

Privacy and Security Benefits

The primary benefit of DoH is privacy. With plaintext DNS, your query history is exposed to every network hop between your device and the resolver. This exposure has been exploited for surveillance and advertising profiling, and it enables man-in-the-middle attacks in which responses are modified to redirect users to malicious sites.

DoH prevents these attacks by ensuring that DNS queries and responses cannot be read or tampered with in transit. It also protects against DNS hijacking, where an attacker on a local network intercepts queries and returns forged responses to redirect users to phishing sites or inject malware.

DoH vs. DoT vs. Plaintext DNS

All three protocols accomplish the same goal — resolving domain names to IP addresses — but they differ in how they handle security:

  • Plaintext DNS (port 53): No encryption. Queries and responses are visible to any observer on the network. Still the most widely used protocol by default.
  • DNS over TLS (port 853): Encrypts DNS traffic using TLS on a dedicated port. Provides strong privacy but is easily identified and can be blocked by network administrators since it uses a distinct port.
  • DNS over HTTPS (port 443): Encrypts DNS traffic inside HTTPS. Harder to block because it blends in with regular web traffic, but also harder for network administrators to monitor or filter.

From a pure encryption standpoint, DoH and DoT offer equivalent security. The key difference is operational: DoT is easier to manage in enterprise environments because it can be specifically allowed or blocked, while DoH's use of port 443 makes it more resistant to network-level filtering.

Browser and OS Support

DoH has broad support across modern platforms. Firefox was the first major browser to enable DoH by default (using Cloudflare's resolver). Chrome, Edge, and Safari all support DoH as well, typically upgrading to an encrypted resolver if the user's configured DNS provider offers one. At the operating system level, Windows 11, macOS, iOS, and Android all provide native DoH support in their network settings.

Enterprise Considerations

For organizations that rely on DNS-based security controls — content filtering, threat blocking, or internal domain resolution — DoH can create challenges. When applications bypass the system's configured DNS resolver and use their own DoH endpoint, enterprise DNS policies may be circumvented entirely.

To address this, many organizations deploy their own internal DoH resolvers and configure endpoints to use them exclusively. Others use network policies to block known public DoH endpoints. The best approach depends on your security architecture, but the key is to ensure that encrypted DNS enhances your security posture through a managed DNS infrastructure rather than undermining it.