DNS over HTTPS: Encrypt Your DNS Queries
Protect your browsing privacy with DNS over HTTPS (DoH).
Traditional DNS transmits queries in clear text on UDP port 53. This means your ISP, network administrator, or any attacker on the path can see which sites you're visiting, even if those sites use HTTPS. DNS over HTTPS (DoH) solves this by encapsulating DNS queries in encrypted HTTPS connections, making them indistinguishable from normal web traffic.
Since 2018, DoH has been deployed rapidly: Firefox, Chrome, Edge and Safari support it natively. Windows 11 and the latest iOS/Android versions integrate it at the system level. Major public resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9) all offer DoH endpoints.
DoH is not without controversy: it centralizes DNS toward a few big players, can complicate parental controls and enterprise security, and some see it as a threat to network sovereignty. Understanding its advantages and limitations will help you decide if it suits your use case.
How DoH Works
DNS over HTTPS encapsulates the DNS protocol in HTTPS:
- HTTPS transport: DNS queries are sent via HTTP/2 or HTTP/3 on port 443, encrypted by TLS. On the wire, a DoH query is indistinguishable from a normal web visit.
- Query format: Queries can be sent via GET (DNS wire format base64 encoded in URL) or POST (binary body). The server responds with standard DNS format.
- DoH resolvers: Specialized servers expose HTTPS endpoints (e.g., https://cloudflare-dns.com/dns-query). They receive the encrypted query, resolve DNS, and return the response.
- Certificate validation: Like any HTTPS connection, the client verifies the DoH server's certificate. This prevents man-in-the-middle attacks on DNS resolution itself.
DNS over HTTPS Advantages
DoH brings several significant benefits:
- Privacy: Your ISP can no longer see which domains you're resolving. Protects against mass surveillance and DNS-based profiling.
- Censorship circumvention: ISP or government DNS filters can't selectively block domains if you use an external DoH resolver. Traffic looks like normal HTTPS.
- Integrity: TLS protects against response modification in transit. Combined with DNSSEC, you have complete protection of authenticity and integrity.
- Performance: HTTP/2 allows query multiplexing on a single connection. After initial establishment, subsequent queries are faster than classic DNS.
Configure DoH on Your Devices
Here's how to enable DoH on your platform:
- Browsers (Firefox, Chrome, Edge): In network or security settings, enable "Secure DNS" or "DNS over HTTPS" and choose a provider (Cloudflare, Google, NextDNS, etc.).
- Windows 11: Settings > Network & Internet > [Your connection] > DNS. Select a known DoH-capable DNS server and Windows will enable DoH automatically.
- iOS / macOS: Install a DoH configuration profile (provided by Cloudflare, NextDNS, etc.) or use an app like Cloudflare's 1.1.1.1.
- Android: Settings > Network > Private DNS. Enter the DoT server hostname (Android prefers DoT but also supports DoH via apps).
DoH Queries in Practice
Here's how to test and use DoH manually:
# DoH query with curl (GET method)
$ curl -s -H "accept: application/dns-json" \
"https://cloudflare-dns.com/dns-query?name=example.com&type=A"
{
  "Status": 0,
  "Answer": [
    {"name": "example.com", "type": 1, "TTL": 3600, "data": "93.184.216.34"}
  ]
}
# DoH query with curl (POST method, wire format)
$ echo -n "q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE=" | base64 -d | \
curl -s -H "content-type: application/dns-message" \
--data-binary @- https://cloudflare-dns.com/dns-query | xxd
# Popular DoH endpoints
# Cloudflare: https://cloudflare-dns.com/dns-query
# Google: https://dns.google/dns-query
# Quad9: https://dns.quad9.net/dns-query
# NextDNS: https://dns.nextdns.io/dns-query
# Test if DoH is working via Firefox
about:networking#dns
# Shows "TRR" (Trusted Recursive Resolver) if DoH active
# Verify DoH is working
# https://1.1.1.1/help (Cloudflare)
# https://dnsleaktest.com/
DoH queries are simple HTTPS requests with a specific content-type. The JSON format (dns-json) is more readable for debugging; the wire format (dns-message) is more compact and is what real clients use.
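The GET and POST encodings described under How DoH Works, and the wire format contrasted with dns-json above, as an added Python example (not code from the article): it builds the example.com query byte for byte as in the curl POST command, forms the RFC 8484 GET URL (dns= parameter, unpadded base64url), and parses a constructed wire-format response, reporting the AD flag that tells you whether the resolver DNSSEC-validated the answer. The endpoint and the 93.184.216.34 answer come from the article; the sample response bytes are constructed here.

```python
import base64
import ipaddress
import struct
from urllib.parse import urlencode

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # endpoint named in the article

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format query: 12-byte header (RD set, one question) + QNAME + QTYPE + QCLASS IN.
    RFC 8484 recommends txid 0 so identical queries are byte-identical and HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: the query travels in the dns= parameter as unpadded base64url (RFC 8484 4.1).
    The POST form sends the same bytes as the body with content-type application/dns-message."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?{urlencode({'dns': dns})}"

def parse_response(msg: bytes) -> dict:
    """Decode header flags and A/AAAA answers of a wire-format response. 'ad' is the
    Authenticated Data flag, set only when the resolver DNSSEC-validated the answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    def skip_name(pos: int) -> int:
        while msg[pos] != 0:
            if msg[pos] & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
                return pos + 2
            pos += 1 + msg[pos]
        return pos + 1
    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata = msg[pos + 10:pos + 10 + rdlen]
        pos += 10 + rdlen
        if rtype in (1, 28):  # A / AAAA; CNAME, RRSIG and other types are skipped here
            answers.append((ttl, str(ipaddress.ip_address(rdata))))
    return {"rcode": flags & 0x0F, "ad": bool(flags & 0x0020), "answers": answers}

# Constructed offline sample: the article's example.com answer (93.184.216.34, TTL 3600),
# flags QR|RD|RA|AD = 0x81A0, answer owner given as a pointer to the question name (0xC00C).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0xABCD, 0x81A0, 1, 1, 0, 0) + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34]))
```

Feeding `build_query("example.com", 1, 0xABCD)` through standard base64 reproduces the `q80B...` string used in the curl POST example above; `parse_response` applied to a real resolver's reply shows `ad: False` when that resolver does not validate DNSSEC.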
DoH Best Practices
Use DoH effectively while understanding its limits:
- Resolver choice: Choose a trusted resolver with clear privacy policy. Cloudflare and Quad9 commit to not logging IPs. Avoid centralizing on a single player.
- DoH + DNSSEC: DoH protects transport, DNSSEC protects content. Use both for complete security. Verify your DoH resolver validates DNSSEC.
- Enterprise caution: DoH can bypass your security DNS filters. Consider an internal DoH resolver or group policies to control browser settings.
- DNS leak test: After configuration, use dnsleaktest.com to verify all your queries go through your chosen DoH resolver.
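For the enterprise point above (DoH bypassing your DNS filters), an added Python example, not from the article, that flags DoH traffic in proxy logs: it matches the public resolver hostnames listed on this page, the RFC 8484 `application/dns-message` content-type and the `/dns-query` path, while excluding your own internal DoH resolver. The log format and all hosts other than the four article endpoints are constructed; with TLS pass-through rather than an inspecting proxy, only the hostname (SNI) test applies.

```python
import re

# DoH endpoints listed in the article; in production this list comes from your policy source.
KNOWN_DOH_HOSTS = frozenset({"cloudflare-dns.com", "dns.google", "dns.quad9.net", "dns.nextdns.io"})

# Constructed proxy log lines (not real traffic): client, method, host, path, request content-type.
SAMPLE_LOG = """\
10.0.0.12 GET cloudflare-dns.com /dns-query?dns=AAABAAAB -
10.0.0.12 POST dns.google /dns-query application/dns-message
10.0.0.33 GET www.example.com /index.html -
10.0.0.40 POST doh.internal.example.net /dns-query application/dns-message
10.0.0.51 POST cdn.example.org /api/resolve application/dns-message
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+) (\S+)$")

def classify(line: str, allowed_hosts=frozenset()):
    """Return (client, host, reason) if the request looks like DoH, else None.
    Checks, in order: known public resolver hostname (the only check that works on SNI alone),
    the dns-message content-type on any host, and a /dns-query path. Hosts in allowed_hosts
    (your sanctioned internal DoH resolver) are never reported."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, _method, host, path, ctype = m.groups()
    if host in allowed_hosts:
        return None
    if host in KNOWN_DOH_HOSTS:
        return (client, host, "known public DoH resolver")
    if ctype == "application/dns-message":
        return (client, host, "dns-message content-type")
    if path.split("?", 1)[0] == "/dns-query":
        return (client, host, "dns-query path")
    return None

def find_doh_bypass(log: str, allowed_hosts=frozenset()) -> list:
    """All findings for a multi-line log, in log order."""
    return [f for f in (classify(l, allowed_hosts) for l in log.splitlines()) if f]
```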
DoH Activation Checklist
- Trusted DoH resolver selected
- DoH enabled at browser or system level
- Operation verified (provider test page)
- DNS leak test performed
- DNSSEC validation enabled on resolver
- Policy compatible with needs (parental control, enterprise)
FAQ - DNS over HTTPS
What's the difference between DoH and DoT?
DoH uses HTTPS on port 443, indistinguishable from web traffic. DoT (DNS over TLS) uses dedicated port 853. DoH is harder to block but easier to configure in browsers.
Can my ISP block DoH?
With difficulty, since DoH looks like normal web traffic. They'd need to block specific IPs or SNI. Some DoH resolvers offer residential IPs to bypass these blocks.
Does DoH slow down browsing?
Initial TLS establishment adds latency, but HTTP/2 and connection reuse compensate. In practice, DoH is often as fast or faster than classic DNS, especially with Anycast resolvers.
Does DoH protect against tracking?
DoH protects against DNS-based tracking (ISP, local network). But sites can still track you via cookies, fingerprinting, etc. It's only one layer of protection.
Can I host my own DoH server?
Yes, software like cloudflared (Cloudflare's DoH proxy), dnsdist, or unbound let you create your own DoH endpoint pointing to your resolver of choice.
Does MoniTao use DoH?
MoniTao monitors your DNS records using standard DNS queries to authoritative servers. Monitoring doesn't go through DoH since we query your NS directly.
Protect Your DNS Privacy
DNS over HTTPS is a major advancement for Internet privacy. In a few clicks, you can prevent your ISP and networks you traverse from seeing which sites you're visiting.
Enable DoH on your devices, choose a trusted resolver, and combine with DNSSEC for complete protection. Monitoring your DNS records remains important - MoniTao watches over your DNS infrastructure independently of DoH.