What is DoH?
Also known as: DNS over HTTPS
DNS over HTTPS (DoH) encrypts DNS queries and responses inside HTTPS traffic, preventing on-path observers from seeing or tampering with DNS lookups.
DNS over HTTPS (DoH) is a protocol for performing DNS resolution over HTTPS, defined in RFC 8484. Instead of sending plaintext DNS packets over UDP or TCP on port 53, DoH carries each DNS query and response inside an HTTP/2 (or HTTP/3) request to a designated HTTPS endpoint, typically on port 443. To network intermediaries the exchange looks like ordinary web traffic to that endpoint; only the destination resolver itself remains visible.
When a client uses DoH, it sends a POST or GET request to a DoH-compatible resolver. The resolver returns the DNS response in the HTTPS reply, with the DNS message encoded in the HTTP body. Because the transport layer is TLS, the entire exchange is encrypted and authenticated. The client must trust the resolver's TLS certificate, and the resolver must support the application/dns-message media type. DoH can be configured per application or system-wide, and some operating systems now include native DoH support.
DoH changes only the transport: the DNS message format is unchanged, but HTTPS replaces the traditional UDP or TCP transport on port 53. It is one of several encrypted DNS transports, alongside DNS over TLS (DoT) and DNS over QUIC (DoQ). Unlike DoT, which uses a dedicated port (853) and is easily blocked by firewalls, DoH blends into standard web traffic, making it harder to censor but also complicating network management and parental controls. Encryption protects the path, not the endpoint: the DoH resolver still sees every query in the clear, so choosing a resolver is a trust decision. DoH is widely deployed by public resolvers such as Cloudflare 1.1.1.1, Google Public DNS, and Quad9.
Key facts
- Defined in RFC 8484 (November 2018) by the IETF DPRIVE working group.
- Uses HTTPS port 443, not DNS port 53, to avoid plaintext inspection.
- Encodes DNS messages using the application/dns-message HTTP media type.
- Supports both GET and POST methods; GET uses base64url encoding in the query string.
- Adopted by major browsers including Firefox and Chrome for privacy protection.
How it works in practice
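The GET and POST request forms described above, as an added example (not code from the original page): it builds the wire-format DNS query, encodes it the way RFC 8484 specifies, and parses a constructed response, all offline. The resolver URL is a placeholder; for www.example.com the GET encoding should match the example value given in RFC 8484.

```python
import base64
import struct

DNS_MESSAGE = "application/dns-message"   # media type required by RFC 8484
RESOLVER_URL = "https://dns.example/dns-query"  # hypothetical resolver endpoint

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query; ID 0 as RFC 8484 recommends, for HTTP cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def get_url(query: bytes, resolver_url: str = RESOLVER_URL) -> str:
    """GET form: message base64url-encoded, padding stripped, in the 'dns' parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns}"

def post_request(query: bytes, resolver_url: str = RESOLVER_URL) -> dict:
    """POST form: raw wire-format message as the body; both media-type headers set."""
    return {"method": "POST", "url": resolver_url, "body": query,
            "headers": {"content-type": DNS_MESSAGE, "accept": DNS_MESSAGE}}

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer
            return pos + 2
        pos += 1 + length

def parse_a_answers(msg: bytes) -> list:
    """Return IPv4 strings from the answer section of a wire-format response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"DNS error, RCODE={flags & 0xF}")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4      # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return answers
```

The response parsed here is a constructed 93.184.216.34 answer with a compression pointer, not a live lookup; an RCODE other than NOERROR is surfaced as an exception rather than silently returning an empty list.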
More in DNS
A Record
A DNS resource record that maps a hostname to a 32-bit IPv4 address. It is the most fundamental record type for translating domain names to numeric addresses on the Internet.
AAAA Record
A DNS resource record that maps a hostname to a 128-bit IPv6 address, analogous to the A record for IPv4.
Authoritative DNS
An authoritative DNS server holds the definitive resource records for a specific domain and responds to queries with the final answer for that zone, not a cached copy.
CAA Record
A CAA (Certification Authority Authorization) DNS record lets domain owners specify which certificate authorities are permitted to issue SSL/TLS certificates for their domain.
CNAME Record
A DNS record that maps an alias hostname to the true or canonical hostname, allowing multiple names to resolve to the same IP address without duplicating A or AAAA records.
DNS
The Domain Name System (DNS) is a hierarchical, distributed naming system that translates human-readable domain names (like example.com) into IP addresses and other resource records used by internet protocols.
DNS Anycast
DNS Anycast uses one IP address served from multiple geographically distributed nameservers; queries are routed to the nearest or healthiest node, improving resilience and reducing latency.
DNS Caching
DNS caching stores resolved domain name query results for the specified TTL duration to avoid repeated queries to upstream authoritative servers.
DNS Hijacking
DNS hijacking is an attack or misconfiguration that returns forged DNS responses, causing users to connect to attacker-controlled hosts instead of the intended server.
DNSSEC
DNSSEC (DNS Security Extensions) adds cryptographic digital signatures to DNS records, enabling resolvers to verify that responses have not been tampered with or spoofed.