DNS over HTTPS (DoH)

According to Google’s own September 2019 transparency report, 94 percent of all HTTP connections are encrypted. DNS queries, however, still travel over the Ether in clear text, as if nothing had changed in the last 30 years. The implications for privacy and data security are undeniable.

In today’s world, the internet has become an essential part of our lives, and we rely on it for everything from work to entertainment. However, this reliance on the internet has also made it vulnerable to various threats such as cyber attacks, phishing, and data breaches. One of the ways to protect ourselves from these threats is by using DNS over HTTPS.

DNS (Domain Name System) is responsible for translating domain names into IP addresses, allowing us to access websites by typing their names into our browsers. DNS over HTTPS, on the other hand, is a security protocol that encrypts DNS requests, preventing eavesdropping, tampering, and other security risks associated with plain text DNS.

In this blog post, we will dive into the concept of DNS over HTTPS, its benefits, and potential drawbacks, how it works, and how to enable it on your devices. So, if you’re curious to learn more about this topic, keep reading!

What is DNS?

DNS stands for Domain Name System, which is a system used to translate human-readable domain names (like google.com) into IP addresses that computers can understand.

Every device that connects to the internet has an IP address, which is a unique numerical identifier. However, it’s much easier for us humans to remember a domain name like google.com than it is to remember its IP address. That’s where DNS comes in – it acts as a kind of phone book that translates domain names into IP addresses.

When you type a domain name into your browser, your computer sends a DNS request to a DNS server. The DNS server then looks up the IP address associated with that domain name and sends it back to your computer. Your computer can then use that IP address to connect to the website you want to visit.

DNS is a critical component of the internet infrastructure, and without it, we would have to memorize a lot of IP addresses to access the websites we want to visit!

What is HTTPS?

HTTPS stands for Hypertext Transfer Protocol Secure, which is a protocol for secure communication over the internet.

When you visit a website using HTTPS, the communication between your browser and the website is encrypted, which helps to protect your privacy and prevent eavesdropping, tampering, and other security risks associated with plain text communication.

HTTPS works by using a security certificate (also known as an SSL/TLS certificate) that is issued by a trusted third-party certificate authority. This certificate is used to verify the identity of the website you’re visiting and to establish an encrypted connection between your browser and the website’s server.

Most modern web browsers display a padlock icon in the address bar to indicate that you are visiting a website that uses HTTPS. You can also check the URL of the website, which should start with “https://” instead of “http://”.

HTTPS is an important security feature that helps to protect your online activity from prying eyes and keep your personal information safe.

What is DNS over HTTPS?

DNS over HTTPS (DoH) is a security protocol that encrypts DNS requests and responses using HTTPS.

Traditionally, DNS requests are sent in plain text, which means that anyone who can intercept the request (such as an internet service provider or a hacker) can see which websites you are accessing. This can be a privacy risk, as it allows third parties to track your online activity.

Additionally, DNS requests can be tampered with, leading to potentially harmful results such as redirecting you to a fake website.

DNS over HTTPS encrypts these requests and responses, adding an extra layer of security and privacy to your online activity. This encryption prevents third parties from seeing the content of your DNS requests, making it more difficult for them to track your online activity. It also helps to prevent DNS spoofing attacks, where attackers impersonate DNS servers to redirect users to malicious websites.

By using DNS over HTTPS, you can help to protect your online privacy and security, and ensure that your DNS requests are not intercepted or tampered with.

Importance of DNS resolution

DNS resolution is an essential part of how the internet works, as it allows us to access websites and other resources using human-readable domain names instead of numerical IP addresses.

Without DNS resolution, we would have to memorize the IP addresses of all the websites we want to visit, which would be impractical and inconvenient. Additionally, IP addresses can change over time, so it would be difficult to keep track of all the changes.

DNS resolution works by using a hierarchical system of DNS servers that help to translate domain names into IP addresses. When you enter a domain name into your browser, your computer sends a DNS request to a DNS server. If that server doesn’t have the IP address for the domain name, it forwards the request to another DNS server higher up in the hierarchy. This process continues until a DNS server is found that has the IP address for the domain name, which is then sent back to your computer.

The importance of DNS resolution goes beyond just convenience – it also helps to improve the speed and reliability of internet connections. DNS servers can cache IP addresses for frequently accessed websites, which means that subsequent requests can be fulfilled more quickly. Additionally, by using multiple DNS servers, the system is more resilient to failures and can continue to function even if one or more servers go offline.

DNS resolution is a critical component of how the internet works, and without it, accessing websites and other online resources would be much more difficult and inconvenient.

Traditional DNS resolution

Traditional DNS resolution works by using the DNS protocol to translate human-readable domain names into IP addresses.

When you type a domain name into your browser, your computer sends a DNS request to a DNS server (often provided by your internet service provider). The DNS server checks its cache to see if it already has the IP address for the domain name. If it doesn’t, it sends a request to a root DNS server, which responds with the IP address of the DNS server responsible for the top-level domain of the domain name (e.g., .com, .org, etc.).

The DNS server then sends a request to the appropriate top-level domain server, which responds with the IP address of the DNS server responsible for the second-level domain (e.g., google.com). The process continues recursively until the IP address for the domain name is found, and it is sent back to the requesting computer.

This process of recursive DNS resolution can take a few seconds, which can slow down the process of accessing websites. Additionally, because DNS requests are sent in plain text, they can be intercepted and potentially manipulated by third parties. This can lead to security risks, such as DNS spoofing attacks.

While traditional DNS resolution is a fundamental part of how the internet works, it has some limitations when it comes to speed and security. This is where newer technologies like DNS over HTTPS come in, which offer improved security and privacy for DNS resolution.

How traditional DNS resolution works

When you enter a domain name into your browser, your computer sends a DNS request to a DNS server (often provided by your internet service provider). This request contains the domain name that you entered, and the DNS server tries to find the corresponding IP address for that domain name.

The DNS server checks its own cache to see if it already has the IP address for the domain name. If it doesn’t, it sends a request to a root DNS server, which responds with the IP address of the DNS server responsible for the top-level domain of the domain name (e.g., .com, .org, etc.).

The DNS server then sends a request to the appropriate top-level domain server, which responds with the IP address of the DNS server responsible for the second-level domain (e.g., google.com). The process continues recursively until the IP address for the domain name is found, and it is sent back to the requesting computer.

Once your computer has received the IP address for the domain name, it can use that IP address to establish a connection to the website or resource that you are trying to access.

Traditional DNS resolution involves a complex system of DNS servers and protocols that work together to translate domain names into IP addresses. While this process can be relatively fast, it can also be slowed down by factors such as network congestion and the need for recursive requests. Additionally, because DNS requests are sent in plain text, they can be intercepted and potentially manipulated by third parties.

Security vulnerabilities in traditional DNS resolution

Traditional DNS resolution has some security vulnerabilities that can be exploited by attackers.

One vulnerability is DNS spoofing, also known as DNS cache poisoning. This occurs when an attacker intercepts a DNS request and sends a response that contains a fake IP address.

The DNS server caches the fake IP address and sends it back to the requesting computer, which then uses that IP address to connect to the website or resource. This can allow the attacker to redirect the user to a malicious website or intercept their communication with a legitimate website.

Another vulnerability is DNS hijacking, which occurs when an attacker gains control of a DNS server and redirects traffic to a fake website. This can happen when the DNS server a user relies on is vulnerable, or if the attacker gains access to the user’s router or network.

DNS tunneling is another technique that attackers can use to bypass security measures. This involves encapsulating data within DNS queries or responses, allowing the attacker to exfiltrate sensitive data or send commands to a compromised system.

The vulnerabilities in traditional DNS resolution can be exploited to perform various attacks that can compromise the security and privacy of users. This is why newer technologies like DNS over HTTPS have been developed to provide better security and privacy for DNS resolution.

DNS over HTTPS

How DNS over HTTPS works

DNS over HTTPS (DoH) is a newer technology that provides improved security and privacy for DNS resolution. Here’s how it works:

When you enter a domain name into your browser, instead of sending a plain-text DNS request, your computer sends an encrypted HTTPS request to a DoH server. The DoH server then sends a DNS request to a DNS resolver, which performs the traditional DNS resolution process to find the IP address for the domain name.

Once the IP address is found, the DoH server encrypts the response and sends it back to your computer over HTTPS. This process ensures that the DNS request and response are secure and private, as they are encrypted all the way between your device and the DoH server.
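As an added example (not code from the post), here are the pieces a DoH client needs: the wire-format DNS query, its RFC 8484 GET encoding (the www.example.com query encodes to the same string the RFC itself shows), and a parser for the answer that comes back inside the HTTPS response. Cloudflare’s public https://cloudflare-dns.com/dns-query endpoint is assumed for the live call; the sample response is constructed so the file runs offline.

```python
"""RFC 8484 DNS-over-HTTPS client pieces (added example, not from the post).
Builds a wire-format DNS query, wraps it the way a DoH client does (POST body
or base64url "dns=" GET parameter) and parses the A records out of a DoH
response.  The response bytes below are constructed so the file runs offline."""
import base64
import struct
import urllib.request
from typing import List

DOH_URL = "https://cloudflare-dns.com/dns-query"   # Cloudflare's public DoH endpoint

def build_query(name: str, txn_id: int = 0) -> bytes:
    """Encode a standard recursive A query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def to_get_param(query: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding, sent as ?dns=..."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length

def parse_a_records(msg: bytes) -> List[str]:
    """Extract IPv4 answers from a DNS response; [] on any error RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                 # RCODE != NOERROR (e.g. 3 = NXDOMAIN)
        return []
    pos = 12
    for _ in range(qd):                # skip echoed question(s): name + type + class
        pos = skip_name(msg, pos) + 4
    addrs = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])  # type,class,TTL,len
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_doh(name: str, url: str = DOH_URL) -> List[str]:
    """Live exchange: the DNS message rides inside an ordinary HTTPS POST."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    req = urllib.request.Request(url, data=build_query(name), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())

# Constructed response (not captured): NOERROR, one A record for example.com -> 192.0.2.1
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"       # header
    + b"\x07example\x03com\x00\x00\x01\x00\x01"               # question echoed back
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"  # A, TTL 3600
)
```

The same bytes that a stub resolver would send over UDP port 53 are what travels in the HTTPS body, which is why an on-path observer sees only a TLS session to port 443 rather than the name being looked up.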

Advantages of DNS over HTTPS

  • Improved Security: DNS over HTTPS encrypts DNS traffic, making it more difficult for attackers to intercept or manipulate DNS requests and responses. This helps to prevent DNS spoofing and other types of attacks.
  • Improved Privacy: With DNS over HTTPS, your DNS requests are hidden from your Internet Service Provider (ISP) and other third parties, who would otherwise be able to see which websites you are visiting.
  • Speed: DNS over HTTPS can be faster than traditional DNS resolution, as it can reduce the time it takes to resolve a domain name by bypassing local DNS caches.

Drawbacks of DNS over HTTPS

  • Centralization: The use of DoH relies on a limited number of servers and can lead to centralization of DNS resolution. This can create concerns over privacy and control.
  • Compatibility: DNS over HTTPS is not yet universally supported by all devices and applications. Some network configurations may also block or interfere with DoH traffic.
  • Operational complexity: The use of DoH requires additional infrastructure and configuration, which can add complexity to the network environment.

DNS over HTTPS provides improved security and privacy for DNS resolution, but there are also potential drawbacks to consider, such as centralization and compatibility issues.

Implementing DNS over HTTPS

How to enable DNS over HTTPS

Enabling DNS over HTTPS (DoH) depends on the device and software you are using. Here are some general steps to enable DoH on different platforms:

On Windows 10

a. Open Settings and click on Network & Internet.
b. Click on Change adapter options.
c. Right-click on your active network adapter and click on Properties.
d. Scroll down and click on Internet Protocol Version 4 (TCP/IPv4), then click on Properties.
e. Click on Advanced, then go to the DNS tab.
f. Check the box next to “Use encrypted DNS” and select the DoH provider of your choice from the dropdown menu.
g. Click OK to save the changes.

On macOS

a. Open System Preferences and click on Network.
b. Select your active network connection, then click on Advanced.
c. Go to the DNS tab and click on the + icon to add a new DNS server.
d. Enter the IP address of your DoH provider and click OK to save the changes.

On Android

a. Open the Settings app and click on Network & Internet.
b. Click on Private DNS, then enter the hostname of your DoH provider.
c. Click Save to enable DoH.

On iOS

a. Open the Settings app and click on Wi-Fi.
b. Click on the “i” icon next to your active Wi-Fi network.
c. Scroll down and click on Configure DNS.
d. Select Manual and click Add Server.
e. Enter the IP address of your DoH provider and click Save.

Compatible web browsers and operating systems

Most modern web browsers and operating systems now support DNS over HTTPS, including:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Safari (on macOS and iOS)

Some popular DoH providers include:

  • Cloudflare (1.1.1.1)
  • Google (8.8.8.8)
  • Quad9 (9.9.9.9)

It’s important to note that not all DNS servers support DNS over HTTPS, and some network configurations may block or interfere with DoH traffic. It’s always a good idea to test your DoH setup to ensure that it’s working properly.

DNS over HTTPS and privacy concerns

DNS over HTTPS (DoH) has been implemented to improve the privacy of users’ DNS queries. However, there are still privacy concerns that need to be addressed.

DNS over HTTPS and user data privacy

One of the primary concerns is that DoH providers may be able to see users’ DNS queries. This could allow them to track user activity and potentially sell that data to advertisers or other third parties. However, reputable DoH providers have policies in place to protect user data privacy and minimize the collection and use of personal information.

Privacy concerns for DNS service providers

The use of DoH may also raise privacy concerns for traditional DNS service providers, such as Internet Service Providers (ISPs). DoH can prevent ISPs from seeing users’ DNS queries, which could make it more difficult for them to monitor and filter internet traffic. This could impact their ability to enforce policies, such as parental controls or network security measures.

Potential abuse of DoH

Another concern is that DoH could be used to bypass security controls, such as content filters or firewalls. Malicious actors could use DoH to hide their internet activity, making it more difficult for network administrators to detect and block threats.

While DNS over HTTPS can improve user privacy, it also raises concerns around the collection and use of user data, as well as the impact on traditional DNS service providers. It’s important for DoH providers to have strong privacy policies and for network administrators to implement appropriate security controls to prevent abuse of the technology.
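One way for a network administrator to notice DoH that sidesteps the organisation’s own resolver, as an added example that is not part of the post: scan connection records for TLS sessions whose SNI or destination is a public DoH service, and for plain DNS sent anywhere other than the sanctioned resolver. The log lines and the 10.0.0.53 internal resolver are constructed; the hostnames and IPs are the Cloudflare, Google and Quad9 services the post names.

```python
"""Detecting DoH that bypasses the sanctioned resolver (added example, not
from the post).  Reads connection records (time, client, server, port, SNI),
flags TLS sessions to public DoH services and plain DNS sent anywhere but
the internal resolver.  Log lines and the 10.0.0.53 resolver are constructed
for this example; the DoH hostnames and IPs are the public services the post
names, so a real deployment would swap in a maintained list."""
from dataclasses import dataclass
from typing import List, Optional

SANCTIONED_RESOLVER = "10.0.0.53"                      # assumed internal resolver
DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com",
             "dns.google", "dns.quad9.net"}
DOH_IPS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}            # addresses named in the post

@dataclass(frozen=True)
class Finding:
    client: str
    reason: str
    detail: str

def parse_record(line: str) -> dict:
    """Split one whitespace-separated record; '-' means no SNI was seen."""
    ts, client, server, port, sni = line.split()
    return {"ts": ts, "client": client, "server": server,
            "port": int(port), "sni": "" if sni == "-" else sni.lower()}

def classify(rec: dict) -> Optional[Finding]:
    """Apply the egress policy to one record; None means it is allowed."""
    if rec["port"] == 443 and rec["sni"] in DOH_HOSTS:
        return Finding(rec["client"], "doh-by-sni", rec["sni"])
    if rec["port"] == 443 and rec["server"] in DOH_IPS:
        return Finding(rec["client"], "doh-by-ip", rec["server"])
    if rec["port"] == 53 and rec["server"] != SANCTIONED_RESOLVER:
        return Finding(rec["client"], "plain-dns-bypass", rec["server"])
    return None

def scan(lines) -> List[Finding]:
    """Run every non-empty record through the policy and keep the hits."""
    hits = []
    for line in lines:
        if line.strip():
            finding = classify(parse_record(line))
            if finding:
                hits.append(finding)
    return hits

# Constructed records: only the first two comply with the policy.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.0.1.10 10.0.0.53 53 -
2024-03-01T09:00:02Z 10.0.1.10 203.0.113.7 443 www.example.com
2024-03-01T09:00:03Z 10.0.1.21 198.51.100.9 443 cloudflare-dns.com
2024-03-01T09:00:04Z 10.0.1.21 8.8.8.8 443 -
2024-03-01T09:00:05Z 10.0.1.33 8.8.8.8 53 -
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client}: {f.reason} ({f.detail})")
```

SNI matching gives nothing when a client omits or encrypts the SNI and the endpoint is not on the IP list, so treat these hits as signals rather than proof. The durable control is the egress rule itself: allow port 53 only to the sanctioned resolver and review port-443 sessions to known resolver addresses.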

Frequently Asked Questions about DNS over HTTPS

What is DNS over HTTPS (DoH)?

DNS over HTTPS (DoH) is a protocol that allows DNS resolution to be conducted over HTTPS, which encrypts DNS traffic between a user’s device and a DoH server. The goal of DoH is to enhance privacy and security by preventing eavesdropping, censorship, and manipulation of DNS requests and responses.

How does DNS over HTTPS work?

When a user types a domain name into their browser, the request is sent to a DoH server over an encrypted HTTPS connection. The DoH server then performs the DNS resolution and sends the result back to the user over the same encrypted connection. The user’s ISP or network administrator cannot see the DNS requests or responses, which helps to prevent surveillance and data leakage.

What are the benefits of DNS over HTTPS?

DNS over HTTPS provides several benefits, including enhanced privacy and security, improved performance, and more reliable DNS resolution. By encrypting DNS traffic, it makes it harder for attackers to intercept or manipulate DNS requests and responses, which can improve security. Additionally, because DoH requests are sent over HTTPS, they are more likely to be allowed through firewalls and other security measures, resulting in better performance.

Is DNS over HTTPS the same as a VPN?

No, DNS over HTTPS is not the same as a VPN. A VPN encrypts all internet traffic, including DNS requests, while DNS over HTTPS only encrypts DNS requests. While both technologies can help to enhance privacy and security, they serve different purposes.

Is DNS over HTTPS supported by all web browsers?

Most modern web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, support DNS over HTTPS. However, some older browsers may not support it.

Can DNS over HTTPS be disabled?

Yes, DNS over HTTPS can be disabled by configuring the web browser to use a different DNS resolver or by disabling the DoH feature in the browser settings.

What are some potential downsides of using DNS over HTTPS?

Some potential downsides of using DNS over HTTPS include increased latency, reduced visibility for network administrators, and potential compatibility issues with certain DNS services or firewalls. Additionally, some people have raised concerns that DoH could make it harder to detect and block malicious or unwanted internet traffic.

How can I test if DNS over HTTPS is working?

There are several online tools and browser extensions that can be used to test if DNS over HTTPS is working, such as the DNS Leak Test tool from ExpressVPN or the DoH Test from Cloudflare.

Are there any privacy concerns related to DNS over HTTPS?

Some people have raised concerns that DoH could make it harder to detect and block malicious or unwanted internet traffic. Additionally, some network administrators have expressed concern that DoH could make it harder to monitor and manage network traffic.

How can I enable DNS over HTTPS?

The method for enabling DNS over HTTPS depends on the web browser being used. In general, it involves configuring the browser to use a DoH-compatible DNS resolver, such as Cloudflare, Google, or OpenDNS. Consult the browser’s documentation or support website for detailed instructions.

In conclusion, DNS over HTTPS (DoH) is a protocol that encrypts DNS queries using the HTTPS protocol. This provides additional security and privacy for users, as well as making it more difficult for third parties to intercept or modify DNS queries.

While DoH has several advantages, including improved privacy and security, it may also have drawbacks, such as additional latency and potential difficulties for network administrators.

To enable DoH, users can select a DoH provider and configure their device to use their DoH server. Compatible web browsers and operating systems now support DoH.

It’s important to consider factors such as privacy policies and performance when selecting a DoH provider. Additionally, network administrators should implement appropriate security controls to prevent abuse of the technology.

We recommend that users consider enabling DoH to improve their privacy and security while browsing the internet, but to do so carefully by selecting a reputable DoH provider and keeping in mind the potential drawbacks and privacy concerns.