DoH isn’t just about privacy; it’s a fundamental shift that removes the traditional DNS lookup’s exposure to eavesdropping and manipulation.
Let’s see it in action. Imagine you’re trying to visit example.com. Normally, your computer would send a plain text DNS query to your ISP’s DNS resolver. This query, along with the IP address it resolves to, is visible to anyone on the network path.
With DoH, that same query is instead encrypted and sent over HTTPS, the same protocol used for secure web browsing, to a DoH-enabled resolver. In the illustrative message below, the payload field carries the base64-encoded DNS query for example.com:

```json
{
  "id": 27877,
  "question": "What is the IP address for example.com?",
  "type": "query",
  "transport": "HTTPS",
  "payload": "aGVsbG8gd29ybGQ="
}
```

The DoH resolver then performs the lookup and sends the encrypted response back, with the payload field carrying the base64-encoded DNS response:

```json
{
  "id": 27877,
  "answer": "93.184.216.34",
  "status": "success",
  "transport": "HTTPS",
  "payload": "c29tZWRhdGE="
}
```

Both the query and the response are encrypted, so the exchange looks like any other secure web traffic.
The core problem DoH solves is the insecurity of traditional DNS. DNS queries are typically sent in plain text, so your ISP, network administrators, or anyone snooping on your network can see every website you visit. This allows traffic analysis, censorship, and even "DNS hijacking", where malicious actors redirect you to fake websites. DoH addresses this by tunneling DNS requests over HTTPS. Instead of a distinct, unencrypted DNS packet, your DNS queries become indistinguishable from your regular encrypted web traffic. Eavesdroppers can’t easily see which domains you’re querying, and they can’t easily manipulate the responses.
Internally, a DoH client (like your browser or operating system) constructs a standard DNS query. This query is then encapsulated within an HTTP POST request. The entire HTTP request, containing the DNS query, is then encrypted using TLS (Transport Layer Security), just like any other HTTPS connection. This encrypted package is sent to a DoH-aware DNS resolver. The resolver decrypts the request, performs the DNS lookup, encrypts the DNS response within an HTTP response, and sends it back to the client. The client then decrypts the HTTP response and extracts the DNS answer.
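The steps just described, as an added example that is not code from the original article: a minimal Python DoH client that builds a wire-format DNS query, POSTs it inside an HTTPS request (RFC 8484 application/dns-message, an assumption about the format since the article does not name it), and parses the A record out of the answer. The Cloudflare endpoint is the one named later on the page; `sample_response()` is a constructed reply so the parser can be checked offline.

```python
import struct
import urllib.request

def build_query(name: str, qid: int = 27877) -> bytes:
    # Wire-format A query (RFC 1035); id 27877 mirrors the page (RFC 8484 prefers id 0).
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:
    # Advance past a domain name; a 0xC0 compression pointer is two bytes and ends it.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg: bytes, expected_id: int) -> list[str]:
    # Pull A-record addresses out of a response after checking id and RCODE.
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if flags & 0xF:  # RCODE != 0, e.g. 3 = NXDOMAIN
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def doh_lookup(name: str, url: str = "https://cloudflare-dns.com/dns-query") -> list[str]:
    # The POST described on the page: binary DNS query inside an HTTPS request (needs network).
    req = urllib.request.Request(url, data=build_query(name), method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read(), expected_id=27877)

def sample_response() -> bytes:
    # Constructed offline reply: id 27877, QR/RD/RA set, NOERROR, one A record -> 93.184.216.34.
    header = struct.pack("!HHHHHH", 27877, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + build_query("example.com")[12:] + answer
```

Calling `doh_lookup("example.com")` performs the live exchange; the TLS layer that hides the query is provided by `urllib` itself, which is why the code only ever handles plain DNS bytes.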
The primary lever you control is choosing your DoH resolver. Major providers like Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) offer DoH services. You configure your browser or operating system to use these specific DoH endpoints. For example, in Firefox, you can navigate to about:preferences#privacy, scroll down to "DNS over HTTPS," and select a provider or enter a custom URL like https://cloudflare-dns.com/dns-query.
The one thing most people don’t realize is that while DoH encrypts the content of your DNS queries (the domain names you’re looking up), it doesn’t hide the fact that you are making DNS queries to a specific DoH resolver. Your ISP can still see that you’re connecting to, say, 1.1.1.1 on port 443, which is the standard port for HTTPS. While they can’t see what you’re looking up, they know you’re using a DoH service.
The next step in secure DNS resolution is often exploring DNSSEC, which adds a layer of authentication to DNS records themselves.