ExpressVPN Glossary
DNS over HTTPS (DoH)
What is DNS over HTTPS?
DNS over HTTPS (DoH) is a protocol that sends Domain Name System (DNS) queries over encrypted Hypertext Transfer Protocol Secure (HTTPS) connections instead of traditional unencrypted channels.
How does DNS over HTTPS work?
When a user types a website address, such as expressvpn.com, into their browser, the browser needs to find the server’s IP address to connect. With DoH, that lookup occurs through the following steps:
- Browser sends query: The browser sends the DNS request to a DoH-compatible resolver using an encrypted HTTPS connection.
- Resolver processes request: The resolver decrypts the query and looks up the correct IP address.
- Resolver returns result: The IP address is sent back through the same encrypted HTTPS channel. The browser uses the returned IP address to reach the website.
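The exchange described in the three steps above, as an added example that is not part of the original glossary entry: it builds the DNS query in wire format, wraps it the two ways RFC 8484 allows (GET with an unpadded base64url `dns` parameter, or POST with an `application/dns-message` body), and parses the A records out of a response. The resolver URL `https://doh.example/dns-query`, the address 203.0.113.x and the response body are constructed placeholders; no network request is made, so the block runs offline.

```python
import base64
import struct

# Hypothetical resolver endpoint (assumption, not a real service).
DOH_ENDPOINT = "https://doh.example/dns-query"

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Encode a DNS query in RFC 1035 wire format. RFC 8484 recommends a
    transaction ID of 0 so identical queries yield cacheable HTTP requests."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form: wire query in the 'dns' parameter as unpadded base64url."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(endpoint: str, query: bytes) -> dict:
    """POST form: raw wire query as the body, typed application/dns-message.
    Returned as a plain dict so any HTTPS client library can send it."""
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        },
        "body": query,
    }


def _read_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_records(msg: bytes):
    """Return [(ipv4, ttl), ...] from the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"resolver returned RCODE {rcode}")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return answers


def sample_response() -> bytes:
    """Constructed response to build_query('example.com'): one A record,
    192.0.2.1 (documentation range), TTL 300, name via compression pointer."""
    query = build_query("example.com")
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    answer = (b"\xc0\x0c"
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
              + bytes([192, 0, 2, 1]))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, q))
    print(parse_a_records(sample_response()))
```

In a real client the dict from `doh_post_request` (or the URL from `doh_get_url`) is handed to an HTTPS library, and the response body is fed to `parse_a_records`; the TLS layer of that HTTPS connection is what keeps both the query and the answer out of sight of the network path.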

Why is DNS over HTTPS important?
By encrypting DNS queries and responses, DoH prevents third parties from seeing which websites a user visits and bad actors from modifying the DNS data in transit to redirect users to malicious sites.
Because the HTTPS connection authenticates the resolver with its TLS certificate, DoH also ensures that responses come from the intended DoH server rather than from an attacker impersonating the resolver and supplying false DNS information.
It also makes DNS traffic harder to block or filter: because queries travel over standard HTTPS alongside regular web traffic, network operators have a much harder time identifying or blocking requests to specific websites without disrupting general internet use.
Common use cases
Here are some common applications of DoH:
- Web browsers: Some browsers, such as Mozilla Firefox and Google Chrome, enable DoH by default in regions where compatible DNS resolvers are available.
- Privacy-focused users: Individuals concerned about tracking or surveillance use DoH to keep their browsing habits private.
- Enterprises and remote work: Organizations deploy DoH-compatible resolvers to secure DNS traffic for remote employees and ensure compliance with data-protection standards.
DoH vs. DoT
DoH and DNS over Transport Layer Security (DoT) both encrypt DNS queries, but they use different channels. DoH sends DNS requests over HTTPS on port 443, allowing them to blend with regular web traffic and making blocking or filtering more difficult. DoT uses a dedicated TLS connection on port 853, which makes encrypted DNS easy to identify and gives networks more control over how DNS traffic is managed.
Security and privacy considerations
To get the most out of DoH while staying secure, it’s important to be aware of potential limitations and follow best practices:
- Choose a trusted resolver: The DoH resolver can see the domain requests, so the level of privacy depends on the trustworthiness of the provider.
- Check network compatibility: Some organizations or managed networks disable DoH because it interferes with the tools they use to monitor DNS traffic for security or compliance reasons.
- Combine with a virtual private network (VPN): DoH encrypts only DNS queries, while a VPN encrypts all internet traffic. Together, they provide broader privacy and security.
- Ensure proper configuration: If DoH isn’t configured correctly, for example if the client silently falls back to unencrypted DNS when the DoH resolver is unreachable, DNS queries can leak in plaintext, negating the benefits DoH provides.
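The DoH-versus-DoT distinction above (DoT is recognisable by its dedicated port 853, DoH only by knowing which HTTPS destination is the resolver) and the configuration-leak point are both illustrated by this added example, which is not part of the original glossary entry. It classifies connection records from a constructed flow log and flags any plaintext port-53 lookups that a DoH-configured client should not be making. The allowlisted resolver address 203.0.113.10 and SNI `doh.example`, the log format, and every address in the sample are constructed for the example.

```python
import re
from collections import Counter

# Constructed allowlist: the DoH resolver this client is configured to use.
# DoH blends with ordinary HTTPS on 443, so the destination address or the
# TLS SNI must be known before a flow can be labelled as DoH at all.
KNOWN_DOH_RESOLVERS = {"203.0.113.10"}
KNOWN_DOH_SNI = {"doh.example"}

# Constructed log line shape: "<proto> <src>:<port> -> <dst>:<port> [sni=<name>]"
FLOW_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+(?P<src>[\d.]+):\d+\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<port>\d+)(?:\s+sni=(?P<sni>\S+))?$"
)


def parse_flow(line: str):
    """Parse one constructed flow record; None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "sni": m["sni"] or "",
    }


def classify(flow: dict) -> str:
    """Label a flow: plaintext DNS, DoT, DoH, generic HTTPS, or other."""
    if flow["port"] == 53:
        return "plaintext-dns"          # unencrypted DNS, visible on the wire
    if flow["port"] == 853 and flow["proto"] == "tcp":
        return "dot"                    # dedicated port makes DoT easy to spot
    if flow["port"] == 443 and flow["proto"] == "tcp":
        if flow["dst"] in KNOWN_DOH_RESOLVERS or flow["sni"] in KNOWN_DOH_SNI:
            return "doh"                # only identifiable via the allowlist
        return "https"
    return "other"


def audit(lines):
    """Classify every flow; return (label counts, plaintext DNS leaks)."""
    counts = Counter()
    leaks = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        kind = classify(flow)
        counts[kind] += 1
        if kind == "plaintext-dns":
            leaks.append(f'{flow["src"]} -> {flow["dst"]}:{flow["port"]}')
    return dict(counts), leaks


# Constructed sample: one leaked plaintext lookup, one DoH, one DoT, one
# ordinary HTTPS connection. All addresses are documentation/private ranges.
SAMPLE_LOG = """
udp 10.0.0.5:51234 -> 192.168.1.1:53
tcp 10.0.0.5:51235 -> 203.0.113.10:443 sni=doh.example
tcp 10.0.0.5:51236 -> 203.0.113.11:853
tcp 10.0.0.5:51237 -> 198.51.100.7:443 sni=www.example
""".strip().splitlines()


if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_LOG)
    print("flow classes:", counts)
    for leak in leaks:
        print("plaintext DNS leak:", leak)
```

Run against a real capture, any entry in the leak list is a lookup that bypassed DoH, which is what the configuration check above is meant to catch; the HTTPS bucket shows why an operator cannot filter DoH by port without also affecting ordinary web traffic.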