DoH (DNS over HTTPS)

DNS

A protocol that encrypts DNS queries by sending them over HTTPS (port 443). Prevents ISPs and network operators from seeing or tampering with DNS lookups. Supported by major browsers and CDN resolvers.

Updated Mar 17, 2026

Full Explanation

DNS over HTTPS wraps DNS queries inside standard HTTPS requests. Traditional DNS sends queries in plaintext over UDP port 53, which means anyone on the network path (ISPs, coffee-shop Wi-Fi, corporate proxies) can see exactly which domains you're looking up and even modify the responses. DoH encrypts all of that inside a normal HTTPS connection.

The protocol (RFC 8484) is simple. The client sends a DNS query as an HTTP request to a resolver's URL (like https://cloudflare-dns.com/dns-query or https://dns.google/dns-query). The query can be sent as a GET request with the binary DNS message base64url-encoded (padding stripped) in the dns query parameter, or as a POST with the binary DNS message in the body. The response is a binary DNS message with the application/dns-message content type. The JSON interface some resolvers also expose (application/dns-json, used in the curl example below) is a separate convenience API, not part of the standard.

Browsers drove DoH adoption. Firefox was first, enabling DoH by default for US users in 2020 with Cloudflare as the default resolver. Chrome, Edge, and Safari followed with support but different defaults. When a browser uses DoH, it bypasses the OS DNS resolver entirely. This means network-level DNS filtering (like corporate content filters or parental controls) stops working unless the DoH resolver also provides filtering. Firefox does check a canary domain (use-application-dns.net) before turning on its default DoH: if the network's resolver answers NXDOMAIN for it, Firefox stays on the system resolver, which gives operators a documented opt-out short of blocking the resolver endpoint.

For CDN performance, DoH matters in two ways. First, CDN DNS resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8) offer DoH endpoints. Users resolving through these get fast, encrypted lookups that can't be tampered with in transit. Second, the resolver sees the user's real IP as the source address of the HTTPS connection and can forward a truncated prefix of it to the CDN's authoritative DNS via EDNS Client Subnet (ECS), which helps CDN DNS return the geographically closest edge server. Not every public resolver sends ECS (some omit it for privacy), in which case the authoritative server only sees the resolver's own location.

The main criticism of DoH is centralization. Traditional DNS is distributed: your ISP, your company, your home router all run resolvers. DoH concentrates queries at a few big providers (Cloudflare, Google, Quad9). This gives those providers visibility into massive amounts of DNS traffic. Proponents argue this is still better than ISPs selling DNS data or governments tampering with responses.

DoH uses standard HTTPS infrastructure. It benefits from HTTP/2 multiplexing (multiple queries over one connection), connection reuse, and standard TLS encryption. It also blends in with normal web traffic on port 443, making it harder to block than DoT (which uses the distinctive port 853).

Examples

# Query DoH with curl (Cloudflare, JSON API; not the RFC 8484 wire format)
curl -s -H 'accept: application/dns-json' \
  'https://cloudflare-dns.com/dns-query?name=example.com&type=A' | \
  python3 -m json.tool
# Returns JSON with Answer section

# Query DoH with curl (Google, wire format). The dns= value is the base64url-encoded
# binary query for example.com/A; a GET advertises the wire format via the Accept
# header (Content-Type only applies to a POST body).
curl -s -H 'accept: application/dns-message' \
  'https://dns.google/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE' | \
  xxd

# Encrypted DNS on Linux with systemd-resolved (it speaks DoT natively, not DoH)
# /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes
# The #hostname suffix is the name the server's TLS certificate is verified against.
# DNSOverTLS=yes is strict (fail closed); 'opportunistic' falls back to plaintext.
# For DoH, run a local DoH forwarder (e.g. cloudflared or dnscrypt-proxy) on
# 127.0.0.1 and point DNS= at it instead.
# Apply with: sudo systemctl restart systemd-resolved

# Firefox DoH settings
# about:config
# network.trr.mode = 2 (DoH with fallback)
# network.trr.mode = 3 (DoH only, no fallback)
# network.trr.uri = https://cloudflare-dns.com/dns-query

# Test DoH resolver response time
curl -o /dev/null -s -w '%{time_total}\n' \
  'https://cloudflare-dns.com/dns-query?name=example.com&type=A' \
  -H 'accept: application/dns-json'
# 0.025  (25ms including TLS handshake)
