What is DNS over HTTPS (DoH)?

DNS over HTTPS (DoH), standardised in RFC 8484, carries Domain Name System (DNS) queries and responses inside an ordinary HTTPS connection. Encrypting the lookup stops third parties on the network path, such as an internet service provider (ISP) or an attacker on shared Wi-Fi, from reading or tampering with your DNS traffic. It does not hide the IP address of the site you then connect to, so it improves privacy and tamper resistance; it is not an anonymity tool.

The Definition: Securing the Internet’s Phonebook

To understand DNS over HTTPS, you first need to understand the standard Domain Name System. Think of DNS as the internet’s phonebook. When you type a website address like ‘www.example.com’ into your browser, your computer needs to find the numeric IP address for that server, such as ‘93.184.216.34’.

Traditionally, this request was sent in plaintext using the User Datagram Protocol (UDP) on port 53 (with TCP port 53 as a fallback for large responses). Since it was unencrypted and unauthenticated, anyone between your computer and the DNS server could read it, and anyone able to inject packets could answer it. This included your Internet Service Provider (ISP), network administrators, or malicious actors on a public Wi-Fi network.

This lack of confidentiality and integrity is a significant weakness. It lets ISPs log your browsing history, governments enforce censorship by blocking domains at the resolver, and an on-path attacker forge responses that send you to a look-alike site (DNS spoofing, a form of man-in-the-middle attack). Unless the client validates DNSSEC signatures, plain DNS gives it no way to tell a forged answer from a genuine one.

DoH was developed to solve the transport part of this problem. It takes the same DNS wire-format message and wraps it in HTTPS, the same TLS-protected channel that protects online banking and shopping. The request goes to TCP port 443 (or UDP port 443 when the browser uses HTTP/3), the standard port for secure web traffic.

By doing this, DoH makes your DNS requests look like any other HTTPS connection. An observer can see that you are talking to a DoH resolver such as Google's or Cloudflare's (the resolver's IP address is always visible and its hostname usually is, via the TLS Server Name Indication), but it cannot read the queries or answers inside. Keep in mind that the observer still sees the IP address, and usually the TLS SNI hostname, of every site you visit afterwards, so DoH narrows what the network learns rather than eliminating it.

This simple but effective change provides two key benefits. First, confidentiality: no one on the path can snoop on the names you look up. Second, channel integrity and authentication: TLS ensures the response comes from the resolver you configured and was not modified in transit. It does not guarantee that the resolver's answer is correct. A compromised or dishonest resolver can still lie, which is why the choice of resolver matters and why DNSSEC validation remains a separate concern.

Technical Mechanics: How DoH Works Under the Hood

The process of resolving a domain name with DoH involves a few key steps that differ significantly from the traditional DNS lookup. Understanding these mechanics reveals why DoH is a substantial upgrade for internet privacy and security.

First, let’s review the old method. With standard DNS, when you type a URL, your browser asks the operating system (OS) stub resolver to find the IP address. The OS forwards the query to the recursive resolver it was configured with, typically the one handed out by DHCP and usually operated by your ISP or the local network. This entire conversation happens in plaintext.

DoH changes where resolution happens. Instead of the browser handing the query to the OS, the browser can resolve names itself: Chrome, Firefox, and Edge ship built-in DoH clients. (Operating systems such as Windows 11 also support DoH natively, in which case every application on the machine benefits rather than just the browser.)

When you enter a domain, the browser builds a standard DNS wire-format message (RFC 1035). Instead of emitting it as a plaintext UDP packet, it sends it as an HTTPS request in one of the two forms defined by RFC 8484: a POST whose body is the raw message with Content-Type application/dns-message, or a GET with the message base64url-encoded in a ‘dns’ query parameter. Because the GET URL for a given query is deterministic, the specification recommends a DNS message ID of 0 so that HTTP caches can serve repeated queries.

The request is sent to the resolver’s DoH URL, known as its URI template or endpoint. For example, Cloudflare’s resolver is at ‘https://cloudflare-dns.com/dns-query’ and Google’s is at ‘https://dns.google/dns-query’. The request travels over TCP port 443 on an ordinary HTTP/2 (or HTTP/3) connection that is reused for many queries, blending in with all other secure web traffic.

The DoH resolver terminates the TLS connection, extracts the DNS message from the HTTP request, and resolves the name exactly as a traditional recursive resolver would, answering from cache or walking the authoritative hierarchy to find the corresponding IP address.

Once it has an answer, the resolver returns the DNS response message in the body of the HTTPS response, again with Content-Type application/dns-message. TLS protects the whole round trip, so nobody on the path can read or alter the answer on its way back to you. The resolver itself, of course, still sees and controls that answer.

This means the browser bypasses the resolver configured on the local network. The OS stub resolver and the ISP’s resolver are left out of the loop for the browser’s traffic, which is what defeats local monitoring and manipulation, and also what makes enterprise administrators uneasy. Browsers do honour explicit controls: Chrome and Edge expose the DnsOverHttpsMode and DnsOverHttpsTemplates policies, Firefox a DNSOverHTTPS policy, and Firefox stays on system DNS by default when the network’s resolver returns NXDOMAIN for the canary domain use-application-dns.net. A network that merely assumes it will keep seeing port 53 traffic, however, will lose that visibility.

The DoH Process Step-by-Step

  • Step 1: User Action. The user types a domain name (e.g., ‘example.com’) into a DoH-enabled browser.
  • Step 2: Query Encapsulation. The browser builds a DNS wire-format query and places it in an HTTPS request, either base64url-encoded in the ‘dns’ parameter of a GET or as the body of a POST with Content-Type application/dns-message.
  • Step 3: Secure Transmission. The browser sends the request over TLS on port 443 to the configured DoH endpoint URL (e.g., ‘https://dns.google/dns-query’ or ‘https://cloudflare-dns.com/dns-query’; the familiar 8.8.8.8 and 1.1.1.1 addresses are the same operators’ plain-DNS resolvers, and a DoH client is configured with a URL, not an IP address).
  • Step 4: Resolver Processing. The resolver terminates TLS, extracts the DNS query, and performs the normal lookup (cache or recursion) to find the IP address.
  • Step 5: Encrypted Response. The resolver returns the DNS response message in the HTTPS response body, again under TLS.
  • Step 6: Connection. The browser checks that the response matches its question, takes the IP address, and connects to the destination site (over HTTPS if the site supports it).
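The encoding steps above, as an added worked example that is not part of the original article: it builds the DNS wire-format query, produces both the RFC 8484 GET URL and POST request for it, and parses the A records out of a response. No network access is used; the reply is constructed locally to exercise the parser, and the only real identifier is the Cloudflare endpoint named above. Note that the sanity checks in the parser do not replace TLS; they only reject a response that does not belong to the question that was sent.

```python
"""Build and parse RFC 8484 DoH messages offline (no network access needed)."""
from __future__ import annotations

import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # endpoint named in the article
TYPE_A, CLASS_IN = 1, 1


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Serialise a DNS wire-format query (RFC 1035): 12-byte header plus one question.
    RFC 8484 recommends ID 0 so identical queries yield identical, HTTP-cacheable GET URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD bit set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url-encode the message, drop '=' padding, send as ?dns=..."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def doh_post_request(endpoint: str, query: bytes) -> tuple[str, dict[str, str], bytes]:
    """RFC 8484 POST form: the raw message is the body; both headers are required by the spec."""
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    return endpoint, headers, query


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just past it in the caller's stream."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer into the message
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg: bytes, query: bytes) -> list[str]:
    """Return the IPv4 answers from a wire-format response to `query`.
    TLS already authenticates the resolver; these checks only reject a message that does not
    belong to our question (wrong ID, error RCODE, or a different question section)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    if msg[12:off] != query[12:]:
        raise ValueError("question section does not match the query sent")
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if (rtype, rclass, rdlen) == (TYPE_A, CLASS_IN, 4):
            answers.append(".".join(str(b) for b in rdata))
    return answers


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed sample reply (not captured from a real resolver): echoes the question and adds
    one A record whose owner name is a pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, RCODE=0
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
    return header + query[12:] + rr + bytes(int(o) for o in ip.split("."))


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, q))
    print(parse_a_records(constructed_response(q, "93.184.216.34"), q))
```

To actually send the POST form, the tuple returned by doh_post_request maps directly onto urllib.request.Request(url, data=body, headers=headers); the response body is then fed to parse_a_records together with the original query bytes.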

Real-World Scenarios: DoH in Action

The benefits of DoH are not just theoretical. In practice, the protocol solves tangible security and privacy problems for businesses and individuals. These case studies illustrate what can go wrong with traditional DNS and how DoH provides a direct solution.

Scenario A: E-commerce Brand Preventing Phishing Attacks

An e-commerce company had a growing remote workforce. Employees frequently connected from home networks or public Wi-Fi hotspots to access internal company dashboards for inventory and order management.

The problem started when an employee, working from a coffee shop, connected to the public Wi-Fi. A malicious actor on the same network launched a man-in-the-middle attack. When the employee tried to log into the company’s internal portal, their unencrypted DNS query was intercepted.

The attacker answered the query first, with the IP address of a convincing look-alike phishing site instead of the real portal. The employee entered their credentials, which were immediately stolen. This single event led to a security breach in which customer order information was exposed.

The fix was a new company-wide IT policy. The IT department enforced DoH in the browser on all company-issued laptops through managed browser policy, pointing it at a trusted, company-vetted DoH resolver and locking the setting so users could not switch it off. On an untrusted public network, all DNS queries from the browser were now encrypted and tied to that resolver, so an on-path attacker could no longer forge answers. (The portal’s own HTTPS certificate and HSTS still matter: DoH closes the DNS route to a fake site, it does not replace TLS on the site itself.)

Scenario B: B2B SaaS Company Overcoming Censorship

A B2B software company relied on a globally distributed team of developers. A key development team was located in a country with strict internet filtering. The local ISPs were required to block access to several domains essential for their work, including code repositories and technical documentation sites.

This censorship was implemented at the DNS level. When a developer tried to access a blocked site, the ISP’s DNS resolver would either refuse to respond or return the address of a government block page. This caused significant project delays and frustrated the development team, as they had to rely on unreliable and slow workarounds.

The solution was to instruct the entire team on configuring DoH in their browsers. By switching from their default ISP resolver to an international DoH provider such as Google Public DNS, they bypassed the local DNS filtering. Because their DNS requests were encrypted and sent to a resolver outside the country, the local ISP could no longer see or block the individual names they looked up. This works only as long as the ISP does not block the DoH endpoint itself, or the destination sites by IP address or TLS SNI; DNS-level filtering is the cheapest control to impose and also the cheapest to route around.

This simple change restored access to critical development tools. It eliminated hours of wasted time, improved developer morale, and helped the company get its product release schedule back on track without the cost of complex network solutions.

Scenario C: Publisher Protecting its Audience

A media publisher focused on investigative journalism and reporting on sensitive political and health topics. They built their brand on trust and providing a safe space for readers to access information. Management became concerned that their readers could be at risk.

They knew that ISPs and other network observers could log unencrypted DNS requests. This meant a reader’s entire browsing history on their site could be tracked, potentially exposing their interest in sensitive subjects. This not only violated reader privacy but could also create a chilling effect, discouraging people from seeking important information.

To address this, the publisher took a proactive approach. They added a permanent ‘Privacy’ section to their website, which included a detailed, non-technical guide explaining what DNS is and why it matters for privacy. The guide provided simple, step-by-step instructions for enabling DoH in all major browsers.

By educating their audience, they empowered them to protect themselves. This move was widely praised by their readership and privacy advocates. It reinforced the publisher’s brand as a trusted source of information and demonstrated a genuine commitment to the safety and privacy of its community, which helped grow their loyal reader base.

The Financial Impact of DNS Security

While DoH is a technical protocol, its implementation has clear financial consequences, primarily through risk mitigation and productivity gains. The cost of ignoring DNS security can be substantial, while the cost of adopting DoH is usually limited to configuration and policy work.

Consider the e-commerce brand from our first scenario. A single data breach resulting from a phishing attack can be financially devastating. According to industry reports, the average cost of a data breach can run into millions of dollars. This includes regulatory fines (like those from GDPR), legal fees, customer notification costs, and credit monitoring services for affected users.

Beyond these direct costs, the damage to a brand’s reputation can lead to lost sales and a decline in customer loyalty. Implementing a policy for DoH usage is a preventative measure that costs little beyond configuration effort but removes one of the cheapest routes to a phishing redirect. It is a high-return, low-cost security investment.

For the B2B SaaS company, the financial impact was tied to productivity. A developer’s time is a valuable asset. If a team of ten developers loses even two hours per week dealing with blocked resources, that’s over 1,000 hours of lost productivity per year. Multiplied by an average developer salary, this represents a significant financial drain.

By enabling DoH, the company instantly restored that lost productivity. The fix was free and took only minutes for each employee to implement. This directly translated into faster development cycles and quicker time-to-market for new features, which in turn drives revenue.

Finally, for the media publisher, the financial impact is linked to brand equity and audience trust. In the digital media world, trust is a currency. A publisher known for protecting its readers is more likely to attract and retain subscribers and command higher advertising rates. A privacy-related scandal can erode that trust overnight, causing a direct hit to revenue streams. Investing in reader education about DoH is a small effort that helps secure a loyal, engaged, and monetizable audience.

Strategic Nuance: Beyond the Basics

While DoH is a major step forward, its implementation and implications have subtleties that are often misunderstood. Understanding these points allows for a more effective and informed approach to DNS security.

Myths vs. Reality

A common myth is that DoH makes you anonymous online. This is false. DoH encrypts your DNS query, hiding it from your ISP, but the website you visit still sees your IP address, and your ISP still sees the IP address (and usually the TLS SNI hostname) of every site you connect to. Your DoH provider also sees all of your queries, so you have moved trust rather than removed it. DoH is a privacy tool, not an anonymity solution; Tor, or to a lesser degree a VPN, addresses the IP-address side that DoH does not.

Another misconception is that DoH is inherently bad for network administration. Critics argue that it bypasses enterprise security controls that rely on DNS filtering to block malware and adult content. The concern is valid, but manageable: several providers offer filtering DoH endpoints (Cloudflare’s 1.1.1.1 for Families and Quad9 both block known-malicious domains), and DoH can be managed centrally. Chrome and Edge accept the DnsOverHttpsMode and DnsOverHttpsTemplates policies, Firefox a DNSOverHTTPS policy, and Windows 11 supports DoH at the OS level, so an organisation can pin every managed device to its own resolver and keep both filtering and encryption.

Finally, some users worry that DoH will slow down their connection due to the overhead of encryption. In practice, lookup latency depends far more on how close the resolver is and how often it answers from cache than on the cryptography. The first query to a DoH resolver pays for a TLS handshake, but the connection is reused afterwards, and many ISP-provided resolvers are slow or overloaded. Switching to a well-optimised, globally distributed DoH provider such as Cloudflare can therefore result in faster lookups and a snappier browsing experience.

Advanced Strategic Tips

For those looking to maximize the benefits of DoH, there are a few advanced tactics to consider. First, do not treat all DoH providers the same. Investigate their privacy policies, since the provider now sees every query you make. Some providers, like Cloudflare, have publicly committed to never writing query IP addresses to disk and to deleting all logs within 24 hours; check the current policy rather than relying on a summary. Choose a provider whose policies align with your privacy requirements.

Second, understand that browser-based DoH only protects traffic from that browser. Other applications on your system, like email clients or messaging apps, still use the OS stub resolver and therefore plain DNS. For comprehensive protection, configure encrypted DNS in the operating system itself (Windows 11 supports DoH natively; Android’s Private DNS setting uses the related DoT protocol; macOS and iOS accept encrypted-DNS configuration profiles) so that every application’s lookups are protected.

Finally, it is useful to know the difference between DoH and its close relative, DNS over TLS (DoT). DoT also encrypts DNS queries but runs on a dedicated port (853). Because it uses a distinct port, it is easy for network administrators to identify and block DoT traffic, which also makes it the better fit when an administrator wants encryption with visibility. DoH, by using the common HTTPS port 443, cannot be blocked by port alone without disrupting all secure web traffic, making it the more resilient option against censorship. It is not invisible, though: the resolver’s hostname appears in the TLS SNI and its IP addresses are public, so a network can still block known DoH endpoints, and many enterprise networks do exactly that while also watching for the bootstrap lookup of the resolver’s hostname and for Firefox’s canary query.
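The administrator’s side of the blocking discussion above and of the enterprise-controls point earlier, as an added example that is not part of the original article: a small detector that runs over constructed DNS-query and TLS-connection log lines and flags the three indicators a network normally has even though the DoH traffic itself is encrypted: the bootstrap lookup of a DoH resolver’s hostname, a port 443 connection whose SNI is a known DoH endpoint, and Firefox’s canary query. The two log formats are assumed for this example (no real product emits them), the client addresses and the 192.0.2.0/24 destinations are constructed, and the endpoint list covers only the providers named on this page plus Quad9 and Mozilla’s documented Cloudflare endpoint.

```python
"""Flag likely DoH use from constructed DNS-query and TLS-connection logs."""
from __future__ import annotations

import re
from collections import defaultdict

# Hostnames of public DoH endpoints. cloudflare-dns.com and dns.google are named in the article;
# dns.quad9.net and mozilla.cloudflare-dns.com are the publicly documented endpoints of Quad9
# and of Firefox's default Cloudflare partnership.
KNOWN_DOH_HOSTS = {
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.google",
    "dns.quad9.net",
}
# Firefox resolves this name before enabling DoH by default; an NXDOMAIN answer from the
# network's resolver tells it to stay on system DNS.
FIREFOX_CANARY = "use-application-dns.net"

# Assumed log formats for this example (not any real product's format):
#   "<ts> <client> query <qname> <qtype>"        from the internal recursive resolver
#   "<ts> <client> -> <dst>:443 sni=<name>"      from a TLS-aware flow sensor
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+)$")
TLS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) -> (?P<dst>\S+):443 sni=(?P<sni>\S+)$")


def is_doh_host(name: str) -> bool:
    """True if name is a known DoH endpoint or a subdomain of one (label-aligned match)."""
    name = name.rstrip(".").lower()
    return any(name == h or name.endswith("." + h) for h in KNOWN_DOH_HOSTS)


def classify(line: str) -> tuple[str, str] | None:
    """Return (client, indicator) for a line that suggests DoH activity, otherwise None."""
    m = DNS_LINE.match(line)
    if m:
        qname = m["qname"].rstrip(".").lower()
        if qname == FIREFOX_CANARY:
            return m["client"], "firefox-canary-probe"
        if is_doh_host(qname):
            # A DoH client must still resolve its resolver's hostname once over plain DNS.
            return m["client"], f"doh-bootstrap-lookup:{qname}"
        return None
    m = TLS_LINE.match(line)
    if m and is_doh_host(m["sni"]):
        return m["client"], f"tls-to-doh-endpoint:{m['sni'].rstrip('.').lower()}"
    return None


def find_doh_indicators(lines: list[str]) -> dict[str, list[str]]:
    """Group indicators per client IP, preserving first-seen order and dropping duplicates."""
    found: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        hit = classify(line.strip())
        if hit and hit[1] not in found[hit[0]]:
            found[hit[0]].append(hit[1])
    return dict(found)


# Constructed sample logs; 192.0.2.0/24 is the RFC 5737 documentation range and nothing here
# was captured from a real network.
SAMPLE_LOGS = [
    "2024-05-01T09:00:01Z 10.0.0.5 query use-application-dns.net A",
    "2024-05-01T09:00:02Z 10.0.0.5 query mozilla.cloudflare-dns.com A",
    "2024-05-01T09:00:02Z 10.0.0.5 -> 192.0.2.10:443 sni=mozilla.cloudflare-dns.com",
    "2024-05-01T09:00:05Z 10.0.0.7 query intranet.corp.example A",
    "2024-05-01T09:00:06Z 10.0.0.7 -> 192.0.2.20:443 sni=www.example.com",
    "2024-05-01T09:01:00Z 10.0.0.9 -> 192.0.2.30:443 sni=dns.google",
]

if __name__ == "__main__":
    for client, indicators in find_doh_indicators(SAMPLE_LOGS).items():
        print(client, indicators)
```

A client that shows only the canary probe is a Firefox install deciding whether to enable DoH; one that shows a bootstrap lookup followed by a TLS connection to the same endpoint is actively using it. An endpoint list is the weak point of this approach, since any HTTPS server can host a resolver, so the list has to be maintained and the detector treated as a signal rather than a guarantee.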

Frequently Asked Questions

  • What is the main benefit of DNS over HTTPS?

    The main benefit of DNS over HTTPS (DoH) is enhanced privacy and security. It encrypts your DNS queries, preventing third parties like your Internet Service Provider (ISP) or attackers on a public network from monitoring the websites you visit or manipulating the responses to redirect you to malicious sites.

  • Does DoH make me anonymous online?

    No, DoH does not make you anonymous. It only encrypts the ‘lookup’ part of your browsing, hiding the names you resolve from network observers. Your IP address is still visible to the websites you connect to and to the DoH provider itself, and the network still sees which IP addresses (and usually which TLS SNI hostnames) you connect to afterwards. For anonymity, you would need a service such as the Tor network, or at minimum a VPN.

  • Is DoH faster than regular DNS?

    It can be. While encryption adds a very small amount of computational overhead, many default ISP DNS servers are not well-optimized. High-performance DoH resolvers from providers like Cloudflare or Google often have faster response times, which can lead to a quicker and more responsive browsing experience for many users.

  • What is the difference between DoH and DoT?

    Both DoH (DNS over HTTPS) and DoT (DNS over TLS) encrypt your DNS queries. The key difference is the transport: DoT runs TLS directly on a dedicated port (853), making it easy to identify and block by port; DoH runs inside HTTPS on port 443, so its requests blend in with ordinary secure web browsing and cannot be blocked by port without disrupting other services. DoH can still be blocked by targeting the resolver’s hostname or IP addresses, which is how enterprise networks usually do it.

  • How can I tell if my corporate network is protected from DNS-based threats?

    For a single machine, a resolver’s diagnostic page such as Cloudflare’s ‘1.1.1.1/help’ shows whether that browser is using the resolver and over which protocol. For businesses, ensuring protection is more complex: it means verifying resolver and DoH settings across all company devices through managed policy, and watching the network for clients that use unapproved resolvers. Comprehensive security solutions like those offered by ClickPatrol help businesses monitor network traffic for anomalies, ensuring that security protocols like DoH are correctly implemented and protecting against DNS spoofing or other manipulation attempts.

Abisola

Meet Abisola! As the content manager at ClickPatrol, she’s the go-to expert on all things fake traffic. From bot clicks to ad fraud, Abisola knows how to spot, stop, and educate others about the sneaky tactics that inflate numbers but don’t bring real results.