DNS over HTTPS (DoH)
Definition
A protocol that encrypts DNS queries by sending them over HTTPS (port 443), preventing ISPs and network operators from inspecting or tampering with DNS traffic. Supported by browsers like Firefox and Chrome.
Why DNS Needs Encryption
Traditional DNS queries travel in plaintext over UDP port 53, visible to anyone on the network path: ISPs, coffee shop operators, or attackers performing man-in-the-middle attacks. DNS over HTTPS (DoH, RFC 8484) tunnels DNS queries inside standard HTTPS connections to port 443, making them indistinguishable from regular web traffic and encrypted end to end.
How DoH Works
The client sends an HTTP GET or POST request to a DoH resolver endpoint (e.g., https://cloudflare-dns.com/dns-query) with the DNS query encoded in the request body or URL. The resolver responds with a DNS message in application/dns-message format, wrapped in TLS. Because DoH uses port 443 and standard HTTPS, corporate firewalls and censorship systems cannot block it without also blocking general HTTPS traffic.
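As an added example (not code from the page or from any DoH provider), the Python below builds the wire-format DNS query, produces both RFC 8484 request forms for the endpoint named above, and parses a reply in application/dns-message format. The response bytes are constructed for illustration and nothing is sent on the network; the only real value is the resolver URL from the page.

```python
import base64
import struct
import urllib.request

# Endpoint from the page; the query/response builders below are an added illustration.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
TYPE_A = 1
CLASS_IN = 1


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 wire-format query: header, one question, no EDNS.
    RFC 8484 recommends ID 0 so that identical GET URLs are cache-friendly."""
    flags = 0x0100                                   # RD=1, everything else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(endpoint: str, message: bytes) -> str:
    """GET form (RFC 8484 section 4.1): base64url without padding in the `dns` parameter."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(endpoint: str, message: bytes) -> urllib.request.Request:
    """POST form: the raw DNS message is the body, typed application/dns-message.
    Nothing is sent here; urllib.request.urlopen(req) would perform the exchange over TLS."""
    return urllib.request.Request(
        endpoint, data=message, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def _skip_name(message: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = message[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(message: bytes) -> dict:
    """Extract ID, RCODE and A-record addresses from an application/dns-message reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", message[:12])
    offset = 12
    for _ in range(qdcount):                       # skip the echoed question section
        offset = _skip_name(message, offset) + 4   # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        offset = _skip_name(message, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        rdata = message[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


# Constructed sample reply, not captured from a real resolver: QR=1, RD=1, RA=1, RCODE=0,
# one question (example.com A IN) and one answer carrying the page's example address.
SAMPLE_RESPONSE = bytes.fromhex(
    "0000 8180 0001 0001 0000 0000"                 # header
    "07 6578616d706c65 03 636f6d 00 0001 0001"       # question: example.com A IN
    "c00c 0001 0001 0000012c 0004 5db8d822"          # answer: name ptr, A, IN, TTL 300, 93.184.216.34
)

if __name__ == "__main__":
    query = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, query))
    print(parse_response(SAMPLE_RESPONSE))
```

The GET URL is what a DoH client emits when it wants cacheable requests; the POST form keeps the query out of the URL. A real client should also check that the reply's ID and question match what it sent before trusting the answer section.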
Privacy vs. Centralization Trade-offs
DoH shifts DNS visibility from the local ISP to the DoH provider (Cloudflare, Google, NextDNS, etc.), which raises concerns about centralizing internet infrastructure. Enterprise network teams often oppose DoH because it bypasses local resolvers that enforce filtering policies and DNS leak monitoring. Many browsers now support DoH natively with configurable providers, giving users direct control over their DNS privacy posture.
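For the enterprise network teams mentioned above, here is an added example (not from the page) of how DoH shows up in the logs of a proxy that terminates TLS. The log lines and the second watch-listed host are constructed; cloudflare-dns.com is the endpoint named on the page. Three signals are checked: a watch-listed resolver host, the application/dns-message content type, and a `dns` URL parameter that decodes to a DNS query header.

```python
import base64
import binascii
import re
import struct
from urllib.parse import parse_qs, urlsplit

# Hosts to treat as DoH resolvers. cloudflare-dns.com is the endpoint named on the page;
# the second entry is a constructed placeholder for whatever an operator maintains.
DOH_HOSTS = {"cloudflare-dns.com", "doh.placeholder.example"}

# Constructed proxy log lines (client, host, method, path, content-type); not real traffic.
# These fields are only visible to a proxy that decrypts TLS; a passive observer on the
# wire sees at most the server name in the TLS handshake.
LOG_LINES = [
    "10.0.0.5 www.example.com GET / text/html",
    "10.0.0.5 cloudflare-dns.com POST /dns-query application/dns-message",
    "10.0.0.7 cdn.example.net GET /dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE -",
    "10.0.0.9 api.example.org GET /v1/dns-query?dns=notbase64!! -",
]


def is_dns_wire_query(b64url: str) -> bool:
    """True if the `dns` parameter decodes to something shaped like a DNS query:
    at least a 12-byte header with QR=0 and exactly one question."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", b64url):
        return False
    try:
        raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    except binascii.Error:
        return False
    if len(raw) < 12:
        return False
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", raw[:12])
    return (flags & 0x8000) == 0 and qdcount == 1


def classify(line: str) -> tuple:
    """Return the reasons a single log line looks like DoH (empty tuple if none)."""
    client, host, method, path, ctype = line.split()
    reasons = []
    if host in DOH_HOSTS:
        reasons.append("known-doh-host")
    if ctype == "application/dns-message":
        reasons.append("dns-message-content-type")
    dns_param = parse_qs(urlsplit(path).query).get("dns", [])
    if dns_param and is_dns_wire_query(dns_param[0]):
        reasons.append("wire-format-query-in-url")
    return tuple(reasons)


def find_doh(lines):
    """Return (client, host, reasons) for every line flagged as DoH."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            client, host = line.split()[:2]
            hits.append((client, host, reasons))
    return hits


if __name__ == "__main__":
    for hit in find_doh(LOG_LINES):
        print(hit)
```

The third line is the interesting one: the host is not on the watch list and no content type is logged, but the `dns` parameter still decodes to a well-formed query, so a host list alone would have missed it. Without TLS termination only the first signal (the resolver hostname) is available, which is why the page notes that DoH is hard to separate from ordinary HTTPS.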