diagram.mmd — sequence
DNS over HTTPS Flow sequence diagram

DNS over HTTPS (DoH, RFC 8484) is a protocol that encrypts DNS queries and responses by encapsulating them inside HTTPS requests, preventing eavesdropping and manipulation of DNS traffic by network intermediaries.

Traditional DNS uses plaintext UDP or TCP on port 53. This means every DNS query you make — every hostname you look up — is visible to your ISP, network operator, or anyone who can observe your traffic. DoH addresses this privacy gap.

How DoH Works: Instead of sending a DNS query to a resolver on port 53, the client sends an HTTPS request to a DoH-capable resolver (e.g., https://cloudflare-dns.com/dns-query or https://dns.google/dns-query). The DNS query is encoded in binary DNS message format (wire format) and sent as the body of an HTTP POST request (or base64url-encoded as a GET parameter).
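As an added example (not code from this page or from any resolver project), the following builds the wire-format query the paragraph describes, encodes it for the `?dns=` GET form, and parses an A record out of a constructed response; the sample response bytes are made up for the demonstration, and the transport (TLS, HTTP headers) is left to an HTTP client.

```python
import base64
import struct

def build_query(hostname, qtype=1, txid=0):
    """Build an RFC 1035 wire-format query (qtype 1 = A, class IN).
    Flags 0x0100 = recursion desired; exactly one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def to_get_param(query):
    """RFC 8484 GET form: base64url with the '=' padding removed,
    used as GET /dns-query?dns=<value>. For POST, send the raw bytes
    with Content-Type: application/dns-message instead."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def read_name(msg, offset):
    """Read a (possibly compressed) domain name; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_a_records(response, expected_txid):
    """Return [(ipv4, ttl), ...] from the answer section of a DNS response.
    Rejects a transaction id mismatch and any non-zero RCODE."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):          # skip the echoed question section
        _, off = read_name(response, off)
        off += 4                 # qtype + qclass
    results = []
    for _ in range(an):
        _, off = read_name(response, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10
        rdata, off = response[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            results.append((".".join(str(b) for b in rdata), ttl))
    return results

# Constructed sample response: txid 0x1234, flags 0x8180 (response, RD, RA),
# one question, one answer (name via pointer to offset 12), TTL 300.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
                   + b"\x03api\x07example\x03com\x00" + b"\x00\x01\x00\x01"
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
                   + bytes([93, 184, 216, 34]))
```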

Transport: DoH uses standard HTTPS over TLS 1.3. This means the DNS query is encrypted, authenticated, and protected by TLS certificate validation — identical security properties to any other HTTPS request. No special ports are needed; DoH traffic is indistinguishable from regular HTTPS.

Browser Implementation: Firefox and Chrome support DoH natively, allowing browsers to use a trusted DoH resolver regardless of the OS-configured DNS server. This can bypass ISP DNS hijacking but also bypasses enterprise DNS policies (a point of contention in corporate environments).

Comparison with DoT: DNS over TLS (DoT, port 853) achieves similar privacy but uses a dedicated port that is easier to block or monitor. Because DoH runs on port 443, it is harder to block selectively, and it achieves this without a performance penalty.

Caching and Performance: DoH responses include standard HTTP caching headers. HTTP/2 multiplexing (see HTTP/2 Multiplexing) allows multiple DNS queries over a single HTTPS connection.


Frequently asked questions

DNS over HTTPS (DoH, RFC 8484) encrypts DNS queries by sending them as HTTPS requests to a DoH-capable resolver, instead of plaintext UDP on port 53. This prevents ISPs, network operators, or any on-path observer from seeing which hostnames you look up, since DoH traffic is indistinguishable from regular HTTPS.

The client opens an HTTPS connection to a DoH resolver (e.g., `https://cloudflare-dns.com/dns-query`). The DNS query is encoded in binary wire format and sent as the body of an HTTP POST request (or base64url-encoded as a GET parameter). The resolver decrypts the query, performs normal DNS resolution, and returns the response inside an HTTPS reply. The entire exchange is protected by TLS 1.3.

Use DoH when privacy from network-level observers is a priority — such as on untrusted public WiFi, in regions with ISP DNS hijacking, or in browser-level deployments where you cannot trust the system resolver. Firefox and Chrome support DoH natively and can bypass the OS-configured resolver.

DoH can bypass enterprise DNS policies, causing IT visibility and filtering gaps. Because it runs on port 443, blocking DoH without blocking all HTTPS traffic is difficult. Fallback behaviour (what the browser does if the DoH resolver is unreachable) must be explicitly configured to avoid resolution failures.

Both encrypt DNS traffic, but DoH uses standard HTTPS on port 443, making it indistinguishable from web traffic and harder to block selectively. DNS over TLS (DoT) uses a dedicated port 853, making it easier to identify, filter, or enforce at the network level — preferable in enterprise environments where visibility into DNS is required.
```mermaid
sequenceDiagram
    participant App as Application/Browser
    participant DoHClient as DoH Client
    participant TLSLayer as TLS Layer (port 443)
    participant DoHResolver as DoH Resolver\n(e.g. cloudflare-dns.com)
    App->>DoHClient: Resolve: api.example.com
    Note over DoHClient: Encode DNS query as\nRFC 8484 wire format
    DoHClient->>TLSLayer: HTTPS POST /dns-query\nContent-Type: application/dns-message\nBody: [binary DNS query]
    Note over TLSLayer: TLS 1.3 — query encrypted\nCertificate validates cloudflare-dns.com
    TLSLayer->>DoHResolver: Encrypted HTTPS request
    Note over DoHResolver: Decode DNS query\nPerform recursive resolution
    DoHResolver-->>TLSLayer: HTTPS 200 OK\nContent-Type: application/dns-message\nBody: [binary DNS response]\nCache-Control: max-age=300
    TLSLayer-->>DoHClient: Decrypted DNS response
    DoHClient->>App: A record: 93.184.216.34
    Note over App: No observer on network\ncan see hostname queried
```