• United States

DNS over HTTPS seeks to make internet use more private

Nov 20, 201810 mins

The IETF has standardized DNS over HTTPS (DOH), which encrypts DNS queries so eavesdroppers can’t tell what sites users connect to.

spinning globe smart city iot skyscrapers city scape internet digital transformation
Credit: Getty Images

Unauthorized interception of DNS traffic provides enough information to ascertain internet users’ thoughts, desires, hopes and dreams.  Not only is there concern for privacy from nearby nosey neighbors, but governments and corporations could use that information to learn about individuals’ internet behavior and use it to profile them and their organization for political purposes or target them with ads. 

Efforts like the DNS Privacy Project aim to raise awareness of this issue and provide pointers to resources to help mitigate these threats.

The IETF has been working on the problem as well. It formed the DNS PRIVate Exchange (DPRIVE) working group to define the problems and evaluate options to mitigate the security threats.  One of its major efforts has been to create methods whereby DNS can be used over HTTP (DOH).  Even though DNS queries could take place over HTTP in the clear, that wouldn’t solve the unencrypted privacy issue.  Therefore, the protocol development has been on DNS Queries over HTTPS (also referred to as DOH), which was standardized in October 2018.

(While this article addresses DNS over HTTPS, the IETF’s primary published proposed standard for securing DNS traffic is “Specification for DNS over Transport Layer Security (TLS)” (DOT) (RFC 7858).  Since DNS traffic uses UDP messages, the IETF also published “DNS over Datagram Transport Layer Security (DTLS)” (RFC 8094).  The IETF DPRIVE working group has also published “Usage Profiles for DNS over TLS and DNS over DTLS” (RFC 8310).)

How DNS over HTTPS works

DOH uses a direct connection between the end-user and the web server’s interface.  Since the DNS query and response are taking place over a web-based HTTP interface, the DNS response format uses JSON notation.  This is different than the traditional DNS query and resource record format and lends itself to simpler integration with web-based applications.

DOH could be implemented as a local proxy service running on the end-user’s computer that is listening for DNS queries using TCP or UDP port 53.  This local proxy service converts the DNS queries into an HTTPS connection to the DOH service.  In the case of DNS over HTTPS, the connection is made using TCP port 443.  (When DNS over TLS is used, then TCP port 853 is employed.)

DOH can also be implemented in the user’s web browser.  When the browser makes a connection to a new URL, it connects to the pre-configured DOH service using TCP 853 and retrieves the JSON response containing the resulting IP address.

DOH is of significant interest to content providers because they want to help preserve the privacy of their user and subscriber populations.  Content providers desire greater control over DNS for their clients, guaranteeing that their clients are provided accurate information about IP addresses, mitigating man in the middle attacks, and provide a faster service regardless of the client’s operating system or location.

The terms DNS over HTTP (DOH), DNS over HTTPS (DOH), and DNS over TLS (DOT) are often used interchangeably, but it is important to distinguish among HTTP, HTTPS, and TLS underlying this web-based DNS function.

While DOH can make contribute to internet privacy, it’s also important to recognize there are other ways to address the problem.

DOH alternatives

In the interest of completeness, there are also other methods that have been proposed and are in use that function like DOH.  For example, DNS over HTTP can also use HTTP/2.  HTTP/2 is an optimized version of HTTP that allows for multiplexed streams for simultaneous fetches, request prioritization, header compression and server push.  In this case, the web resolver could use the HTTP/2 Server Push method to send/push DNS updates to the client.  This could be used to proactively notify clients that an update has occurred.  This could be a more immediate method than the historical approach of waiting for the DNS record’s TTL to expire. 

DNS can also work over the QUIC protocol.  Quick UDP Internet Connections (QUIC) is an optimized transport layer protocol that provides the reliability of TCP with multiplexed connections and performance optimizations.  Although this is currently and IETF draft, there is interest in ways to leverage the QUIC protocol because of its performance improvements for web servers.

There are also other non-IETF methods for providing encryption of DNS queries.  DNSCrypt is a method of using encryption to secure traditional DNS messages between an end-user and a resolver.  DNSCrypt can support TCP or UDP DNS messages over TCP port 443.  The current version 2 of the DNSCrypt protocol specification is documented publicly.  DNSCurve is a similar method, but it uses elliptic curve cryptography with the Curve25519 (X25519 algorithm) for securing DNS.  DNSCurve has been being developed since 2009.

Implementations of DOH

Momentum is building for DOH solutions and now there are implementation examples proving that these methods work.  This list of publicly-available DOH servers provides links to those services and the DNS Privacy Project provides a list of test servers.  Here are some DOH implementations that provide information about the current state of DOH that can provide a place to test solutions to improve public-facing web applications.


Google operates its global public DNS service using IPv4 (,, IPv6 (2001:4860:4860::8888, 2001:4860:4860::8844), and now operates using DOH.  They have one method that is available for programmatic API access and another method that works with a human-friendly web browser interface.  An example of using the API access is to use this URL that contains the query you want to make.

With the Google DOH web interface, you can enter the FQDN you would like to resolve, the type or DNS resource record (A, AAAA, CNAME, NS, MS, etc.), the EDNS client IP address (RFC 7871) and select if you want to use DNSSEC, then click the “Resolve” button.  The system then shows you the JSON output of your DNS over HTTPS query.  The web interface then provides you a restful link at the bottom of the page.  Following is a URL that you can use with the web interface.

There is a Docker container available on Dockerhub that is a small DNS server that performs queries over HTTPS via Google’s DNS API.  Furthermore, there is an implementation of Google’s DOH system for CoreDNS used in Kubernetes environments.


CloudFlare operates a public DNS service that has a user-favorable privacy policy.  CloudFlare also operates a public DOH service which is available over IPv4 (, and IPv6 (2606:4700:4700::1111, 2606:4700:4700::1001).  The CloudFlare DOH service can operate using either DNS wireformat or JSON or CloudFlare also offers their “Cloudflared” DOH client proxy.  CloudFlare also offers an Android application that uses their DoH service.  Here is an example of how to use curl to query the DOH interface:

curl ‘’


Quad9 operates its public DNS service over IPv4 (, and IPv6 (2620:fe::fe, 2620:fe::9).  More about its service are here and the here.  Quad9’s service uses DNS over TLS using TCP port 853 using


CleanBrowsing operates a family-friendly public DNS service using IPv4 (,, IPv6 (2a0d:2a00:1::, 2a0d:2a00:2::), and also using DOH with its family filter, adult filter and security filter.


Facebook operates a DOH proxy service and has published a set of Python 3 scripts that create a DOH stub resolver and a DOH client, and can proxy using HTTP/2.


Mozilla has implemented DOH in its Firefox browser version 62 or newer. The function is known as Trusted Recursive Resolver (TRR) and it is disabled by default, but can be easily turned on. Just open Firefox and open the URL about:config and then search for trr. It will display the different options to enable TRR (network.trr).  Modify network.trr.mode from 0 to 2 and set network.trr.uri to the name of your DOH server (e.g., then browse to some sites.  Mozilla Firefox have partnered with CloudFlare on their TRR and DNS over HTTPS integration.  To observe how it works, go to the about:networking page and click on the DNS section to see which queries it has made and look for the TRR column to be true or false. An illustrated explanation of how it works is here.


The Tenta browser supports Secure DNS over TLS and DNSSEC, along with decentralized DNS.  Tenta’s DNS service supports DNS over TLS, DNSSEC and a Golang interface.


The curl utility can be used to test DOH services, as shown above, but there are also extensions to curl that make it work directly with DOH. There is also a libcurl-using application that performs DOH. It’s a small stand-alone tool that issues requests for the A and AAAA records of a given host name from the given DOH URI.

Android 9

Android 9 “Pie” has a “Select Private DNS Mode” that offers a DOT service to support added privacy for DNS traffic using mobile devices.


The Getdns group offers Stubby as an open source application that operates as a stub resolver using DNS over TLS.  Stubby uses a YAML configuration file, and there are examples of how to configure this for specific DNS privacy servers.


PowerDNS offers a DOH interface and its code is available on GitHub.


pfSense supports configuring DNS over TLS on pfSense security devices, and there is a video showing how to configure and test it.

Other DOH Clients

There are also numerous DOH and DOT clients and proxies that are available.  Among these are Daniel’s dns2doh, Frank’s doh-proxy (server-side proxy), Travis’s jDnsProxy, Daniel’s PHP DOH client, Star’s Golang implementation of DOH, Pawel’s Dingo (DNS client in Go), a Python implementation of DOH,  and a DOH C++ client.

DOH doesn’t solve Internet privacy, but it is a contributing mechanism of a wholistic approach that helps improve privacy. If an eavesdropper were along the traffic path from the user to the web server, they could still observe the initial connection request prior to HTTPS encryption for a site’s IP address. Once the HTTPS session is in place, then the eavesdropper would only observe the encrypted TCP port 443 packets.

DOH compliments DNS security measures such as DNSSEC and DNS-Based Authentication of Named Entities (DANE) can provide validation of the Certificate Authority (CA) used for a service. Use of TLS for the web connections using a validated public certificate using Let’s Encrypt can help fortify user’s connections.

The field of DNS security is rapidly evolving. Vendors such as Infoblox ActiveTrust Cloud and Cisco Umbrella (formerly OpenDNS) have selected DNSCrypt/DNSCurve as their DNS privacy method. Some organizations like Quad9 support both DNSCrypt and DOH/DOT, thus hedging their bets on which may prove dominant. There is speculation to what extent DOH will impact use of traditional DNS infrastructure, because these DOH methods are new and have yet to gain widespread adoption.

Regardless of how the future plays out and which method DOH dominates the industry, organizations should be cognizant of the information they disclose through their wide-open DNS communications. It is free to test out these DOH methods to determine which approach may provide added privacy for individuals’ and organizations’ public web application.

(Scott Hogg is a co-founder of, an IPv6 consulting and training firm, and has over 25 years of cloud, networking and security experience.)