DNS over HTTPS (DoH)

DNS queries carried over HTTPS. Encrypts the lookup between the client and the resolver, so an on-path observer (ISP, local network operator) can neither see which names you're resolving nor alter the answers in transit.

DNS over HTTPS (DoH, RFC 8484) carries standard wire-format DNS messages (media type application/dns-message) inside ordinary HTTPS requests to port 443, either as a POST body or, for cacheable queries, base64url-encoded in a GET "?dns=" parameter. To anyone watching the network it is indistinguishable from other HTTPS traffic to the same host. The POST form, written as HTTP/2 pseudo-headers (RFC 8484 expects HTTP/2 or later):

:method = POST
:scheme = https
:authority = cloudflare-dns.com
:path = /dns-query
accept = application/dns-message
content-type = application/dns-message

<binary DNS query in wire format>

What it solves

Network-level surveillance. Without DoH, anyone with packet visibility (ISP, employer, café WiFi) can see every domain you're looking up. DoH hides those queries.

Tampering. ISPs and corporate networks sometimes rewrite DNS responses (block sites, inject ads, redirect NXDOMAIN to a search page). DoH prevents on-path tampering because the exchange is encrypted and authenticated between the client and the resolver, so nothing between the two can read or rewrite it. The resolver itself is still free to filter or alter answers; you are moving trust to it, not eliminating it.

What it doesn't solve

  • Doesn't hide who you're connecting TO. After resolving example.com, the TCP/TLS connection to its IP is still visible, and the TLS ClientHello carries the hostname in cleartext in the SNI extension unless Encrypted Client Hello is in use.
  • Doesn't authenticate the DNS data. TLS authenticates the resolver you're talking to, not the origin of the records it returns; a resolver can still hand back wrong or filtered answers. Origin authentication is DNSSEC's job (a validating resolver can set the AD bit, but over DoH the client is taking the resolver's word for it).
  • Doesn't hide anything from the resolver itself. Cloudflare, Google, etc. see every query and can log it; check the operator's retention policy if that matters.

Public DoH resolvers

Resolver     URL
Cloudflare   https://cloudflare-dns.com/dns-query
Google       https://dns.google/dns-query
Quad9        https://dns.quad9.net/dns-query
AdGuard      https://dns.adguard.com/dns-query

How clients use it

  • Firefox enables DoH by default in some regions (the US first), sending queries to a trusted-resolver partner rather than the system resolver unless the network opts out or the user configures otherwise.
  • Chrome ("Secure DNS") upgrades to DoH automatically only when the system's configured resolver is one it knows offers a DoH endpoint; otherwise it stays on plain DNS unless a DoH resolver is set explicitly.
  • macOS 11 / iOS 14 and later support DoH (and DNS over TLS) system-wide via configuration profiles or apps using the DNS settings API.
  • Android's "Private DNS" setting speaks DNS over TLS (RFC 7858) rather than DoH; newer releases can upgrade to DNS over HTTP/3 for supported resolvers.

SaaS impact

For most SaaS, DoH is transparent: it changes how a client resolves your hostname, not how it reaches you. It matters when you, or your customers' networks, depend on intercepting or answering DNS locally: captive portals, corporate content filters, and split-horizon setups that hand out internal addresses for public names. A browser using DoH bypasses all of those and gets the public answer from Cloudflare or Google instead, so customers behind such filters can report connectivity problems that look like DNS failures but originate in their network policy. Networks that need Firefox to stay on the local resolver can signal that by returning NXDOMAIN for the canary domain use-application-dns.net; Firefox's default-on DoH then falls back to the system resolver (an explicit user setting still wins).
