DNS over HTTPS (DoH)

Security Glossary - DNS

Definition: DNS over HTTPS (DoH) encrypts DNS queries by sending them inside regular HTTPS requests to a DoH-compatible resolver. This prevents network observers (ISPs, Wi-Fi operators, attackers) from seeing which domains a user is looking up, providing privacy for DNS resolution. Major browsers including Chrome and Firefox support DoH.

The Importance of DoH

Traditional DNS queries are sent in plaintext over port 53 (UDP, with TCP as a fallback), meaning anyone on the network path can see every domain a user resolves. This is a significant privacy concern, especially on public Wi-Fi networks. DoH encrypts these queries, hiding DNS resolution from on-path observers.

DoH is primarily a client-side privacy feature. As a website operator, you do not need to configure anything for your visitors to use DoH. However, understanding DoH helps explain why some DNS-based content filtering or monitoring may not work for users who have enabled DoH in their browser: the queries travel inside ordinary HTTPS traffic to port 443 rather than as DNS on port 53, so controls that inspect or redirect port-53 traffic never see them.

The debate around DoH centers on centralization. When a browser sends all DNS queries to a single DoH provider (like Cloudflare or Google), that provider sees all DNS traffic. This is a tradeoff between privacy from local network observers and trust in the DoH provider. Enterprise networks sometimes disable DoH to maintain DNS-based security controls.

How to Test for DoH

DoH is a client-side configuration, not a server-side one. Check your browser settings to see if DoH is enabled. As a site operator, verify your DNS records work correctly when queried through DoH resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8) to detect any resolution inconsistencies.
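The resolver check described above, as an added example that is not part of this glossary entry: it builds an RFC 8484 GET request (wire-format DNS query, base64url-encoded in the `dns` parameter), parses the `application/dns-message` response for A records, and reports whether the resolvers agree. The two endpoint URLs are the assumed RFC 8484 endpoints of the resolvers named above; the sample response is constructed, not captured, so the parsing part runs offline.

```python
import base64
import struct
import urllib.request

# RFC 8484 endpoints of the two resolvers named above (assumed for this example)
DOH_ENDPOINTS = {"cloudflare": "https://cloudflare-dns.com/dns-query", "google": "https://dns.google/dns-query"}
def build_query(name, qtype=1):
    """Wire-format query: ID 0 (RFC 8484 recommends it for cacheability), RD flag set, one question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", qtype, 1)
def doh_get_url(endpoint, wire):  # RFC 8484 GET form: 'dns' parameter is base64url without padding
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()
def _read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset just past it)."""
    parts = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # pointer to an earlier copy of the rest of the name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(parts + [_read_name(msg, ptr)[0]]), off + 2
        if n == 0:
            return ".".join(parts), off + 1
        parts.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
def parse_a_records(msg):
    """Sorted IPv4 strings from the answer section; raise if the resolver reported an error RCODE."""
    _id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0xF:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off, ips = 12, []
    for _ in range(qd):  # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off + 10:off + 14]))
        off += 10 + rdlen
    return sorted(ips)
def query_doh(endpoint, name):  # A records for name from one DoH resolver (needs network access)
    req = urllib.request.Request(doh_get_url(endpoint, build_query(name)), headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())
def consistent(results):  # True when every resolver (resolver -> A record list) returned the same set
    return len({tuple(v) for v in results.values()}) == 1

# Constructed sample response (not captured traffic): example.com -> 192.0.2.1 and 192.0.2.2, TTL 300
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0, 0x8180, 1, 2, 0, 0) + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 2]))
```

To run the live comparison against your own zone, call `consistent({k: query_doh(v, "your-domain.example") for k, v in DOH_ENDPOINTS.items()})`; a `False` result or a raised `ValueError` points at a record that one resolver serves differently or cannot resolve.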


DoH FAQ

Does DoH replace DNSSEC?

No, they solve different problems. DoH provides privacy (encrypting DNS queries so observers cannot see them). DNSSEC provides authenticity (proving DNS responses have not been tampered with). Ideally both are used together for both privacy and integrity.

Will DoH affect my website?

No. DoH is transparent to website operators. Your DNS records are served the same way regardless of whether the client uses DoH, DoT (DNS over TLS), or plain DNS. The only potential impact is if you rely on DNS-based blocking or filtering that DoH may bypass.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.