DNS over HTTPS
For the technical specification, see RFC 8484.
DNS over HTTPS (DoH) is a method of performing DNS resolution over HTTPS. It carries ordinary DNS queries and responses inside HTTPS requests and responses, so that on the wire they appear as TLS traffic to a web server (by default on port 443) rather than as cleartext DNS on port 53, aiming to protect them from on-path monitoring or tampering. It integrates the DNS more tightly with the Web application stack.[1][2] From an Internet governance standpoint, DoH is notable less for its packet format than for how it shifts control over DNS resolution, affects the visibility of DNS traffic, and interacts with existing practices around filtering, data protection, and security operations.
Origins and Standardization
Work on DoH emerged from broader concerns about cleartext DNS and pervasive monitoring, building on earlier privacy efforts such as query name minimization and DNS over TLS (DoT).[1] RFC 8484, published in 2018, specifies how traditional DNS "wire format" messages (the same byte layout used on port 53) are carried in HTTP requests and responses with the media type application/dns-message, either as a base64url-encoded GET parameter or as a POST body, using the Web's existing PKI and transport mechanisms.
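The following Python is an added example, not code from RFC 8484 or from any resolver or browser implementation. It builds the wire-format A query for www.example.com that RFC 8484 itself uses to illustrate the GET form, encodes it into a DoH URL and a DoH POST request, and parses a constructed wire-format response (embedded below, not captured from a real resolver). The resolver URL https://dns.example/dns-query is an assumed placeholder; nothing is sent over the network.

```python
"""DNS-over-HTTPS message encoding and decoding (RFC 8484 + RFC 1035).

Added example; not the text or code of any standard or product.
DOH_URL is an assumed placeholder and SAMPLE_RESPONSE is constructed.
"""
import base64
import struct

DOH_URL = "https://dns.example/dns-query"   # assumed resolver URL template
MEDIA_TYPE = "application/dns-message"       # media type defined by RFC 8484


def encode_qname(name):
    """Encode a domain name as length-prefixed labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, msg_id=0):
    """Build a wire-format query. RFC 8484 section 4.1 says clients SHOULD
    use ID 0 so the same query is a cacheable HTTP resource; HTTP already
    pairs each response with its request."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def doh_get_url(query, url=DOH_URL):
    """GET form: base64url with '=' padding removed (RFC 8484 section 6)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (url, b64)


def doh_post_request(query, url=DOH_URL):
    """POST form: raw wire-format body with the DoH media type (section 4.1)."""
    return {"method": "POST", "url": url,
            "headers": {"Content-Type": MEDIA_TYPE, "Accept": MEDIA_TYPE},
            "body": query}


def decode_qname(msg, off, max_hops=16):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, hops, end = [], 0, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("pointer loop")
            if end is None:
                end = off + 2                           # caller resumes after pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Return (rcode, [(name, type, ttl, rdata), ...]) from a wire-format response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                                 # skip the echoed question
        _, off = decode_qname(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_qname(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # render A records dotted
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0xF, answers


# Constructed response to build_query("www.example.com"): one A record,
# TTL 300, pointing at 192.0.2.1 (documentation prefix). Not captured traffic.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)        # QR, RD, RA; rcode 0
    + encode_qname("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))
    print(parse_response(SAMPLE_RESPONSE))
```

The GET URL the block produces ends in `dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`, the value RFC 8484 shows in its own example. The practical point for the governance discussion: a network observer sees only a TLS connection to the resolver's host, not the query name, which is why port-53 filters and passive DNS monitoring lose visibility once a client switches to this transport.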
The RFC is largely policy-neutral: it does not dictate which resolvers clients should use or how those resolvers are governed. Governance questions stem from deployment choices: who operates DoH resolvers, how clients are pointed at them, and how that interacts with current operational and regulatory expectations.
Deployment and Central Actors
DoH deployment has been driven mainly by browser vendors, public DNS operators, and some operating systems and mobile platforms. Mozilla Firefox was an early large-scale adopter, enabling DoH by default for many U.S. users and directing queries to a small group of “trusted recursive resolvers” (TRRs), initially with Cloudflare as the default.[3][2]
Google Chrome followed a different model: rather than changing the resolver, it attempts to "upgrade" the connection to DoH when the system's configured resolver is one Chrome knows to offer a DoH endpoint, so that DNS traffic remains with the same provider but moves to HTTPS.[4] Public resolvers such as 1.1.1.1 (Cloudflare), Google Public DNS, Quad9 and others have exposed DoH endpoints as part of their service offerings.[2]
Measurements from operators and research groups, including APNIC, suggest that DoH adoption is significant but uneven: it is more visible in browser and mobile traffic than in traditional stub resolver deployments, and often coexists with classic DNS and DoT in the same network.[5]
Governance Debates
Centralization and Resolver Choice
One central concern is that application-controlled DoH can concentrate DNS queries in a small number of large public resolvers, shifting influence away from local ISP or enterprise resolvers. An IETF Internet-Draft on DoH implementation risks highlighted the possibility that default configurations in major browsers could lead to a small set of “super-resolvers” handling a large portion of global DNS traffic.[6]
The ICANN Security and Stability Advisory Committee (SSAC) discussed these issues in "SAC109: The Implications of DNS over HTTPS and DNS over TLS", observing that while encrypted DNS limits on-path monitoring, it simultaneously increases the importance of whoever operates the recursive resolver, since that entity still receives the full query stream.[7]
Content Filtering and Public Policy
DoH can bypass DNS-based filtering deployed by access providers, including parental controls and some forms of regulatory blocking. When browsers or applications direct DNS queries to external DoH resolvers, ISP-level policies applied at the traditional DNS layer may no longer be effective. The tension between user-controlled encrypted DNS and network-level filtering has been discussed in national policy debates, notably in the United Kingdom, and within the ICANN community.
"SAC109" and the later "SAC127: DNS Blocking Revisited" note that encrypted DNS makes it more difficult for third parties to observe or measure DNS-based blocking, and that some forms of blocking will move away from DNS to other layers (such as IP or URL blocking) as a result.[8]
DoH in context
Security agencies and enterprises have tended to favour a controlled deployment model for DoH and related encrypted DNS transports. Guidance from the U.S. National Security Agency (NSA) recommends that enterprises direct encrypted DNS to designated resolvers under organizational control, rather than allowing applications to choose arbitrary external DoH endpoints.[9]
In this view, DoH is a tool to protect DNS queries on untrusted networks and to support “protective DNS” services that block malicious domains, while still preserving visibility for security monitoring and incident response. Later NSA and CISA guidance on protective DNS treats DoH, DoT, and DNS over QUIC as interchangeable transports that can carry policy-enforced DNS traffic while providing confidentiality against external observers.[10]
The SSAC has analysed DoH, DoT and related work in SAC109, focusing on deployment models, resolver discovery, and the balance between privacy and operational visibility.[7] The Root Server System Advisory Committee (RSSAC) has considered how increasing use of encrypted DNS may affect query patterns seen at the root and the design of future measurement and reporting mechanisms.[11] Measurements by APNIC and others provide empirical data on where DoH is actually being used, informing assessments of its impact on operations and policy tools.[5]
See Also
References
- [1] P. Hoffman, P. McManus, "DNS Queries over HTTPS (DoH)", RFC 8484, IETF, October 2018.
- [2] "DNS over HTTPS", Wikipedia (accessed 2025-11-25).
- [3] Mozilla Support, "Firefox DNS over HTTPS" (accessed 2025-11-25).
- [4] Congressional Research Service, "DNS over HTTPS—What Is It and Why Do People Care?", 16 October 2019.
- [5] APNIC Blog, "The prevalence of DNS over HTTPS", 13 September 2021.
- [6] J. Livingood, "DNS over HTTPS (DoH) Implementation Risks & Issues", Internet-Draft, IETF, 2019.
- [7] ICANN SSAC, "SAC109: The Implications of DNS over HTTPS and DNS over TLS", 12 March 2020.
- [8] ICANN SSAC, "SAC127: DNS Blocking Revisited", 16 May 2025.
- [9] NSA, "Adopting Encrypted DNS in Enterprise Environments", 14 January 2021.
- [10] NSA & CISA, "Selecting a Protective DNS Service", April 2025.
- [11] RSSAC, "RSSAC Examines Impact of Emerging Technologies on Root Server System and Identifies Future Challenges", 14 March 2023.