DNS over HTTPS
DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks, using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States. An alternative to DoH is the DNS over TLS (DoT) protocol, a similar standard for encrypting DNS queries, differing only in the methods used for encryption and delivery. Which of the two protocols is superior in terms of privacy and security is a matter of debate, while others argue that the merits of either depend on the specific use case.


Technical details

DoH is a proposed standard, published as RFC 8484 (October 2018) by the IETF. It uses HTTP/2 and HTTPS, and supports the ''wire format'' DNS response data, as returned in existing UDP responses, in an HTTPS payload with the MIME type ''application/dns-message''. If HTTP/2 is used, the server may also use HTTP/2 server push to send values that it anticipates the client may find useful in advance.

DoH is a work in progress. Even though the IETF has published RFC 8484 as a proposed standard and companies are experimenting with it, the IETF has yet to determine how it should best be implemented. The IETF is evaluating a number of approaches for how best to deploy DoH and is looking to set up a working group, Adaptive DNS Discovery (ADD), to do this work and develop a consensus. In addition, other industry working groups such as the Encrypted DNS Deployment Initiative have been formed to "define and adopt DNS encryption technologies in a manner that ensures the continued high performance, resiliency, stability and security of the Internet's critical namespace and name resolution services, as well as ensuring the continued unimpaired functionality of security protections, parental controls, and other services that depend upon the DNS". Since DoH cannot be used under some circumstances, like captive portals, web browsers like Firefox can be configured to fall back to insecure DNS.
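As an added worked example (not code from the page or from any DoH implementation it names), the following Python builds a DNS query in wire format, encodes it in the RFC 8484 GET form, and parses an ''application/dns-message'' response; the endpoint hostname and the sample response are constructed placeholders.

```python
from __future__ import annotations
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a DNS question in RFC 1035 wire format (the DoH request body).
    The ID is fixed at 0, as RFC 8484 recommends, so identical queries give
    identical HTTP requests that HTTP caches can serve."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: 'dns' parameter, base64url with '=' padding omitted."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"

def decode_dns_param(token: str) -> bytes:
    """Server side of the GET form: restore the padding and decode the message."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset after it."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_answers(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Parse an application/dns-message response into (name, type, ttl, rdata)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        text = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers

# Constructed sample response (not captured traffic): ID 0, QR|RD|RA flags,
# one question, one A record whose name is a pointer (0xC00C) to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    # The endpoint hostname is a placeholder, not a real resolver.
    print(doh_get_url("https://doh.example.net/dns-query", build_query("www.example.com")))
    print(parse_answers(SAMPLE_RESPONSE))
```

For www.example.com the generated `dns=` token matches the GET example given in RFC 8484 itself.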


Oblivious DNS-over-HTTPS

Oblivious DoH is an Internet Draft proposing a protocol extension to ensure that no single DoH server is aware of both the client's IP address and their message contents. Oblivious DoH was originally developed as Oblivious DNS (ODNS) by researchers at Princeton University and the University of Chicago as an extension to unencrypted DNS, before DoH itself was standardized and widely deployed. Apple and Cloudflare subsequently deployed the technology in the context of DoH, as Oblivious DoH (ODoH). In ODoH and ODNS, all DNS requests and responses are routed via a proxy, hiding clients' addresses from the resolver. Requests are encrypted to hide their contents from the proxy, and only the resolver can decrypt the request. Thus, the proxy knows the client address but not the request, and the resolver knows the request but not the client address, preventing the client address from being linked to the query unless both servers collude.


Deployment scenarios

DoH is used for recursive DNS resolution by DNS resolvers. Resolvers (''DoH clients'') must have access to a DoH server hosting a query endpoint. Three usage scenarios are common:
* Using a DoH implementation within an application: Some browsers have a built-in DoH implementation and can thus perform queries by bypassing the operating system's DNS functionality. A drawback is that an application may not inform the user if it skips DoH querying, either through misconfiguration or lack of support for DoH.
* Installing a DoH proxy on the name server in the local network: In this scenario, client systems continue to use traditional (port 53 or 853) DNS to query the name server in the local network, which then gathers the necessary replies via DoH by reaching DoH servers on the Internet. This method is transparent to the end user.
* Installing a DoH proxy on a local system: In this scenario, operating systems are configured to query a locally running DoH proxy. In contrast to the previous method, the proxy needs to be installed on each system wishing to use DoH, which might require a lot of effort in larger environments.


Software support


Operating systems


Apple

Apple's iOS 14 and macOS 11, released in late 2020, support both the DoH and DoT protocols.


Windows

In November 2019, Microsoft announced plans to implement support for encrypted DNS protocols in Microsoft Windows, beginning with DoH. In May 2020, Microsoft released Windows 10 Insider Preview Build 19628, which included initial support for DoH along with instructions on how to enable it via the registry and the command-line interface. Windows 10 Insider Preview Build 20185 added a graphical user interface for specifying a DoH resolver. DoH support is not included in Windows 10 21H2. Windows 11 has DoH support.


Recursive DNS resolvers


BIND

BIND 9, an open source DNS resolver from Internet Systems Consortium, added native support for DoH in version 9.17.10.


PowerDNS

DNSdist, an open source DNS proxy/load balancer from PowerDNS, added native support for DoH in version 1.4.0 in April 2019.


Unbound

Unbound, an open source DNS resolver created by NLnet Labs, has supported DoH since version 1.12.0, released in October 2020. It first implemented support for DNS encryption using the alternative DoT protocol much earlier, starting with version 1.4.14, released in December 2011. Unbound runs on most operating systems, including distributions of Linux, macOS, and Windows.


Web browsers


Google Chrome

DNS over HTTPS is available in Google Chrome 83 for Windows, Linux, and macOS, configurable via the settings page. When enabled, and the operating system is configured with a supported DNS server, Chrome will upgrade DNS queries to be encrypted. It is also possible to manually specify a preset or custom DoH server to use within the user interface. In September 2020, Google Chrome for Android began a staged rollout of DNS over HTTPS. Users can configure a custom resolver or disable DNS over HTTPS in settings. Google Chrome has five DNS over HTTPS providers preconfigured: Google Public DNS, Cloudflare 1.1.1.1, Quad9 9.9.9.9, NextDNS, and CleanBrowsing.


Microsoft Edge

Microsoft Edge supports DNS over HTTPS, configurable via the settings page. When enabled, and the operating system is configured with a supported DNS server, Edge will upgrade DNS queries to be encrypted. It is also possible to manually specify a preset or custom DoH server to use within the user interface.


Mozilla Firefox

In 2018, Mozilla partnered with Cloudflare to deliver DoH for Firefox users that enable it (known as Trusted Recursive Resolver). On February 25, 2020, Firefox started enabling DNS over HTTPS for all US-based users, relying on Cloudflare's resolver by default.


Opera

Opera supports DoH, configurable via the browser settings page. By default, DNS queries are sent to Cloudflare servers.


Public DNS servers

DNS over HTTPS server implementations are already available free of charge from some public DNS providers.


Implementation considerations

Many issues with how to properly deploy DoH are still being resolved by the internet community, including, but not limited to:
* Stopping third parties from analyzing DNS traffic for security purposes
* Disruption of DNS-level parental controls and content filters
* Split DNS in enterprise networks
* CDN localization


Analysis of DNS traffic for security purposes

DoH can impede analysis and monitoring of DNS traffic for cybersecurity purposes; the 2019 DDoS worm Godlua used DoH to mask connections to its command-and-control server. In January 2021, the NSA warned enterprises against using external DoH resolvers because they prevent DNS query filtering, inspection, and audit. Instead, the NSA recommends configuring enterprise-owned DoH resolvers and blocking all known external DoH resolvers.
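As an added illustration of the enterprise policy described above (example code, not from the page or from the NSA guidance): a small detector that, given constructed proxy log lines, flags clients reaching any DoH endpoint other than the organisation's own resolver, using both a list of known public endpoints and the RFC 8484 request shape. The approved hostname is a placeholder, and the external-resolver entries are illustrative; an operator would maintain the real list.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# The resolver the enterprise operates itself (placeholder hostname).
APPROVED_DOH_HOSTS = {"doh.corp.example"}

# Illustrative entries for a denylist of public DoH endpoints; a real
# deployment keeps this list current for the resolvers its policy names.
KNOWN_EXTERNAL_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

DOH_CONTENT_TYPE = "application/dns-message"  # media type defined by RFC 8484

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    reason: str

def parse_log_line(line: str) -> dict[str, str]:
    """Parse the constructed 'key=value' proxy log format into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def classify(event: dict[str, str]) -> Optional[Alert]:
    """Flag DoH use that bypasses the enterprise resolver.

    Two signals: the destination is a known public DoH endpoint, or the HTTP
    exchange itself looks like DoH (the 'dns=' GET parameter or the RFC 8484
    media type) towards a host that is not the approved resolver."""
    dst = event.get("dst", "").lower()
    if dst in APPROVED_DOH_HOSTS:
        return None  # traffic to the enterprise-owned resolver is expected
    if dst in KNOWN_EXTERNAL_DOH_HOSTS:
        return Alert(event["src"], dst, "known external DoH resolver")
    path = event.get("path", "")
    ctype = event.get("ctype", "").lower()
    if ctype == DOH_CONTENT_TYPE or re.search(r"[?&]dns=", path):
        return Alert(event["src"], dst, "DoH-shaped request to unapproved host")
    return None

def scan(lines: list[str]) -> list[Alert]:
    """Run the classifier over a batch of log lines and keep the alerts."""
    return [a for a in (classify(parse_log_line(l)) for l in lines) if a]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "ts=2024-01-01T00:00:00Z src=10.0.0.5 dst=doh.corp.example port=443 "
    "path=/dns-query?dns=AAAB ctype=application/dns-message",
    "ts=2024-01-01T00:00:01Z src=10.0.0.7 dst=dns.google port=443 "
    "path=/dns-query?dns=AAAB ctype=-",
    "ts=2024-01-01T00:00:02Z src=10.0.0.9 dst=resolver.example.org port=443 "
    "path=/resolve ctype=application/dns-message",
    "ts=2024-01-01T00:00:03Z src=10.0.0.11 dst=www.example.com port=443 "
    "path=/index.html ctype=-",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.src} -> {alert.dst}: {alert.reason}")
```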


Disruption of content filters

DoH has been used to bypass parental controls which operate at the (unencrypted) standard DNS level; Circle, a parental control router which relies on DNS queries to check domains against a blocklist, blocks DoH by default because of this. However, there are DNS providers that offer filtering and parental controls along with support for DoH by operating DoH servers. The Internet Service Providers Association (ISPA)—a trade association representing British ISPs—and the British body Internet Watch Foundation have criticized Mozilla, developer of the Firefox web browser, for supporting DoH, as they believe that it will undermine web blocking programs in the country, including ISP default filtering of adult content, and mandatory court-ordered filtering of copyright violations. The ISPA nominated Mozilla for its "Internet Villain" award for 2019 (alongside the EU Directive on Copyright in the Digital Single Market, and Donald Trump), "for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK." Mozilla responded to the allegations by the ISPA, arguing that it would not prevent filtering, and that they were "surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure". In response to the criticism, the ISPA apologized and withdrew the nomination. Mozilla subsequently stated that DoH will not be used by default in the British market until further discussion with relevant stakeholders, but stated that it "would offer real security benefits to UK citizens".


See also

* DNS over TLS
* DNSCrypt
* DNSCurve
* EDNS Client Subnet




External links


* DNS Privacy Project: dnsprivacy.org
* DNS over HTTPS Implementations
* A cartoon intro to DNS over HTTPS
* DNS over HTTPS (DoH) Considerations for Operator Networks (draft, expired on 12 March 2020)
* Privacy Tools - Encrypted DNS Resolver