Network Security
DNS over HTTPS (DoH)
Also known as: DoH
Definition
A protocol that carries DNS queries and responses over an encrypted HTTPS connection, protecting them from eavesdropping and tampering on the local network.
DoH (RFC 8484) wraps standard DNS queries inside HTTPS requests sent to a DoH-capable resolver, typically on port 443. Because the traffic looks like ordinary HTTPS web traffic, it is hard to block selectively, and it is encrypted end-to-end between the client and the resolver. This prevents on-path attackers, captive portals, or ISPs from observing or rewriting DNS lookups. DoH does not authenticate the DNS data itself (that is DNSSEC's job), but it preserves query confidentiality. Enterprises sometimes resist DoH because it bypasses local DNS-based filtering and visibility; mitigations include enforcing a managed resolver, blocking known public DoH endpoints, or using a secure-DNS policy delivered via Discovery of Designated Resolvers (DDR, RFC 9462).
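The RFC 8484 encoding described above, as an added example that is not part of this glossary: it builds a wire-format DNS query, encodes it for the DoH GET form (the POST form sends the same bytes as the request body with Content-Type application/dns-message), and parses a constructed application/dns-message response. The resolver URL is a placeholder and no traffic is sent; the TLS layer is whatever HTTP client you hand the URL or body to.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query; ID 0 as RFC 8484 suggests for GET, so identical queries map to cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)      # flags: RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)          # class IN

def doh_get_url(query: bytes, resolver: str = "https://doh.example.net/dns-query") -> str:
    """GET form: base64url of the message, '=' padding stripped, in the dns= parameter.
    The resolver URL is a hypothetical placeholder."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a name that may use RFC 1035 compression pointers; return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                                     # 2-byte pointer to an earlier name
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_a_records(msg: bytes) -> list:
    """Extract IPv4 answers from an application/dns-message response body."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:                     # QR must be set, RCODE must be 0
        raise ValueError("not a NOERROR DNS response")
    off, addrs = 12, []
    for _ in range(qd):                                          # skip the question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs
# Constructed response (not a real capture): www.example.com A 192.0.2.1, TTL 3600, compressed owner name.
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   + build_query("www.example.com")[12:]
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
```

The base64url string produced for www.example.com matches the GET example given in RFC 8484 itself.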
Examples
- A browser is configured to use Cloudflare 1.1.1.1 over DoH, encrypting all DNS lookups regardless of the OS resolver.
- A mobile carrier cannot inject DNS-based ad redirects because the device resolves names via DoH.
Related terms
DNS over TLS (DoT)
DNS over TLS (DoT) — definition coming soon.
DNSSEC
A set of DNS extensions that cryptographically sign zone data so resolvers can verify the authenticity and integrity of DNS responses.
DNS Spoofing
An attack that injects falsified DNS responses to redirect victims from a legitimate domain to an attacker-controlled IP address.
HTTPS
HTTPS — definition coming soon.
TLS (Transport Layer Security)
TLS (Transport Layer Security) — definition coming soon.
Man-in-the-Middle Attack
An attack in which an adversary secretly relays or alters communications between two parties who believe they are talking directly to each other.