DNS over HTTPS (DoH) carries ordinary DNS queries and responses inside HTTPS requests, so that they are encrypted by TLS while in transit. The DoH protocol has been published as a proposed standard by the IETF as RFC 8484.
DNS queries and responses have historically been sent as plaintext, potentially compromising the privacy of internet users, including visitors to encrypted HTTPS websites: the page content is protected by TLS, but the name of the site being visited is still exposed by the DNS lookup. DoH prevents on-path observers, whether attackers or government authorities, from reading or tampering with users’ DNS queries in transit (the DoH resolver itself still sees every query), and it also buries DNS traffic on port 443 (the standard HTTPS port), where it is difficult to distinguish from other encrypted traffic.
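To make the protocol concrete, here is an added Python example (not code from RFC 8484, Chrome or Firefox) that builds a DNS wire-format query, wraps it in the two HTTP request forms RFC 8484 defines (GET with a base64url `dns=` parameter, and POST with an `application/dns-message` body), and parses a constructed response. The resolver URL `https://dns.example/dns-query` and the sample response bytes are assumptions; the GET URL it produces for www.example.com matches the worked example in RFC 8484 (section 4.1.1).

```python
import base64
import struct
import urllib.request
from typing import Tuple

# Hypothetical resolver URL template (assumption; replace with a real DoH endpoint).
DOH_URL = "https://dns.example/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a wire-format DNS query (RFC 1035): header, one question, RD flag set.

    RFC 8484 recommends txid 0 for GET requests so that identical questions yield
    identical URLs and can be served from HTTP caches.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form (RFC 8484 section 6): the wire query, base64url-encoded, padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def doh_request(base_url: str, query: bytes, method: str = "GET") -> urllib.request.Request:
    """Build the HTTP request for either RFC 8484 form; urllib.request.urlopen() would send it."""
    headers = {"Accept": "application/dns-message"}
    if method == "GET":
        return urllib.request.Request(doh_get_url(base_url, query), headers=headers)
    headers["Content-Type"] = "application/dns-message"
    return urllib.request.Request(base_url, data=query, headers=headers, method="POST")


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past the name field)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            jumps += 1
            if jumps > 16:  # a pointer loop in a malicious response must not hang the parser
                raise ValueError("too many compression pointers")
            if end is None:  # the name field ends after the first pointer
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), end if end is not None else offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode and the answer section as (name, type, ttl, rdata) tuples."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render the IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


# Constructed sample of what a resolver would return as an application/dns-message
# body for the query above (192.0.2.1 is documentation address space, not a real host).
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # QR, RD, RA; 1 question, 1 answer
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"     # question echoed back
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"  # name -> offset 12, A, IN, TTL 300, 4 bytes
    b"\xc0\x00\x02\x01"                                  # 192.0.2.1
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print("GET ", doh_request(DOH_URL, q).full_url)
    print("POST", doh_request(DOH_URL, q, "POST").get_method(), len(q), "bytes in body")
    print(parse_response(SAMPLE_RESPONSE))
```

Nothing in the message format changes: the same bytes that would go to UDP port 53 go in the URL or the POST body, and the resolver returns the same wire-format response as the HTTP body. That is also why a DoH resolver sees exactly what a plaintext resolver would see.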
DoH in Chrome and Firefox
Recent announcements by Google and Mozilla about their browser implementations have put DoH into the spotlight for privacy-seeking internet users:
- The Chromium Blog announced on September 10, 2019 that Chrome 78 will include an experiment that will use DoH if the user’s existing DNS provider is on a list of selected DoH-compatible providers included with the browser. If the user’s provider is not on the list, the browser will fall back to the plain-text DNS protocol.
- Mozilla announced on September 6, 2019 that they will be rolling out DoH as a default setting for its Firefox browser in the USA “starting in late September.” Mozilla’s plan has been criticized because, unlike Google’s implementation, Firefox will use Cloudflare’s DoH servers by default (although the user may manually specify another provider).
What About DNS over TLS?
DNS over TLS (DoT), published by the IETF in RFCs 7858 and 8310, is similar to DoH in that it encrypts DNS queries and responses; however, DoT operates over its own dedicated port, 853, rather than DoH’s port 443. In support of DoT over DoH, some network security experts argue that using a distinct port for DNS requests is essential for effective traffic inspection and control: DoT can be identified, logged or blocked by port alone, whereas DoH is indistinguishable from ordinary HTTPS unless the resolver’s hostname or address is already known.
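As an added illustration of the inspection argument (not code from the original article): the classifier below, run over constructed flow records, shows that DoT is identifiable from its port alone, while DoH on port 443 can only be spotted by matching the TLS SNI against a list of known resolver hostnames, or indirectly by noticing HTTPS connections to addresses that the organisation’s own resolver never returned. The hostname list, the flow records and the resolver answer set are all assumptions.

```python
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Assumption: an organisation-maintained list of public DoH resolver hostnames.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}

Flow = Tuple[str, int, Optional[str]]  # (dst_ip, dst_port, TLS SNI or None)

# Constructed flow records; not real traffic. 192.0.2.0/24 is documentation address space.
SAMPLE_FLOWS: List[Flow] = [
    ("192.0.2.10", 53, None),                           # plaintext DNS
    ("192.0.2.11", 853, None),                          # DoT: identifiable from the port alone
    ("192.0.2.12", 443, "mozilla.cloudflare-dns.com"),  # DoH: only the SNI gives it away
    ("192.0.2.13", 443, "www.example.com"),             # ordinary HTTPS
    ("192.0.2.14", 443, "www.example.net"),             # HTTPS to an address our resolver never handed out
    ("192.0.2.15", 443, None),                          # TLS without a visible SNI: opaque
]

# Constructed: A-record answers the organisation's own resolver returned in the same window.
# The DoH resolver's address (.12) is present because the browser resolves the resolver's
# hostname through the system resolver before it can switch to DoH.
LOCAL_RESOLVER_ANSWERS: Set[str] = {"192.0.2.12", "192.0.2.13", "192.0.2.15"}


def matches_known_host(sni: Optional[str]) -> bool:
    """True when the SNI is, or is a subdomain of, a listed DoH resolver hostname."""
    if not sni:
        return False
    host = sni.lower().rstrip(".")
    return any(host == k or host.endswith("." + k) for k in KNOWN_DOH_HOSTS)


def classify_flow(dst_ip: str, dst_port: int, sni: Optional[str], local_answers: Set[str]) -> str:
    """Label one flow by what port-based inspection can tell about it."""
    if dst_port == 53:
        return "dns-plaintext"
    if dst_port == 853:
        return "dot-by-port"            # the dedicated port is the whole signal
    if dst_port != 443:
        return "other"
    if matches_known_host(sni):
        return "doh-known-resolver"      # needs SNI visibility plus a curated list
    if dst_ip not in local_answers:
        return "https-unresolved-locally"  # name was resolved elsewhere, possibly via DoH
    return "https-unclassified"          # looks like any other HTTPS connection


def summarize(flows: List[Flow], local_answers: Set[str]) -> Dict[str, int]:
    """Count flows per label."""
    return dict(Counter(classify_flow(ip, port, sni, local_answers) for ip, port, sni in flows))


def needs_review(flows: List[Flow], local_answers: Set[str]) -> List[Flow]:
    """Flows that indicate, or may indicate, DNS resolution the network cannot see."""
    flagged = {"dot-by-port", "doh-known-resolver", "https-unresolved-locally"}
    return [f for f in flows if classify_flow(f[0], f[1], f[2], local_answers) in flagged]


if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_FLOWS, LOCAL_RESOLVER_ANSWERS).items()):
        print(f"{label:26} {count}")
    print("review:", needs_review(SAMPLE_FLOWS, LOCAL_RESOLVER_ANSWERS))
```

The "unresolved locally" heuristic is a lead, not proof: cached answers, address churn behind CDNs and connections made directly to an IP all produce false positives, and a flow with no visible SNI yields no signal at all. Blocking port 853 is a one-line firewall rule; blocking DoH means maintaining a resolver list and accepting that an unlisted resolver passes as ordinary HTTPS.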