
What Is DNS over HTTPS? Security Definition

Also known as: DNS over HTTPS, DoH, DNS encryption, Network+ DNS, Security+ DNS

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

DNS over HTTPS is a way to look up website addresses privately. Instead of sending your DNS requests in plain text, where anyone on the network path can read them, it wraps them in the same encryption used for secure websites. This hides your lookups from your local network and ISP and stops an attacker on that path from altering the answers. It does not protect you from a dishonest resolver, which still sees every query.

Must Know for Exams

DNS over HTTPS appears in both CompTIA Network+ and Security+ certification exams. On the Network+ exam, DoH is typically covered under the domain of network security and network services. You need to understand that DoH encrypts DNS queries using HTTPS to provide confidentiality. The exam may ask you to compare DoH with traditional DNS or with DNS over TLS. Network+ exam objectives include understanding encryption protocols and their impact on network traffic, and DoH is a modern example of this.

On the CompTIA Security+ exam, DoH is relevant to topics such as securing network communications, encryption, and privacy controls. Security+ exam objectives include knowledge of secure protocols, including DNSSEC, DoH, and DoT. You may be asked to identify the protocol that encrypts DNS traffic over port 443, or to choose the best solution for preventing DNS eavesdropping on a public Wi-Fi network. DoH is also a textbook instance of data-in-transit encryption.

Both exams may present scenario-based questions where you are asked to recommend a security measure to protect DNS queries from being intercepted. Understanding the difference between DoH and DoT is critical. For example, DoH uses port 443 and looks like regular web traffic, making it harder to block. DoT uses a dedicated port 853 and is easier to manage on a corporate firewall. The exams test your ability to choose the right protocol for a given situation, such as a remote worker using public Wi-Fi versus a corporate network with strict content filtering.

Simple Meaning

Imagine you are sending a letter through the postal service. In the old way, your letter is in a clear envelope, so any postal worker, nosey neighbor, or even a thief along the route can read the address and see where you are sending it. They could even change the address on the envelope to send your letter to a different house. That is how traditional DNS works. Your device sends a request to a DNS server asking for the IP address of a website like www.example.com, and that request is sent in plain text over the network. Anyone on that network can see which websites you are visiting, and a malicious actor could redirect your request to a fake website.

Now, with DNS over HTTPS, the request is put inside a sealed envelope. That sealed envelope is the encryption provided by HTTPS, the same technology that protects your online banking and shopping. Your DNS query is sent securely to the DNS server, and the response comes back encrypted as well. This means your internet service provider, a hacker on a public Wi-Fi network, or anyone else cannot see which websites you are trying to visit. They cannot modify your request either. DoH is like sending your letter in a locked, armored box that only the recipient can open. It ensures privacy and integrity for one of the most fundamental services on the internet.

Think of DNS as the phonebook of the internet. When you want to call a friend, you look up their number in the phonebook. But if someone else looks over your shoulder and sees which number you are calling, they know who you are contacting. With DoH, you consult the phonebook over a private line: the only parties that see the lookup are you and the resolver you have chosen. The request is encrypted from the moment it leaves your device until it reaches that resolver, and the response is encrypted on its way back. This is a simple but powerful tool for protecting your online privacy.

Full Technical Definition

DNS over HTTPS (DoH) is a network protocol defined in RFC 8484 that performs DNS resolution via the HTTPS protocol. Traditionally, DNS queries are sent over UDP or TCP on port 53 without encryption, making them vulnerable to eavesdropping and DNS spoofing. DoH encrypts the entire DNS query and response within an HTTPS session, typically using TLS over port 443. This means the DNS traffic looks like regular web traffic to network observers.

From a technical perspective, a DoH client (such as a web browser or an operating system stub resolver) sends a DNS query to a DoH resolver as an HTTP request to a URI template such as https://cloudflare-dns.com/dns-query. The query itself is the ordinary DNS wire format. With POST it is carried as the request body with Content-Type application/dns-message; with GET it is base64url-encoded (padding removed) in the dns query parameter. The server returns a DNS message in the same wire format as the HTTP response body. The exchange runs over a TLS connection, normally HTTP/2 on port 443, which gives confidentiality and integrity for the client-to-resolver hop and lets the client authenticate the resolver through its certificate.

DoH can be implemented at the application level, for example within a web browser like Firefox or Chrome. These browsers can be configured to use a specific DoH resolver, such as Cloudflare's (https://cloudflare-dns.com/dns-query, reachable at 1.1.1.1) or Google's (https://dns.google/dns-query, reachable at 8.8.8.8). Because a DoH endpoint is a URL rather than a bare IP address, the client needs the resolver's IP address before it can send its first encrypted query; implementations ship it alongside the template or perform a one-time bootstrap lookup. Using a browser-level resolver bypasses the system's default DNS resolver, which may be provided by the ISP or local network. System-wide DoH is also possible through operating system settings or third-party software.

The use of standard HTTPS port 443 means DoH is often difficult to block or monitor using traditional network filtering tools, because it blends in with other web traffic. This has implications for network security monitoring and content filtering policies in enterprise environments. Some organizations prefer DNS over TLS (RFC 7858), which uses a dedicated port (853) and is easier to manage centrally.

DoH does not change the underlying DNS resolution process. It still uses the same hierarchical DNS infrastructure, root servers, TLD servers, and authoritative nameservers. The encryption only applies to the communication between the client and the recursive resolver. The recursive resolver still communicates with authoritative servers in plain text unless they also support encryption. This is an important point: DoH protects your privacy from your local network and ISP, but does not encrypt the entire DNS lookup chain from end to end.

Real-Life Example

Think of DNS over HTTPS like using a private mailbox at a secure post office. In the traditional DNS system, you hand your letter (your request for a website address) to any postman that comes by, and the letter is written on a postcard. Anyone who sees that postcard knows exactly where you want to go. The postman could also scribble a different address on the postcard and send you somewhere else entirely. This is how plain DNS works: it is visible and easily tampered with.

Now, imagine you have a special locked mailbox that only you and the post office manager have the key to. You write your request on a piece of paper, put it in a sealed envelope, and place it in the locked mailbox. The post office manager collects it, opens it with their key, reads your request, and writes the correct address on the envelope. Then, they put that response back in a sealed envelope and place it in the locked mailbox for you to retrieve. No one else can see what you asked for, and no one can change the response.

This is exactly how DoH works. Your computer (the locked mailbox) sends an encrypted request to the DNS resolver (the post office manager) over HTTPS. The resolver decrypts the request, performs the DNS lookup, and sends back an encrypted response. Your ISP or anyone on the network can see that you are sending data to a secure website on port 443, but they cannot see the DNS queries inside. The encryption ensures privacy and prevents tampering.

Why This Term Matters

DNS over HTTPS matters because it addresses a fundamental privacy and security flaw in the original DNS protocol. Every time you visit a website, your device sends a DNS query. Without encryption, those queries are sent in plain text across the network. Your internet service provider can log every site you visit. On public Wi-Fi, a hacker can capture your DNS traffic and see your browsing history. Worse, an attacker could perform DNS spoofing, where they intercept your query and send back a fake IP address, redirecting you to a malicious website that looks like your bank or email provider.

For IT professionals, deploying DoH is a straightforward way to enhance user privacy and security. In corporate environments, however, DoH can create challenges for DNS-level security policies. Many organizations use DNS filtering to block access to malicious domains. If employees use browsers with DoH enabled and set to external resolvers, they bypass these corporate DNS filters. This is why network administrators need to understand DoH and manage it appropriately, either by blocking DoH traffic or by deploying a corporate DoH resolver that integrates with existing security infrastructure.

From a system administration perspective, DoH is increasingly supported by major operating systems and browsers. Windows 11 and Windows Server 2022 allow system-wide DoH configuration. Browsers like Firefox and Chrome have built-in DoH features. As more devices adopt DoH, understanding how it works and how to configure it becomes essential for troubleshooting network connectivity and security issues. It also impacts network monitoring tools that rely on DNS traffic analysis, as encrypted DNS traffic is no longer visible in the same way.

How It Appears in Exam Questions

In certification exams, DNS over HTTPS appears mostly in scenario-based and conceptual questions. You might see a scenario where a user is on a public Wi-Fi network and is concerned about someone intercepting their DNS traffic. The question asks what protocol could be used to encrypt DNS queries. The correct answer would be DNS over HTTPS or DNS over TLS, depending on the specific details given.

Another common question pattern involves network monitoring. A network administrator notices that DNS traffic is no longer visible in their logs even though users are still accessing websites. The question asks why this might happen. The answer could be that users have enabled DNS over HTTPS in their browsers, encrypting the DNS queries and preventing the network monitoring tool from reading them.

Configuration questions may ask you to identify which port DoH uses. For example, the question might list several ports and ask which one is used by DNS over HTTPS. The correct answer is port 443. You may also be asked to compare DoH and DoT, either by identifying their port numbers or by explaining the key difference regarding how they handle traffic visibility on the network.

Troubleshooting questions might involve a user who cannot access certain websites after enabling DoH. The question could ask you to identify the problem, such as a misconfigured DoH resolver or a firewall blocking HTTPS connections to external DNS providers. You would need to understand that some networks block all external DNS traffic to enforce their own DNS policies, and DoH can bypass this, leading to connectivity issues.


Example Scenario

A small business owner named Maria runs a coffee shop that offers free Wi-Fi to customers. She wants to make sure her customers can browse safely, but she is worried about someone on the same network intercepting their DNS queries to see which websites they visit. Maria decides to offer DNS over HTTPS so that DNS queries on her network can be encrypted.

She sets up a local DoH resolver on a small server in the shop, has the router hand that server out as the DNS server over DHCP, and publishes the resolver's DoH URL so customers can enter it in their browser or operating system settings. A device only uses DoH if it is configured to (or discovers) a DoH endpoint; pointing plain port-53 DNS at her server does not upgrade clients by itself. Devices configured with her URL have their queries encrypted from the device to Maria's resolver, so another customer on the same Wi-Fi cannot read or alter them. Devices left on plain DNS still query her resolver over port 53 and remain exposed to on-air eavesdropping, which is the limit of what a network operator can enforce for unmanaged devices.

However, Maria also realizes that some customers' browsers may already be pointed at a different DoH resolver, such as Cloudflare's, and would therefore ignore her filtering. She blocks outbound ports 53 and 853 on the firewall except to her own resolver, which stops plain DNS and DoT from leaving the network. DoH to third-party resolvers rides on port 443 and can only be curbed by blocking the known providers' endpoints, so she accepts that her filtering applies to devices that use her resolver.

Common Mistakes

Confusing DNS over HTTPS (DoH) with DNS over TLS (DoT) by thinking they are the same protocol.

DoH and DoT both encrypt DNS queries, but they use different ports and have different characteristics. DoH uses port 443 and blends with HTTPS traffic, while DoT uses port 853 and is dedicated to DNS encryption. They are not interchangeable in all scenarios.

Remember: DoH = HTTPS port 443, DoT = dedicated port 853. DoH is harder to block because it looks like web traffic, while DoT is easier to manage in corporate firewalls.

Thinking DNS over HTTPS encrypts the entire DNS lookup from client to authoritative server.

DoH only encrypts the connection between the client and the recursive resolver. The recursive resolver still communicates with authoritative servers in plain text unless those servers also support encrypted DNS. The encryption is not end-to-end.

Understand that DoH protects your query from prying eyes on your local network and ISP, but the resolver still sends unencrypted queries further upstream.

Believing that DNS over HTTPS is only for web browsers and cannot be used system-wide.

Windows 11 (and Windows Server 2022) supports system-wide DoH in its network settings, and Linux systems can achieve the same by running a local DoH forwarding proxy (for example dnscrypt-proxy) that the system resolver points at. This means all applications on the device can use encrypted DNS, not just the browser.

Check your operating system's network settings to enable or disable system-wide DoH. It is not limited to browsers alone.

Assuming DNS over HTTPS prevents all forms of DNS tracking and monitoring.

While DoH prevents local eavesdropping and tampering, the DoH resolver itself can still log all your DNS queries. For example, if you use a public resolver like Cloudflare or Google, they have access to your browsing history. DoH does not inherently provide anonymity.

Remember that DoH protects against local threats but not against the resolver itself. Choose a trustworthy resolver if privacy is a concern.

Exam Trap — Don't Get Fooled

The exam question might ask: 'Which protocol encrypts DNS traffic using port 443?' and present both DNS over HTTPS and DNS over TLS as options. Some learners choose DNS over TLS because they know it encrypts DNS, but they forget that DoT uses port 853, not 443.

Memorize the port numbers specifically. DoH uses port 443 (HTTPS), and DoT uses port 853. When you see port 443 in a question about DNS encryption, the answer is definitely DNS over HTTPS.

Practice this distinction until it becomes automatic.

Commonly Confused With

DNS over HTTPSvsDNS over TLS (DoT)

DNS over TLS also encrypts DNS queries, but it uses a dedicated port 853 rather than port 443. DoH blends with regular HTTPS traffic, making it harder to block or monitor, while DoT traffic is easily identifiable on the network. They are similar but not identical.

If a company wants to encrypt DNS without breaking existing firewall rules, they might prefer DoT because they can create a specific rule for port 853. If they want to hide DNS traffic from network monitoring, they would use DoH on port 443.

DNS over HTTPSvsDNSSEC (DNS Security Extensions)

DNSSEC adds digital signatures to DNS records so that a validating resolver can check the data is authentic and unmodified; it does not provide encryption, so anyone on the path can still read the query. DoH provides confidentiality and authenticates the resolver's identity through its TLS certificate, but it does not verify the DNS data itself: you are trusting the resolver to return correct answers, ideally one that validates DNSSEC on your behalf.

DNSSEC is like having a signed document that you can verify came from the correct person. DoH is like putting the document in a sealed envelope. They solve different problems: one for verification, one for privacy.

DNS over HTTPSvsHTTPS (Hypertext Transfer Protocol Secure)

HTTPS is the protocol used to encrypt web traffic between a browser and a web server for secure web browsing. DNS over HTTPS uses HTTPS as a transport layer to encrypt DNS queries, but the goal is different. HTTPS encrypts website data, while DoH encrypts the lookup of website addresses.

When you visit a secure website, HTTPS protects the content of the page. When your browser uses DoH, it protects the question 'Where is the website?' before the connection is even made. They are related but distinct.

Step-by-Step Breakdown

1. User initiates a website request

When you type a domain like www.example.com into your browser, your device needs to find the IP address of that website. This starts the DNS resolution process.

2. Device checks local cache

Your device first checks its local DNS cache to see if it already has the IP address for that domain. If it does, the process stops here. If not, it sends a DNS query.

3. Query is wrapped in HTTPS

If DNS over HTTPS is configured, the DNS query is not sent in plain text on port 53. Instead, it is formatted in the normal DNS wire format and carried as the body (POST) or the base64url dns parameter (GET) of an HTTPS request, so it is encrypted by TLS.

4. Query is sent to DoH resolver

The HTTPS request goes to a DoH-capable recursive resolver identified by a URL, such as https://cloudflare-dns.com/dns-query or https://dns.google/dns-query, over port 443. The client must already know that resolver's IP address (configured alongside the URL, or obtained with a one-time bootstrap lookup), since it cannot use DoH to find the DoH server. To network observers the request looks like any other HTTPS connection, apart from the destination address and, unless Encrypted Client Hello is in use, the server name in the TLS handshake.

5. Resolver decrypts and processes query

The DoH resolver terminates TLS, reads the DNS query, and performs standard recursion, contacting root, TLD and authoritative servers as needed. Those upstream queries are normally plain DNS over port 53.

6. Resolver sends encrypted response

The resolver returns the DNS response (the IP address and other records) as the body of the HTTPS response, over the same encrypted connection.

7. Device decrypts and uses response

Your browser or operating system decrypts the HTTPS response, extracts the DNS message, caches it according to its TTL, and connects to the IP address. The entire process is transparent to the user.
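The request and response described in the Full Technical Definition and in the steps above, as an added Python example that is not code from the original page: it builds an RFC 8484 query in DNS wire format, shows the GET encoding (base64url in the dns parameter, padding removed) and the POST encoding (raw body, Content-Type application/dns-message), and parses an answer including a compression pointer. The resolver side is a constructed stand-in that returns 192.0.2.1 (a documentation address) so the whole exchange runs offline; doh_post is the only function that talks to a real resolver and is not called by default. The resolver URL is Cloudflare's public endpoint; the query name and the answer are constructed.

```python
"""RFC 8484 DoH message handling: client-side encoding plus a constructed, offline
stand-in for the resolver. Added example; not code from the original page."""
import base64
import struct
import urllib.request

DOH_TEMPLATE = "https://cloudflare-dns.com/dns-query"  # public RFC 8484 endpoint
CONTENT_TYPE = "application/dns-message"
QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode a name at offset, following compression pointers; returns (name, end)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # 14-bit pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name: str, qtype: int = QTYPE_A, qid: int = 0) -> bytes:
    """Wire-format query; RFC 8484 recommends ID 0 so GET URLs are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags: RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(template: str, message: bytes) -> str:
    """GET form: the message goes in ?dns= as base64url with padding removed."""
    param = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{template}?dns={param}"


def doh_post(template: str, message: bytes, timeout: float = 5.0) -> bytes:
    """POST form: raw wire-format body. The only function here that uses the network."""
    req = urllib.request.Request(template, data=message, method="POST",
                                 headers={"Content-Type": CONTENT_TYPE, "Accept": CONTENT_TYPE})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS via HTTPS, port 443
        return resp.read()


def parse_message(data: bytes) -> dict:
    """Parse header, question section and answer RRs (A records rendered dotted-quad)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": qid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def mock_resolver_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed resolver: echo the question, append one A record whose owner name
    is a compression pointer (0xC00C) back to the question name at offset 12."""
    qid, _flags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", qid, 0x8180, qd, 1, 0, 0)    # QR=1 RD=1 RA=1
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def offline_lookup(name: str, ip: str = "192.0.2.1") -> dict:
    """Client -> (mock) resolver -> client, entirely in memory."""
    return parse_message(mock_resolver_response(build_query(name), ip))


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("GET :", doh_get_url(DOH_TEMPLATE, q))
    print("POST body hex:", q.hex())
    print("Parsed mock answer:", offline_lookup("www.example.com"))
    # Live lookup against the real endpoint: parse_message(doh_post(DOH_TEMPLATE, q))
```

Two details worth noticing: the DNS message inside DoH is unchanged from what would travel over UDP port 53, so existing DNS parsers work on the decrypted body, and the TLS protection comes entirely from the HTTPS layer that urllib (or a browser) negotiates with the resolver, which is why the client must be able to reach the resolver's IP address before its first encrypted query.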

Practical Mini-Lesson

DNS over HTTPS is a practical tool that IT professionals must understand for both security and troubleshooting. To configure DoH on a Windows 11 system, go to Settings, then Network & internet, then Ethernet or Wi-Fi, open the adapter's hardware properties, and under DNS server assignment click Edit. Choose Manual, turn on IPv4, enter a preferred DNS server such as 1.1.1.1, and set the DNS encryption option to encrypted (DNS over HTTPS). Windows knows the templates for the major public resolvers; for any other resolver you supply the template URL yourself, which is a URL such as https://cloudflare-dns.com/dns-query rather than an IP address. In Firefox, open Settings, then Privacy & Security, then DNS over HTTPS, choose the Increased Protection or Max Protection level, and pick Cloudflare or a custom provider URL.

In practice, what can go wrong? If a network enforces DNS filtering through a local DNS server, enabling DoH in browsers can bypass those filters. This is a common issue in schools and businesses. A user might complain that they cannot access a website, but the real issue is that their browser's DoH is sending queries to an external resolver that is blocked by the firewall. The solution is either to disable DoH in the browser or to set up a corporate DoH resolver that enforces the same security policies.

Another practical consideration is network monitoring. Many security tools rely on analyzing DNS traffic to detect malware, botnets, and phishing attempts. DoH hides this traffic from those tools, so security teams need to implement alternative monitoring methods, such as inspecting HTTPS traffic with a proxy or using TLS interception. This is a significant operational challenge in enterprise environments.
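The monitoring problem in the paragraph above, and the filter-bypass scenario earlier on the page (Maria's shop, the school and business example), as an added Python example that is not code from the original page: it classifies constructed connection records against a sanctioned internal resolver (10.0.0.53, an assumption) and flags plain DNS to outside servers, DoT, and DoH to well-known public resolvers, identified by TLS server name or, when no SNI is visible, by destination IP. The record format and the sample lines are constructed; the hostnames and IPs in the two lists are the real public endpoints of those providers.

```python
"""Audit connection records for DNS that escapes the sanctioned resolver: plain DNS to
outside servers, DNS over TLS, and DNS over HTTPS to public resolvers. Added example;
not code from the original page. The record format, the resolver address 10.0.0.53
and the sample lines are constructed; the hostnames and IPs below are real public
DoH/DNS endpoints of those providers."""
import ipaddress

SANCTIONED_RESOLVER = ipaddress.ip_address("10.0.0.53")   # assumption: the organisation's own resolver
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "doh.opendns.com"}
KNOWN_RESOLVER_IPS = {ipaddress.ip_address(a) for a in
                      ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112")}

# Constructed, Zeek-style records: ts src dst dport proto sni ('-' when no TLS SNI seen).
SAMPLE_LOG = """\
1700000001 192.168.1.10 10.0.0.53 53 udp -
1700000002 192.168.1.11 8.8.8.8 53 udp -
1700000003 192.168.1.12 1.1.1.1 853 tcp -
1700000004 192.168.1.13 203.0.113.10 443 tcp cloudflare-dns.com
1700000005 192.168.1.14 8.8.4.4 443 tcp -
1700000006 192.168.1.15 198.51.100.7 443 tcp www.example.com
1700000007 192.168.1.16 10.0.0.53 443 tcp doh.shop.internal
"""


def parse_record(line: str) -> dict:
    """Split one whitespace-separated record into typed fields."""
    ts, src, dst, dport, proto, sni = line.split()
    return {"ts": int(ts), "src": src, "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto, "sni": None if sni == "-" else sni.lower()}


def classify(rec: dict):
    """Return a verdict string for traffic that bypasses DNS policy, or None if allowed."""
    dst, port, sni = rec["dst"], rec["dport"], rec["sni"]
    if port == 53 and dst != SANCTIONED_RESOLVER:
        return "plain-dns-bypass"          # easy to block outright at the firewall
    if port == 853:
        return "dot-bypass"                # dedicated port, also easy to block
    if port == 443 and dst != SANCTIONED_RESOLVER:
        if sni and (sni in KNOWN_DOH_HOSTS or any(sni.endswith("." + h) for h in KNOWN_DOH_HOSTS)):
            return "doh-public-resolver"   # SNI names a known DoH endpoint
        if dst in KNOWN_RESOLVER_IPS:
            return "doh-suspected"         # known resolver IP, SNI absent (ECH or IP literal)
    return None                            # sanctioned resolver, or ordinary HTTPS


def audit(log_text: str) -> list:
    """Run classify over every record and collect (src, dst, port, verdict) findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        verdict = classify(rec)
        if verdict:
            findings.append((rec["src"], str(rec["dst"]), rec["dport"], verdict))
    return findings


if __name__ == "__main__":
    for src, dst, port, verdict in audit(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port}  {verdict}")
```

The last verdict marks the limit of passive detection: a DoH server on an unlisted IP, reached with Encrypted Client Hello or an unremarkable hostname, is indistinguishable from ordinary web traffic. That is why the practical recommendation is a sanctioned DoH resolver plus blocking of port 53 and 853 egress and device policy, rather than an attempt to enumerate every DoH endpoint on the internet.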

For professionals studying for Network+ or Security+ exams, remember that DoH is one of several methods to secure DNS. Compare it with DoT and DNSSEC. Understand the tradeoffs: DoH provides privacy but complicates network management; DoT is easier to filter but more visible; DNSSEC provides integrity but not privacy. Being able to recommend the right solution for a given scenario is a key skill tested on certifications. Also, be aware that DoH is increasingly adopted by major platforms, so it is no longer an edge case but a mainstream technology.

Memory Tip

Think 'DoH for 443 Hiding': DoH uses port 443 to hide DNS in regular web traffic.


Frequently Asked Questions

Does DNS over HTTPS slow down my internet connection?

DNS over HTTPS adds a little overhead: a TLS handshake when the connection to the resolver is first opened and a few bytes of HTTP framing per query. Clients keep the HTTP/2 connection open and reuse it, so the per-query cost is typically a millisecond or two. Whether lookups end up faster or slower overall depends mainly on how close and how well provisioned the chosen resolver is compared with the ISP's; a public resolver can be faster, but that is not guaranteed.

Can my ISP still see which websites I visit if I use DNS over HTTPS?

Partly. Your ISP no longer sees the DNS queries, but it still sees the IP addresses you connect to, and the server name (SNI) in the TLS handshake to most websites is sent in the clear unless Encrypted Client Hello is in use, so the hostnames are often still visible. DoH also tells the ISP that you are talking to a particular DoH resolver. For broader privacy you would need a VPN or Tor, and even then the resolver at the far end sees your queries.

Is DNS over HTTPS enabled by default on all browsers?

No, it depends on the browser and your location. Firefox and Chrome offer DoH as an option, and it may be enabled by default for some users based on their region or OS settings. Windows 11 also supports system-wide DoH configuration.

What is the difference between DNS over HTTPS and a VPN?

A VPN encrypts all your internet traffic, including DNS queries, and routes it through a remote server. DoH only encrypts your DNS queries. A VPN provides broader privacy and can mask your IP address, while DoH is a lighter solution focused only on DNS privacy.

Can DNS over HTTPS be blocked by network administrators?

Yes, but it is harder than blocking plain DNS. Plain DNS (port 53) and DoT (port 853) can be blocked outright except to the organization's own resolver. DoH uses port 443 and looks like HTTPS, so administrators fall back to blocking the IP addresses and hostnames of known public DoH resolvers, inspecting TLS server names, or routing traffic through an enterprise proxy. Firefox also honours a network canary domain, use-application-dns.net: if the local resolver answers that name with NXDOMAIN, Firefox turns off its default DoH rollout and uses the network's resolver. Managed browsers and operating systems can additionally be configured by policy to use only the corporate resolver.

Is DNS over HTTPS the same as secure DNS?

Secure DNS is a broad term that can refer to several technologies including DNSSEC, DoH, and DoT. DoH is one specific method to secure DNS by encrypting queries, but it does not provide authentication like DNSSEC does.

Summary

DNS over HTTPS is a vital protocol that encrypts DNS queries to protect user privacy and prevent tampering on the path to the resolver. It wraps traditional DNS requests inside HTTPS traffic on port 443, making them hard to distinguish from other secure web traffic. For certification exams like CompTIA Network+ and Security+, you need to understand how DoH works, its port number, how it compares with DNS over TLS and DNSSEC, and its impact on network security and monitoring.

DoH is not a complete privacy solution because it only encrypts the client-to-resolver leg, and the resolver can still log data. However, it is a powerful tool against local eavesdropping and DNS spoofing. Practical knowledge includes configuring DoH on browsers and operating systems, and troubleshooting issues that arise when DoH bypasses enterprise DNS filtering.

Remember the key distinction: DoH uses port 443, DoT uses port 853. Master these details to confidently answer exam questions and apply this knowledge in real IT work.