Network+ · Security+ · Intermediate · 13 min read

What Is DoH? Security Definition

Also known as: DNS over HTTPS, DNS-over-HTTPS

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

Quick Definition

DNS over HTTPS (DoH) is a protocol that performs DNS resolution by sending queries and responses over an encrypted HTTPS connection rather than plaintext UDP or TCP. Standard DNS (port 53) sends queries in cleartext, allowing any intermediary to see which domains a user is visiting and even tamper with responses. DoH wraps DNS messages inside HTTP requests using TLS encryption (typically on port 443), so the DNS traffic is indistinguishable from regular web traffic. This provides confidentiality and integrity for DNS lookups, protecting against on-path attacks, DNS spoofing, and surveillance. DoH is defined in RFC 8484 and is increasingly supported by modern operating systems, browsers, and DNS providers like Cloudflare (1.1.1.1) and Google (8.8.8.8). Its primary purpose is to enhance user privacy and security, though it introduces challenges for network administrators who rely on DNS visibility for content filtering or monitoring.

Must Know for Exams

On the Network+ (N10-008) and Security+ (SY0-601) exams, DoH is tested in several ways. First, you must know the port and protocol: DoH uses TCP port 443 (HTTPS), not port 53. Second, understand the difference between DoH and DNS over TLS (DoT): DoT uses a dedicated port (853) and is easier to block, while DoH hides DNS traffic within normal HTTPS.

Third, exam questions often ask about the security benefits: DoH provides confidentiality and integrity for DNS queries, preventing eavesdropping and spoofing. Fourth, you may be asked about the impact on network monitoring: DoH can bypass content filters and parental controls that rely on inspecting DNS traffic. Fifth, know that DoH does not encrypt the destination IP address or SNI, so some metadata can still be observed.

Sixth, be aware that DoH is defined in RFC 8484. Seventh, understand that DoH works at the application layer (Layer 7). Eighth, know that browsers like Firefox and Chrome have built-in DoH support.

Ninth, recognize that DoH can be used with DNSSEC for additional validation. Tenth, be prepared for questions comparing DoH to traditional DNS, especially regarding privacy vs. network control trade-offs.

Simple Meaning

Imagine you live in a small town where everyone knows each other, and when you ask for directions to a friend's house, you shout the address across the street. Anyone passing by can hear where you're going, and a troublemaker could even yell back a fake address to send you somewhere else. DoH is like calling that friend on a private, encrypted phone line instead of shouting.

You dial a secure number, whisper the address, and only your friend hears it. Even if someone is listening on the line, they only hear garbled noise. This way, your destination stays private, and you can be sure the directions you receive are genuine.

DoH turns public, shouty DNS queries into private, secure phone calls.

Full Technical Definition

DNS over HTTPS (DoH) is a network protocol defined in RFC 8484 (November 2018) that encodes DNS queries and responses in HTTP messages over TLS (HTTPS). It operates at the Application Layer (Layer 7) of the OSI model, using the existing HTTPS infrastructure.

Mechanically, a DoH client (e.g., a browser or OS resolver) sends an HTTP POST or GET request to a DoH server endpoint (e.g., https://dns.cloudflare.com/dns-query). The DNS message is placed in the HTTP body (for POST) or encoded as a base64url parameter (for GET). The Content-Type is application/dns-message. The server responds with the DNS response in the HTTP response body. The entire exchange is encrypted by TLS, typically on TCP port 443.

This contrasts with traditional DNS, which uses UDP port 53 (or TCP for large responses) without encryption. DoH provides confidentiality (no third party can see the query), integrity (a response cannot be tampered with undetected), and authentication (the server's identity is verified via its TLS certificate). However, DoH does not encrypt the destination IP address of the DoH server itself, nor the SNI (Server Name Indication) field in the TLS handshake, so some metadata may still leak.

Alternatives include DNS over TLS (DoT, RFC 7858), which uses a dedicated port (853) and is easier to block, and DNSCrypt (not an IETF standard). DoH is often used alongside DNSSEC for end-to-end validation, because DoH alone authenticates the server you talk to, not the origin of the DNS data it returns.

Real-Life Example

At a university library, students connect to the campus Wi-Fi. The network administrator has configured a firewall to log all DNS queries for security monitoring. One student, Alice, uses a browser that has DoH enabled by default (e.g., Firefox with Cloudflare as the provider). When Alice types 'example.com', her browser does not send a plaintext DNS query to the campus DNS server. Instead, it opens a TLS connection to 1.1.1.1 on port 443 and sends an HTTPS POST containing the DNS query for 'example.com'. The campus firewall sees only encrypted traffic to 1.1.1.1 on port 443, indistinguishable from any other HTTPS request.

The DNS response from Cloudflare is also encrypted. Alice's lookup is private from the network. However, the network's content filter, which relied on blocking DNS responses for known malicious domains, is bypassed.

The administrator later notices increased HTTPS traffic to 1.1.1.1 and realizes DoH is in use. They decide to block all outbound traffic to public DNS resolvers except the campus one, but this also blocks legitimate HTTPS traffic to those IPs, causing a policy debate about privacy vs. security.

Why This Term Matters

DoH matters because it fundamentally changes the security and privacy landscape of DNS, which is a core network service. IT professionals must understand DoH to troubleshoot connectivity issues (e.g., when a firewall blocks port 443 to external resolvers), to configure network policies (e.g., allow or block DoH), and to maintain visibility for security monitoring. Without this knowledge, an admin might be puzzled why DNS filtering stops working or why users can bypass content restrictions.

In exams, DoH appears as a contrast to traditional DNS and DoT, testing your grasp of encryption, ports, and privacy implications. Mastering DoH demonstrates a modern understanding of network security and prepares you for real-world scenarios where users and applications increasingly adopt encrypted DNS.

How It Appears in Exam Questions

A common question pattern is: 'Which of the following protocols encrypts DNS queries using HTTPS?' The correct answer is DoH, with distractors like DoT (uses TLS but on port 853), DNSSEC (signs responses but doesn't encrypt), or IPsec (encrypts at a different layer).

Another pattern: 'A network administrator notices that DNS filtering is no longer working. Users can still access the internet. What is the most likely cause?' The answer is that users have enabled DoH in their browsers, bypassing the local DNS server. Wrong answers might include 'DNS cache poisoning' or 'DNSSEC validation failure.'

A third pattern: 'Which port does DNS over HTTPS use?' Options include 53, 443, 853, and 80. The correct answer is 443. A fourth pattern: 'Which of the following best describes the security benefit of DoH compared to traditional DNS?'

Correct answer: 'It encrypts the DNS query and response.' Wrong answers: 'It authenticates the DNS server' (that's DNSSEC) or 'It hides the destination IP address' (it doesn't).

Example Scenario

1. Alice opens her Firefox browser, which has DoH enabled with Cloudflare's resolver (1.1.1.1).
2. She types 'www.example.com' in the address bar.
3. Firefox checks its cache; no entry found.
4. Firefox initiates a TLS handshake with 1.1.1.1 on port 443.
5. After the TLS session is established, Firefox sends an HTTP POST request to https://1.1.1.1/dns-query with the DNS query for 'www.example.com' in the body, using Content-Type: application/dns-message.
6. Cloudflare's server receives the request, decrypts it, performs the DNS lookup (or uses its cache), and sends back an HTTP response containing the IP address (93.184.216.34) in the body, encrypted over TLS.
7. Firefox receives the response, extracts the IP, and connects to the web server.
8. The entire DNS exchange is encrypted, so Alice's ISP cannot see that she visited example.com.

Common Mistakes

DoH uses port 853 like DNS over TLS.

DoT uses port 853; DoH uses port 443 (HTTPS). Confusing the two is a common error because both encrypt DNS, but they use different ports and transport mechanisms.

Remember: DoH = 443 (HTTPS), DoT = 853 (dedicated TLS).

DoH provides complete anonymity because it encrypts everything.

DoH encrypts the DNS query and response, but the destination IP of the DoH server and the SNI field in the TLS handshake can still be observed, revealing that DoH is being used and possibly the server provider.

DoH encrypts the 'what' (domain name) but not the 'who' (server IP) or 'that' (DoH is used).

DoH is the same as DNSSEC.

DNSSEC provides data origin authentication and integrity for DNS responses using digital signatures, but it does not encrypt queries. DoH encrypts the entire exchange but does not inherently validate the authenticity of the response (though they can be used together).

DoH = encryption (privacy); DNSSEC = signatures (authenticity).

Exam Trap — Don't Get Fooled

The trap: The most dangerous trap is selecting 'DNS over TLS (DoT)' when the question asks for 'DNS over HTTPS (DoH)', because both encrypt DNS, but DoT uses a dedicated port (853) while DoH uses port 443. Candidates see 'encrypted DNS' and pick DoT without reading the 'HTTPS' part.

Why learners choose it: Learners often memorize that 'DNS over TLS' is the encrypted DNS protocol and forget that DoH is a separate standard. The similarity in acronyms (DoH vs DoT) and the shared goal of encryption cause confusion. The question may mention 'port 443' or 'HTTPS', but the candidate glosses over it.

How to avoid it: When you see 'encrypted DNS' in a question, immediately check for the port or protocol mentioned. If it says 'HTTPS' or 'port 443', the answer is DoH. If it says 'TLS' or 'port 853', it's DoT. Never assume 'encrypted DNS' automatically means DoT.

Commonly Confused With

DoH vs DNS over TLS (DoT)

DoT uses a dedicated port (853) and a TLS connection specifically for DNS, making it easier to identify and block. DoH uses port 443 and HTTP, blending with regular web traffic. DoT is defined in RFC 7858; DoH in RFC 8484.

If you configure a firewall to block all traffic to port 853, you block DoT; to block DoH, you must block specific IPs or use deep packet inspection.

DoH vs DNSSEC

DNSSEC adds digital signatures to DNS records to verify authenticity and integrity, but does not encrypt queries. DoH encrypts the entire query and response but does not inherently validate the data source. They can be used together for both privacy and security.

DNSSEC ensures the IP address for 'example.com' hasn't been tampered with; DoH ensures no one sees you asked for 'example.com'.

Step-by-Step Breakdown

Step 1: User initiates a DNS query

When a user types a domain name in a browser, the browser (or OS) needs to resolve it to an IP address. Instead of sending a plaintext UDP query to the configured DNS server, the DoH client prepares to send the query over HTTPS.

Step 2: Establish TLS connection to DoH server

The client opens a TCP connection to the DoH server (e.g., 1.1.1.1) on port 443 and performs a TLS handshake. This establishes an encrypted tunnel, authenticating the server via its certificate.

Step 3: Encode DNS query as HTTP request

The client encodes the DNS query message (in binary wire format) into an HTTP request. Typically, it uses a POST request with Content-Type: application/dns-message, or a GET request with the query base64url-encoded in the URL.

Step 4: Send HTTP request over TLS

The client sends the HTTP request over the encrypted TLS connection. The request is sent to the DoH server's endpoint (e.g., https://dns.cloudflare.com/dns-query). The network sees only encrypted HTTPS traffic to that IP.

Step 5: Server processes and responds

The DoH server decrypts the request, extracts the DNS query, performs the resolution (or uses cache), and sends back an HTTP response containing the DNS response message in the body, also encrypted over TLS. The client decrypts it and uses the IP address.
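The encoding described in the Full Technical Definition and in Steps 3 to 5 above, as an added example (not code from the page, RFC 8484 or any resolver): it builds a DNS query in wire format, wraps it in both the GET form (base64url in the 'dns' parameter, padding removed) and the POST form (raw body with Content-Type: application/dns-message), and parses A records out of a wire-format reply. The endpoint name is Cloudflare's public DoH endpoint; the reply bytes are constructed inline, so nothing is sent over the network.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (header + one question); ID 0 per RFC 8484 so GET URLs cache well."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)          # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)            # QTYPE, QCLASS=IN

def doh_get_url(endpoint: str, msg: bytes) -> str:
    """GET form: message in the 'dns' parameter, base64url with '=' padding removed."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def doh_post_request(host: str, path: str, msg: bytes) -> bytes:
    """POST form: raw message as body; these bytes travel inside TLS on port 443."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: application/dns-message\r\n"
            "Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode() + msg

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name; a byte with the top two bits set is a 2-byte pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg: bytes) -> list[str]:
    """IPv4 addresses from the answer section of a wire-format DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                                                # RCODE != NOERROR
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                                # skip QTYPE, QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:                 # A record, class IN
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

# Constructed reply (not captured traffic): QR|RD|RA, echoed question, one A record whose name is a pointer to offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + b"\x03www\x07example\x03com\x00"
                   + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
```

The GET URL produced for 'www.example.com' carries the same 44-character 'dns' value that RFC 8484 uses in its own example, which is a quick way to check the encoder.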

Practical Mini-Lesson

DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by sending them over HTTPS. The core concept is to protect user privacy and prevent tampering. How it works: A DoH client (browser, OS, or stub resolver) sends DNS queries as HTTP requests to a DoH-compatible server.

The server responds with DNS answers in HTTP responses. All communication is encrypted with TLS, typically on port 443. This makes DoH traffic look like regular web traffic, making it difficult to block or filter.

Comparison to similar technologies: DNS over TLS (DoT) also encrypts DNS but uses a dedicated port (853), making it easier to identify and block. DNSSEC adds digital signatures to DNS responses but does not encrypt queries. Traditional DNS uses plaintext UDP on port 53, offering no privacy.

Configuration: In Firefox, DoH can be enabled in Settings > Network Settings > Enable DNS over HTTPS. Choose a provider (e.g., Cloudflare, NextDNS). In Windows 11, DoH can be configured in network adapter settings.

For enterprise networks, administrators may want to disable DoH to maintain DNS visibility, using group policies or firewall rules to block outbound port 443 to known DoH resolvers. Key takeaway: DoH enhances privacy but reduces network administrators' ability to monitor and filter DNS traffic. On exams, remember that DoH uses port 443, is defined in RFC 8484, and is an application-layer protocol.

It does not encrypt the destination IP or SNI, so it is not a complete privacy solution.

Memory Tip

Remember 'DoH' as 'DNS over HTTPS' — the 'H' stands for 'Hidden' because it hides your DNS queries inside regular web traffic. Also, think '443' — the port for HTTPS is also the port for DoH. If you see 'encrypted DNS on port 443', it's DoH.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008 (legacy) → N10-009 (current version)
SY0-601 (legacy) → SY0-701 (current version)

Frequently Asked Questions

Does DoH work with any DNS server?

No, DoH requires a DNS server that supports the HTTPS protocol and the /dns-query endpoint. Popular public DoH servers include Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9). Your local DNS server may not support DoH unless specifically configured.

What is the difference between DoH and DoT?

DoH (DNS over HTTPS) uses port 443 and HTTP, making it look like regular web traffic. DoT (DNS over TLS) uses the dedicated port 853 and a TLS connection carrying only DNS. DoT is easier to block because it uses a port dedicated to DNS, while DoH is harder to filter without deep packet inspection.

Can DoH be blocked by a firewall?

Yes, but it's difficult because DoH uses port 443, which is typically open for web traffic. To block DoH, an administrator must block or redirect traffic to known DoH server IPs, or use SSL/TLS inspection to detect DoH traffic patterns. Some firewalls can identify DoH by analyzing HTTP headers.
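The grading of evidence this answer and the library scenario describe, as an added example (not the page's own code or any vendor's): each flow record is classified by the strongest indicator available, from a decrypted Content-Type or /dns-query path down to a bare destination IP, so an administrator can see why an IP-only block also catches ordinary HTTPS to the same address. The resolver and SNI lists, the 10.0.0.53 campus resolver and all flow records are constructed for the example.

```python
from dataclasses import dataclass

# Constructed inventory for the example; a real deployment maintains its own list.
KNOWN_DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
KNOWN_DOH_SNI = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

@dataclass
class Flow:
    src: str
    dst_ip: str
    dst_port: int
    sni: str = ""           # readable from the ClientHello without decryption (no ECH)
    content_type: str = ""  # only present when TLS inspection terminates the session
    path: str = ""          # likewise; the HTTP request target

def classify(flow: Flow) -> str:
    """Grade one flow: 'doh-confirmed', 'doh-likely', 'doh-possible' or 'not-doh'."""
    if flow.dst_port != 443:
        return "not-doh"    # DoT (853) and plain DNS (53) are a different detection
    # Strongest evidence needs decrypted HTTP: the RFC 8484 media type or the /dns-query path.
    if flow.content_type == "application/dns-message" or flow.path.split("?")[0] == "/dns-query":
        return "doh-confirmed"
    # SNI of a known DoH service is visible without inspection and is fairly specific.
    if flow.sni in KNOWN_DOH_SNI:
        return "doh-likely"
    # Destination IP alone is weak evidence: 1.1.1.1 also serves an ordinary website,
    # which is why an IP-only block catches legitimate HTTPS as well.
    if flow.dst_ip in KNOWN_DOH_RESOLVER_IPS:
        return "doh-possible"
    return "not-doh"

def triage(flows: list[Flow]) -> dict[str, list[Flow]]:
    """Bucket flows by verdict: block or alert on confirmed and likely, review possible."""
    buckets: dict[str, list[Flow]] = {"doh-confirmed": [], "doh-likely": [], "doh-possible": [], "not-doh": []}
    for f in flows:
        buckets[classify(f)].append(f)
    return buckets

# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.20.4.17", "1.1.1.1", 443, "cloudflare-dns.com", "application/dns-message", "/dns-query"),
    Flow("10.20.4.22", "8.8.8.8", 443, "dns.google"),                        # SNI seen, no inspection
    Flow("10.20.4.31", "1.1.1.1", 443, "one.one.one.one", "text/html", "/"),  # resolver's web page
    Flow("10.20.4.40", "93.184.216.34", 443, "www.example.com"),
    Flow("10.20.4.40", "10.0.0.53", 53),                                     # hypothetical campus resolver
]
```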

Is DoH enabled by default in browsers?

In some browsers, yes. For example, Firefox has DoH enabled by default for users in the US (using Cloudflare). Chrome also has DoH but may use the system's DNS resolver unless configured otherwise. Windows 11 allows DoH configuration at the OS level.

Why would an organization want to disable DoH?

Organizations often rely on DNS monitoring for security (e.g., blocking malicious domains) and content filtering (e.g., parental controls). DoH bypasses these controls because DNS queries are encrypted and sent to external resolvers. Disabling DoH ensures that all DNS traffic goes through the organization's DNS server.

Summary

1. DoH (DNS over HTTPS) encrypts DNS queries and responses using HTTPS (TLS on port 443), providing confidentiality and integrity for DNS lookups.
2. It operates at the application layer (Layer 7), is defined in RFC 8484, and makes DNS traffic indistinguishable from regular web traffic.
3. The most important exam fact: DoH uses TCP port 443, not port 53 or 853 (DoT). Remember that DoH can bypass network content filters because it hides DNS queries from the local network.