
DNS over HTTPS

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: Domain Name System (hop 3)
Name: DNS over HTTPS
Abbreviation: DoH
Introduced: 2018
Status: Internet Standard (IETF)
Developer: Internet Engineering Task Force
Related: DNS, HTTPS, TLS, HTTP/2, HTTP/3

DNS over HTTPS is a network protocol that encapsulates Domain Name System queries within HTTPS requests, aiming to protect DNS resolution from on-path surveillance and tampering. It was specified by the Internet Engineering Task Force and interoperates with existing web infrastructure from vendors such as Mozilla, Google, Microsoft, Cloudflare, and various content delivery networks. Proponents include privacy advocates and technology companies; critics cite operational concerns raised by network operators and some governments.

Overview

DoH changes how clients resolve names by sending DNS queries over an encrypted Hypertext Transfer Protocol Secure (HTTPS) connection to a resolver operated by providers including Cloudflare, Google, Mozilla Corporation, Quad9, and OpenDNS. The protocol was standardized through working groups in the Internet Engineering Task Force and discussed in venues such as the Internet Governance Forum and the World Wide Web Consortium. Implementations appear in mainstream software such as Mozilla Firefox, Google Chrome, and Microsoft Edge, and on mobile platforms including Android distributions and, via third-party apps, the iOS ecosystem. Telecom operators such as AT&T and Verizon Communications and infrastructure operators including Akamai Technologies monitored adoption because DoH alters the traditional resolver role historically occupied by ISPs like Comcast and BT Group.

Technical Design and Protocol

DoH transports DNS messages as application data inside encrypted HTTP/2 or HTTP/3 streams negotiated with TLS endpoints, using the content type and URI template defined in the IETF specification. Resolvers are authenticated by server certificates issued by certificate authorities such as DigiCert, Let's Encrypt, and GlobalSign, while multiplexing and header fields follow ordinary Hypertext Transfer Protocol semantics. DoH resolvers parse DNS wire-format messages carrying record types such as A, AAAA, CNAME, TXT, and DNSSEC-related records produced by authoritative servers, including Verisign, ICANN-managed registries, and country-code registries like Nominet. Gateways and middleboxes that previously observed DNS over UDP or TCP on port 53 now see only encrypted HTTPS payloads to endpoints hosted by entities including Amazon Web Services, Google Cloud Platform, Microsoft Azure, and autonomous systems run by providers such as Level 3 Communications.
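As an added illustration of the wire format and request shape described above (example code written for this article, not taken from any vendor's implementation): it builds a DNS query, encodes it as the GET form of a DoH request, and parses the answer section of a response. The media type, the `dns` parameter and the unpadded base64url encoding are those of RFC 8484, the IETF specification; the POST form instead sends the same bytes as the request body. The endpoint URL and the response bytes are constructed.

```python
import base64
import struct
DOH_MEDIA_TYPE = "application/dns-message"   # media type from RFC 8484, the IETF DoH spec
RRTYPES = {"A": 1, "AAAA": 28, "CNAME": 5, "TXT": 16}

def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def build_query(name, rrtype="A"):
    """Single-question wire-format query, RD=1, ID=0 (DoH convention: identical, cacheable requests)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", RRTYPES[rrtype], 1)

def doh_get_url(template, query):
    """GET form: unpadded base64url of the wire message in the 'dns' query parameter."""
    return template + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def decode_name(msg, off):
    """Read a name at off, following compression pointers; returns (name, end offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                    # compression pointer into earlier data
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
        elif ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
            off += 1 + ln

def parse_answers(msg):
    """Parse answer RRs from a wire-format response; A rdata is rendered as a dotted quad."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the question section
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        answers.append((name, rtype, ttl, ".".join(map(str, rdata)) if rtype == 1 else rdata))
    return answers
# Constructed sample response (not captured traffic): example.com A -> 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

With ID 0 and the name www.example.com, the GET URL produced here matches the worked example given in RFC 8484.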

Privacy and Security Implications

By encrypting queries, DoH reduces exposure to passive observers of the kind documented in investigations by organizations like the Electronic Frontier Foundation and watchdogs like Privacy International. It mitigates on-path manipulation techniques used in incidents associated with nation-state actions and commercial interception, as noted in case studies involving Operation Aurora and other intrusion campaigns attributed to state-linked groups. However, centralized DoH resolvers introduce concentration risks: traffic funneled to providers like Cloudflare or Google raises concerns about data aggregation and lawful access under statutes such as the USA PATRIOT Act and national laws enforced by agencies like the Federal Bureau of Investigation and GCHQ. Because DoH protects only the hop between client and resolver, interaction with DNSSEC validation, provided by registries exemplified by ICANN and RIPE NCC, remains important for end-to-end integrity, while transport-level defense benefits from TLS features advocated by groups such as the Mozilla Foundation.

Deployment and Adoption

Adoption trajectories reflect decisions by browser vendors, operating system maintainers, and resolver operators. Early deployments by Cloudflare (1.1.1.1) and Google Public DNS (8.8.8.8) spurred integration into Mozilla Firefox and Google Chrome; enterprise orchestration platforms from Microsoft and device manufacturers such as Samsung and Sony evaluated policies for selective enablement. Standards bodies including the IETF and industry consortia like the Internet Society produced guidance addressing operator concerns; regional regulators including the European Commission and national bodies such as Ofcom observed impacts on lawful interception and consumer protection. Resolver operators such as Quad9 adopted DoH to offer malware-blocking and filtering services, while content providers and CDNs like Akamai adjusted traffic engineering practices.

Performance and Compatibility

DoH can leverage HTTP/2 multiplexing and the QUIC features of HTTP/3 to reduce latency compared with sequential UDP exchanges, provided the TCP/TLS handshake overhead is amortized across multiple requests. Benchmarks from platform vendors including Google LLC and from research groups at universities like MIT and Stanford University evaluate DNS resolution times, cache hit rates, and the interaction with recursive resolvers run by ISPs including Deutsche Telekom and Orange S.A. Compatibility issues arise with middleboxes, parental-control appliances, and enterprise proxies from vendors such as Cisco Systems, Fortinet, and Palo Alto Networks that rely on observing DNS to enforce policies; split-horizon DNS deployments in organizations like Walmart or Bank of America require explicit support so that internal names are neither leaked to a public resolver nor left unresolvable.
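The split-horizon requirement above can be met on the client side by a resolver-selection policy and checked afterwards by auditing resolver logs. The following Python is an added example written for this article, not any vendor's product; its zone names, resolver addresses, DoH endpoint and log lines are all constructed.

```python
INTERNAL_ZONES = ("corp.example", "10.in-addr.arpa")   # constructed split-horizon zones
INTERNAL_RESOLVER = "10.0.0.53"                         # constructed enterprise resolver
DOH_TEMPLATE = "https://doh.example/dns-query"          # constructed public DoH endpoint

def in_zone(name, zone):
    """True when name is the zone apex or lies beneath it (label boundary, case-insensitive).
    A plain suffix test would wrongly match evilcorp.example against corp.example."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def route_query(name):
    """Client-side policy: split-horizon names stay on the internal resolver, the rest use DoH."""
    if any(in_zone(name, z) for z in INTERNAL_ZONES):
        return "internal", INTERNAL_RESOLVER
    return "doh", DOH_TEMPLATE

# Constructed endpoint-agent log, one query per line: timestamp host transport resolver qname
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ws01 do53 10.0.0.53 intranet.corp.example
2024-05-01T10:00:02Z ws01 doh 1.1.1.1 www.example.com
2024-05-01T10:00:03Z ws02 doh 8.8.8.8 payroll.corp.example
2024-05-01T10:00:04Z ws02 doh 8.8.8.8 1.0.0.10.in-addr.arpa
2024-05-01T10:00:05Z ws03 doh 1.1.1.1 evilcorp.example
"""

def audit_leaks(log_text):
    """Return (host, resolver, qname) for every split-horizon name that left via DoH."""
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, host, transport, resolver, qname = line.split()
        if transport == "doh" and route_query(qname)[0] == "internal":
            leaks.append((host, resolver, qname))
    return leaks
```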

Controversies and Policy Issues

Debate over DoH centers on resolver choice, centralization, and regulatory compliance. Critics, including network operators represented by associations like the Internet Service Providers Association, argued that DoH undermines network security practices such as DNS-based filtering used for child protection programs endorsed by agencies like UNICEF and public-safety stakeholders including INTERPOL. Privacy advocates countered with positions from the Electronic Frontier Foundation and academic researchers at the University of California, Berkeley urging default encryption and user choice. Policy responses varied: some national regulators explored mandates or guidance similar to actions by the European Data Protection Board and court rulings in jurisdictions like Germany and the United Kingdom. Industry compromises involved configurable resolver policies in browsers and operating systems, standards for resolver discovery promoted at the IETF, and enterprise controls developed by vendors including Apple Inc. and Microsoft Corporation.

Category:Internet protocols