
IETF DOH Working Group

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: IETF DOH Working Group
Formation: 2018
Purpose: Standardization of DNS over HTTPS
Headquarters: Internet Engineering Task Force
Region served: Global
Parent organization: Internet Engineering Task Force


The IETF DOH Working Group was formed within the Internet Engineering Task Force to develop standards for DNS over HTTPS. It produced technical specifications that intersect with standards from the IETF, W3C, ICANN, and regional Internet registries while engaging implementers, operators, and researchers from organizations such as Mozilla, Google, Cloudflare, and Cisco. The effort influenced protocol work in the Internet Architecture Board, Internet Engineering Task Force, World Wide Web Consortium, IETF HTTPbis Working Group, Internet Research Task Force, Internet Assigned Numbers Authority, Internet Corporation for Assigned Names and Numbers, and regional bodies including RIPE NCC, ARIN, and APNIC.

Background and charter

The charter originated in discussions among contributors from the Internet Engineering Task Force, Internet Architecture Board, IETF HTTPbis Working Group, Evolving Web, Mozilla Foundation, Google LLC, Cloudflare, Fastly, Cisco Systems, Microsoft Corporation, Apple Inc., Amazon Web Services, Verisign, OpenDNS, ISOC, ICANN, IANA, RIPE NCC, ARIN, APNIC, LACNIC, and AfriNIC. It aimed to define an encrypted, authenticated transport for Domain Name System queries aligned with existing protocols, including Hypertext Transfer Protocol, Transport Layer Security, QUIC, HTTP/2, and HTTP/3. Stakeholders cited precedents from DNSSEC, DNS over TLS, EDNS, DNSCurve, and studies by University of California, Berkeley, MIT, Stanford University, University of Cambridge, and ETH Zurich.

Protocol specification and standards

The group authored core specifications that reference standards maintained by the Internet Engineering Task Force, IETF HTTPbis Working Group, IETF QUIC Working Group, IETF TLS Working Group, and IANA. Key documents define wire formats, HTTP mappings, media types, and operational considerations compatible with Hypertext Transfer Protocol, HTTP/2, HTTP/3, QUIC, TLS 1.3, RFC 1035, RFC 2119, and RFC 8446. The specifications cover message framing, content negotiation, caching semantics, and HTTP status mappings informed by implementations from Mozilla Foundation, Google LLC, Cloudflare, Cisco Systems, Fastly, Akamai Technologies, Amazon Web Services, Microsoft Corporation, and Facebook (Meta Platforms). The work linked to numbering and registries managed by the Internet Assigned Numbers Authority and policy input from ICANN and regional registries such as RIPE NCC.

Security and privacy considerations

Security analyses engaged contributors from the Open Web Application Security Project, National Institute of Standards and Technology, ENISA, UK National Cyber Security Centre, CERT Coordination Center, Google LLC, Mozilla Foundation, Cloudflare, Akamai Technologies, Cisco Systems, Microsoft Corporation, and academic researchers at Carnegie Mellon University, University of Oxford, EPFL, Princeton University, and ETH Zurich. Threat models addressed active attacks, passive eavesdropping, middlebox interference, and censorship circumvention, referencing Transport Layer Security, DNSSEC, TLS 1.3, HTTP Public Key Pinning, and DNS rebinding mitigations. Privacy guidance considered metadata leakage, centralization risks raised by Cloudflare and Google Public DNS, and legal frameworks such as the General Data Protection Regulation, the US CLOUD Act, and court rulings involving the European Court of Justice and national authorities.

Implementations and deployments

Implementations emerged across open-source and commercial ecosystems, including client libraries and server products from Mozilla Foundation (Firefox), Google LLC (Chrome), Cloudflare (1.1.1.1), Quad9, Cisco Systems (Umbrella), Microsoft Corporation (Windows), Apple Inc. (iOS/macOS integrations), Knot DNS, Unbound, BIND, PowerDNS, CoreDNS, nginx, Envoy (software), HAProxy Technologies, Traefik Labs, ISC, MikroTik, Netgear, Ubiquiti Networks, and content delivery networks including Akamai Technologies and Fastly. Deployments varied by region with uptake documented in reports from RIPE NCC, APNIC, ARIN, and country-level operators in Germany, United States, India, Japan, and Brazil.

Interoperability and testing

Interoperability testing occurred at IETF meetings, interop events hosted by IETF HTTPbis Working Group, and testbeds run by Mozilla Foundation, Google LLC, Cloudflare, RIPE NCC, APNIC, and academic labs at University of California, Berkeley and University College London. Tools and suites included test harnesses from IETF Tools, continuous integration contributions from GitHub, conformance suites inspired by IETF Testimonies, and fuzzing efforts from Google OSS-Fuzz and Mozilla Socorro. Results were reported in workshop sessions involving Internet Society, IETF Hackathon, and research presented at conferences such as USENIX Security Symposium, NDSS, ACM CCS, IEEE S&P, and SIGCOMM.

Controversies and debates

Debates arose among privacy advocates, network operators, and content platforms involving ICANN policy, the role of central resolvers like Cloudflare and Google Public DNS, and interception capabilities of national authorities such as the National Security Agency and GCHQ. Content delivery tensions involved Akamai Technologies, Fastly, and Cloudflare with network operators including Deutsche Telekom, AT&T, and Verizon Communications. Regulatory and antitrust concerns engaged the European Commission, Federal Communications Commission, Competition and Markets Authority, and civil society groups like the Electronic Frontier Foundation and ACLU. Technical disputes included resolver discovery, split-horizon DNS handling, and interactions with middleboxes discussed in forums with IETF HTTPbis Working Group, IETF RRTED Working Group, and IETF DPRIVE Working Group.

Future work and extensions

Proposed extensions and work items referenced collaboration with IETF DPRIVE Working Group, IETF HTTPbis Working Group, IETF QUIC Working Group, IETF TLS Working Group, W3C, and operational communities including IETF OPSAWG. Topics for future consideration included resolver discovery mechanisms, integration with browser vendor policies from Mozilla Foundation, Google LLC, Microsoft Corporation, and Apple Inc., additional privacy protections inspired by research from Carnegie Mellon University and ETH Zurich, and protocol optimizations related to QUIC and HTTP/3 performance explored by IETF QUIC Working Group and IETF HTTPbis Working Group.
