DNS over HTTPS (DoH) and DNS over TLS (DoT): Encrypted DNS Explained

How encrypted DNS protocols work, their privacy benefits, deployment considerations, and impact on corporate network monitoring and content filtering.

Why Encrypt DNS?

Traditional DNS operates in plaintext over UDP port 53. This design dates from 1983 when the internet was a trusted academic network. Today, this means:

  • ISPs can log every hostname you visit — and in many countries, are required to
  • On-path attackers can intercept DNS responses and redirect you to malicious servers
  • Censorship is trivially implemented by blocking or poisoning DNS responses
  • Advertisers build behavioral profiles from DNS traffic at the ISP level

# Plaintext DNS is visible to anyone on the network path:
# This packet is unencrypted and reveals the queried hostname
tcpdump -n -i eth0 port 53 -A 2>/dev/null | grep -A2 'example'

Two protocols address this problem: DNS over HTTPS (DoH) and DNS over TLS (DoT).

DNS over TLS (DoT)

DoT (RFC 7858) wraps standard DNS in a TLS 1.3 connection on port 853. The DNS wire format is unchanged — the messages are identical to traditional DNS, just encrypted within a TLS tunnel.

Client → TLS handshake on port 853 → Server
        DNS query (encrypted inside TLS)
Server → DNS response (encrypted inside TLS) → Client

Advantages of DoT:

  • Clean separation of concerns (DNS traffic is distinct from HTTPS)
  • Network operators can allow/block port 853 specifically
  • Lower per-query overhead than DoH (no HTTP framing)

Disadvantages of DoT:

  • Port 853 is identifiable — network admins can detect and block it
  • Less browser support than DoH

DNS over HTTPS (DoH)

DoH (RFC 8484) encodes DNS queries in HTTP/2 or HTTP/3 requests on port 443. DNS traffic is indistinguishable from regular HTTPS traffic:

# DoH request via curl, JSON API (a Cloudflare convenience format, not the RFC 8484 wire format):
curl -H 'Accept: application/dns-json' \
  'https://cloudflare-dns.com/dns-query?name=example.com&type=A'

# Wire format (RFC 8484 binary), POSTed with the application/dns-message media type.
# The message contains NUL bytes, which a shell variable cannot hold, so pipe the
# bytes from Python straight into curl instead of going through $(...) and a here-string:
python3 -c '
import sys
# DNS query for example.com type A: 12-byte header (ID 1, RD set, QDCOUNT 1) + question
query = b"\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
query += b"\x07example\x03com\x00\x00\x01\x00\x01"
sys.stdout.buffer.write(query)' |
curl -s -H 'Content-Type: application/dns-message' \
  -H 'Accept: application/dns-message' \
  --data-binary @- 'https://dns.google/dns-query' | xxd   # the response is binary too

Advantages of DoH:

  • Cannot be blocked without blocking all HTTPS traffic
  • Works in environments that restrict port 853
  • Broad browser support (Firefox, Chrome, Edge, Safari)

Disadvantages of DoH:

  • DNS traffic is mixed with regular HTTPS — harder for admins to monitor
  • Typically requires a third-party resolver (Google, Cloudflare, NextDNS)
  • Bypasses local network DNS configuration (split-horizon DNS, content filters)

Comparing DoH and DoT

Feature             | DoT                        | DoH
--------------------|----------------------------|---------------------------------
Port                | 853                        | 443
Protocol            | DNS over TLS               | DNS over HTTP/2
Detectability       | Identifiable by port       | Blends with HTTPS
Blockability        | Easy (block port 853)      | Hard (would block all HTTPS)
Enterprise adoption | Preferred (policy control) | Problematic (bypasses filtering)
Latency             | Lower                      | Higher (HTTP framing overhead)
Browser support     | OS-level only              | Native in Firefox, Chrome

Client Configuration

Browser-Level DoH

Firefox: Uses DoH by default in the US via Cloudflare. Configure in:

Settings → Privacy & Security → DNS over HTTPS

# Custom DoH resolver in Firefox:
about:config → network.trr.uri = https://your-resolver.com/dns-query

Chrome/Chromium: Upgrades to DoH automatically if your configured DNS server supports it. Set custom DoH in:

Settings → Privacy and security → Security → Use secure DNS

OS-Level Configuration

Windows 11 (DoH via Settings):

Settings → Network & Internet → [Adapter] → DNS server assignment
Set DNS: 1.1.1.1 → Preferred DNS encryption: Encrypted only (DNS over HTTPS)

macOS (DoH via system configuration profile):

# Install a mobileconfig profile for system-wide DoH:
# Cloudflare provides pre-built profiles: https://1.1.1.1/dns/

# networksetup only sets the resolver addresses (plain DNS on port 53); it does not
# enable DoT or DoH. System-wide encrypted DNS on macOS needs the profile above.
networksetup -setdnsservers Wi-Fi 1.1.1.1 1.0.0.1

Linux (systemd-resolved):

# /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
DNSSEC=yes

sudo systemctl restart systemd-resolved

# Verify:
resolvectl status
resolvectl query example.com

Android 9+ (Private DNS / DoT):

Settings → Network & internet → Advanced → Private DNS
Enter: one.one.one.one (Cloudflare) or dns.google (Google)

Running Your Own Encrypted DNS Resolver

For privacy-conscious users or organizations, running a local DoH/DoT resolver gives full control over DNS resolution:

cloudflared proxy-dns (DoH)

# Install cloudflared and run as local DoH proxy:
brew install cloudflare/cloudflare/cloudflared

# Run DoH proxy on localhost:5053
cloudflared proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query

# Configure system DNS to 127.0.0.1:5053
# Or run as a service:
sudo cloudflared service install

dnscrypt-proxy

# Supports DoH, DoT, DNSCrypt, and ODoH (Oblivious DoH)
brew install dnscrypt-proxy

# /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml:
server_names = ['cloudflare', 'google']
listen_addresses = ['127.0.0.1:53']
ipv6_servers = true
doh_servers = true

sudo brew services start dnscrypt-proxy

Unbound with DoT

# Unbound as a local caching resolver with DoT upstream:
# /etc/unbound/unbound.conf:
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # CA bundle used to verify the upstream certificate against the #hostname
    # given in forward-addr; without a bundle (or tls-system-cert: yes) the
    # connection is encrypted but the server is not authenticated.
    # The path varies by distro (Debian/Ubuntu shown).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

Enterprise and Corporate Network Impact

DoH and DoT create significant challenges for corporate IT:

Split-Horizon DNS

Many corporate networks use split-horizon DNS — internal DNS servers that return private IP addresses for internal services. When an employee's browser uses DoH to an external resolver (Cloudflare, Google), it bypasses the internal DNS server and cannot resolve internal hostnames:

# Internal DNS (split-horizon):
intranet.corp.com → 10.0.0.50   (private IP, only visible internally)

# External DoH resolver:
intranet.corp.com → NXDOMAIN    (no public DNS record)

Solutions: Configure an internal DoH/DoT resolver and push it to managed devices via MDM. Firefox and Chrome have enterprise policies to disable DoH:

// Chrome enterprise policy (managed_preferences):
{
  "DnsOverHttpsMode": "off"
}

Content Filtering Bypass

Corporate and parental content filters often work by blocking DNS responses for prohibited domains. DoH on port 443 bypasses these filters completely. Enterprise-grade solutions:

  • NextDNS for Teams: Managed DoH/DoT with filtering policies
  • Cisco Umbrella: Enterprise DNS security with DoH support
  • Zscaler: Cloud proxy that intercepts HTTPS including DoH
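One way to find hosts that bypass the internal resolver, for both the split-horizon and content-filtering problems above, as an added example that is not from the article: classify constructed connection records (the kind a firewall or TLS-inspecting proxy exports). DoT is recognisable by port 853; DoH only by a TLS SNI matching a known resolver hostname. The field names, the internal resolver address and the resolver list are assumptions for the example.

```python
INTERNAL_RESOLVER = "10.0.0.53"   # assumed corporate resolver address
# Public resolver hostnames named in the article; a real deployment keeps a longer list.
KNOWN_DOH_SNI = {"cloudflare-dns.com", "one.one.one.one", "dns.google"}

def classify(rec: dict) -> str:
    """Label one connection record: dot, doh, plain-dns or other."""
    if rec["proto"] == "tcp" and rec["dport"] == 853:
        return "dot"                       # DoT: identifiable by its dedicated port
    sni = rec.get("sni", "").lower().rstrip(".")
    if rec["dport"] == 443 and sni in KNOWN_DOH_SNI:
        return "doh"                       # DoH: only the SNI gives it away
    if rec["dport"] == 53:
        return "plain-dns"
    # DoH to a resolver not in the list is indistinguishable from ordinary HTTPS here,
    # which is exactly the monitoring gap the article describes.
    return "other"

def find_bypasses(records: list[dict]) -> list[tuple[str, str, str]]:
    """(src, kind, dst) for DNS-like traffic that does not go to the internal resolver."""
    out = []
    for rec in records:
        kind = classify(rec)
        if kind != "other" and rec["dst"] != INTERNAL_RESOLVER:
            out.append((rec["src"], kind, rec["dst"]))
    return out

# Constructed records: one plain query to the internal resolver, one DoT and one DoH
# session to public resolvers, and one ordinary HTTPS connection.
SAMPLE_RECORDS = [
    {"src": "10.0.1.21", "dst": "10.0.0.53", "dport": 53, "proto": "udp"},
    {"src": "10.0.1.22", "dst": "1.1.1.1", "dport": 853, "proto": "tcp"},
    {"src": "10.0.1.23", "dst": "8.8.8.8", "dport": 443, "proto": "tcp", "sni": "dns.google"},
    {"src": "10.0.1.24", "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "sni": "www.example.com"},
]

if __name__ == "__main__":
    for src, kind, dst in find_bypasses(SAMPLE_RECORDS):
        print(f"{src} uses {kind} to {dst}, bypassing {INTERNAL_RESOLVER}")
```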

Summary

Encrypted DNS significantly improves user privacy by preventing ISP snooping and on-path DNS manipulation. DoH (port 443) is harder to block and has broader browser support; DoT (port 853) is preferred for enterprise environments because it is identifiable and policy-controllable. For personal use, enabling DoH in your browser or configuring a local resolver is a straightforward privacy improvement. For corporate environments, deploy a managed internal DoH/DoT resolver with MDM enforcement to maintain split-horizon DNS and content filtering functionality.
