University of Wisconsin–Madison
Computer screen with DNS, domain and https information on it

5 Things to know about DNS over HTTPS

What is DNS over HTTPS (DoH)?

Let’s start with what DNS and HTTPS are. Domain Name System (DNS) is like a telephone directory for the Internet. It translates easily  domain names, like wisc.edu, to numerical addresses used by devices and applications like web browsers.

Hypertext Transfer Protocol Secure (HTTPS) encrypts information sent between a web server and a web browser, but it doesn’t begin encrypting until your browser has connected to the website. The typical browsing session goes something like this:

  1. You enter a domain name in your browser’s location field, or click a link.
  2. Your browser sends an unencrypted request to a DNS server, essentially asking where to find the website.
  3. Your browser receives the requested information from the DNS server and uses it to connect to the website. Anyone listening in can tell what site you’re visiting.
  4. If the site supports HTTPS, further traffic between the two is encrypted.

The system works well, but does leave users vulnerable to having their web browsing tracked, and attacks where DNS responses are intercepted and altered, sending users to a scam website rather than to the one they wanted, a.k.a. “spoofing.”

DNS over HTTPS is a relatively new way to provide domain name services that encrypt DNS requests, making it hard for bad guys to snoop on or spoof network users. Browsing with DoH enabled goes like this:

  1. You enter a domain name in your browser’s location field, or click a link.
  2. Your browser sends an encrypted request to a DNS/DoH server, essentially asking where to find the website.
  3. Your browser receives and encrypted reply from the DNS/DoH server containing the requested information and uses it to connect to the website. Anyone listening in sees only encrypted information being exchanged.
  4. If the site supports HTTPS, further traffic between the two is encrypted.

5 things to know about DoH

  1. The protocol was backed by Google, Cloudflare and Mozilla.
  2. Firefox is currently the only browser to support it and it must be enabled.
  3. Google’s public DNS supports DoH as does Cloudflare’s. If you enable DoH in Firefox, is uses Cloudflare’s DNS by default.
  4. It is controversial in some jurisdictions, like the UK, where it may be used to circumvent the efforts of ISPs to comply with the Investigative Powers Act that requires them to log domains visited by their customers.
  5. A new Malware strain has been spotted using DoH to cover its tracks, although it uses an unrelated Lua/Confluence exploit to do its actual bad actions.