DNS Over HTTPS (DoH): Privacy Savior or Security Nightmare?

Akshay Kale

Table of Contents

  1. Introduction

  2. How DoH Works

  3. Key Benefits of DoH

  4. Risks & Challenges

  5. DoH vs DoT: Protocol Showdown

  6. Implementation & Best Practices

  7. Conclusion

  8. FAQs


Introduction

In the age of pervasive surveillance and rampant data collection, DNS over HTTPS (DoH) emerges as a beacon of privacy, encrypting your DNS lookups so that ISPs, network admins, or malicious actors can’t snoop on which sites you visit. Yet, this very shield can turn into a security blind spot for enterprises and network defenders. In this post, we’ll demystify DoH, weigh its pros and cons, and help you decide when DoH is your best ally and when it becomes a thorn in your network’s side.


How DoH Works

(Diagram credit: Brian Posey)


DNS Request Encapsulation

  • Traditional DNS uses UDP port 53 in plaintext.

  • DoH wraps DNS queries in HTTPS packets over TCP port 443, making them indistinguishable from regular web traffic.

Encryption & Transport

Example request (JSON API form; the standard RFC 8484 wire format instead uses application/dns-message, with the binary query base64url-encoded in a dns= parameter):

GET /dns-query?name=example.com&type=A HTTP/2
Host: doh.provider.com
Accept: application/dns-json

  • Uses HTTP/2 or HTTP/3, benefiting from multiplexing and built-in TLS encryption.

  • Shields DNS queries from passive observers (ISPs, Wi-Fi attackers).

Resolver Response

The resolver decrypts the request, performs the DNS lookup, re-encrypts the response, and returns it via HTTPS.
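To make the "request encapsulation" step concrete, here is an added example (not code from the original post) that builds the DNS message DoH carries inside HTTPS: it constructs the RFC 8484 wire-format query for example.com/A, encodes it into the GET dns= parameter, and parses a response. The resolver name doh.provider.com is the post's placeholder, and the response bytes are constructed inline to stand in for resolver output, so the whole thing runs offline.

```python
"""Build and parse the DNS messages that DoH carries inside HTTPS (RFC 8484 wire format).

Added example, not code from the original post. Runs offline: the response below
is constructed inline instead of fetched from a resolver.
"""
import base64
import struct

DOH_ENDPOINT = "https://doh.provider.com/dns-query"  # hypothetical resolver from the post


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length-prefixed, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS query. RFC 8484 recommends ID 0 so identical queries give
    identical URLs and stay cacheable by HTTP caches."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(query: bytes) -> str:
    """The GET form of DoH: base64url without '=' padding, as RFC 8484 requires."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={dns}"


def read_name(msg: bytes, offset: int) -> tuple:
    """Read a possibly compressed name; returns (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section, and collect A answers."""
    ident, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(map(str, rdata))))
    return {"id": ident, "rcode": flags & 0xF, "answers": answers}


# Constructed response: echoes the question and returns one A record with a
# documentation address (RFC 5737) and TTL 300. Stand-in for real resolver output.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, NOERROR
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("GET", doh_get_url(q))
    print("Accept: application/dns-message")
    print(parse_response(CONSTRUCTED_RESPONSE))
```

Everything a passive observer would otherwise read in a port-53 datagram (the name, the type, the answer) is inside the URL and body of an ordinary HTTPS exchange; that is why the protocol protects privacy and why it is hard to filter.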


Key Benefits of DoH

  • Privacy Preservation

    • Masks DNS queries from ISPs and local adversaries.
  • Integrity & Anti-Spoofing

    • Prevents on-path spoofing and MITM tampering of queries between the client and the resolver.
  • Performance Gains

    • HTTP/2 multiplexing reduces latency in lossy networks.
  • Firewall Evasion

    • Harder for basic firewalls to block or inspect DNS traffic.

Risks & Challenges

  1. Centralization Concerns

    • Most DoH traffic ends up at a few large providers (Cloudflare, Google), raising privacy & antitrust flags.
  2. Enterprise Oversight Loss

    • Bypasses on-prem DNS filtering, parental controls, and monitoring tools, jeopardizing policy enforcement.
  3. Malware Abuse

    • Threat actors hide C2 communications in encrypted DNS, evading detection by security appliances.
  4. Residual Fingerprinting

    • Adversaries can still infer visited domains from IP/TCP metadata.

DoH vs DoT: Protocol Showdown

Feature            | DoH                                     | DoT
-------------------|-----------------------------------------|----------------------------------------
Port               | 443 (HTTPS)                             | 853 (TLS)
Encryption layer   | HTTPS (HTTP/2, HTTP/3)                  | Raw TLS
Firewall behavior  | Blends with web traffic; hard to block  | Distinct; easier to filter and inspect
Performance        | Multiplexed; can be faster              | Stable; no HTTP overhead
Enterprise control | Can bypass DNS policies                 | Supports split-horizon and filtering

Recommendation:

  • Privacy-focused users: enable DoH via a trusted resolver.

  • Enterprises: prefer DoT or an internal DoH deployment, and block external DoH.


Implementation & Best Practices

For Individual Users

  • Browsers:

    • Firefox: Settings → Network Settings → Enable “Encrypted DNS (DoH)”.

    • Chrome: Settings → Privacy & security → Security → Use Secure DNS.

  • OS-Level:

    • Windows 11: Settings → Network & Internet → Advanced network settings → DNS over HTTPS.

    • macOS: via resolver configuration profiles. Android: provider-specific.

For Enterprises

  1. Internal DoH Resolver

    • Deploy Unbound or BIND 9 with DoH support on-premises.
  2. Access Control

    • Block port 443 DoH traffic to external resolvers via firewall rules.
  3. Monitoring

    • Combine with EDR, SIEM, and TLS-inspection proxies to retain visibility.

# Example: block external DoH on a Linux firewall.
# A string match for "application/dns-json" never fires on port 443: the HTTP headers are inside TLS.
# Instead, reject HTTPS to known public DoH resolver addresses (sample list; extend it to the resolvers you see):
for ip in 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9; do iptables -A OUTPUT -p tcp --dport 443 -d "$ip" -j REJECT; done
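The "Malware Abuse" risk above and the "Monitoring" step here share one defensive question: which hosts are sending encrypted DNS anywhere other than the internal resolver? The following is an added example (not from the post) that answers it over constructed connection-log records. The log format (key=value fields for client, destination, port, TLS SNI, and, where a TLS-inspection proxy supplies them, URL path and content type) is an assumption, as is the internal resolver address 10.0.0.53; the public resolver hostnames and addresses are real, widely published endpoints, listed as a sample to extend.

```python
"""Flag DoH/DoT connections that bypass the internal resolver.

Added example, not code from the original post. Log format, internal resolver
address and sample records are constructed assumptions.
"""
from dataclasses import dataclass

INTERNAL_RESOLVERS = {"10.0.0.53"}  # assumed address of the on-prem DoH/DoT resolver
# Sample of public encrypted-DNS endpoints; extend from what your own telemetry shows.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
KNOWN_DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}
DOH_PATH = "/dns-query"  # only visible when a TLS-inspection proxy logs the request


@dataclass
class Finding:
    client: str
    dst: str
    reason: str


def parse_line(line: str) -> dict:
    """Parse one 'key=value key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def classify(rec: dict):
    """Return a reason string if the record looks like external encrypted DNS, else None."""
    dst, port, sni = rec["dst"], int(rec["dport"]), rec.get("sni", "")
    if dst in INTERNAL_RESOLVERS:
        return None  # sanctioned resolver, whatever the port
    if port == 853:
        return "DoT to external resolver"
    if port == 443:
        if sni in KNOWN_DOH_HOSTS or dst in KNOWN_DOH_IPS:
            return "DoH to known public resolver"
        # Unknown endpoint: only a decrypting proxy can expose the DoH path or media type.
        if rec.get("path", "").startswith(DOH_PATH) or rec.get("ctype", "") in DOH_CONTENT_TYPES:
            return "DoH endpoint seen via TLS inspection"
    return None


def scan(lines) -> list:
    """Run classify() over log lines and collect findings in order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["src"], rec["dst"], reason))
    return findings


# Constructed sample log: one sanctioned DoT session, two public-resolver bypasses,
# ordinary web traffic, and a DoH endpoint on an unlisted host revealed by inspection.
SAMPLE_LOG = """
ts=1 src=10.0.1.20 dst=10.0.0.53 dport=853 sni=resolver.corp.example
ts=2 src=10.0.1.21 dst=1.1.1.1 dport=443 sni=cloudflare-dns.com
ts=3 src=10.0.1.22 dst=203.0.113.7 dport=443 sni=www.example.com
ts=4 src=10.0.1.23 dst=8.8.8.8 dport=853 sni=dns.google
ts=5 src=10.0.1.24 dst=198.51.100.9 dport=443 sni=cdn.example.net path=/dns-query ctype=application/dns-message
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.client} -> {f.dst}: {f.reason}")
```

The list-based checks catch the common case (a browser or OS pointed at a public resolver); the third check only works where a TLS-inspection proxy is already in place, which is exactly why the post pairs the firewall rule with EDR, SIEM and proxy visibility rather than relying on the firewall alone.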

Conclusion

DNS over HTTPS is a transformative privacy tool shielding your DNS queries from prying eyes. But like any powerful technology, it cuts both ways: empowering users yet handicapping defenders when misconfigured. By understanding DoH’s mechanics, weighing its benefits against its challenges, and following deployment best practices, you can harness the privacy gains of DoH without falling prey to its pitfalls.


FAQs

1. Is DoH supported on mobile devices?
Yes, Android 9+ and recent iOS/macOS versions support DoH via custom resolver settings or third-party apps.

2. Can I run my own DoH resolver?
Absolutely! Open-source tools like miekg/dns and cloudflare-dns-server make it straightforward.

3. Will DoH slow down my browsing?
In most cases, DoH's HTTP/2 optimizations offset the TLS handshake overhead, often resulting in comparable or improved performance.
