DNS-over-HTTPS (DoH): What it is, Benefits and Limitations

In an era where online privacy is constantly under threat, every click, search, or website visit can reveal more about us than we realize. Behind the scenes, one of the most overlooked yet crucial parts of internet communication, the Domain Name System (DNS), quietly handles billions of requests every day.

Traditionally, DNS requests were sent without encryption, leaving them vulnerable to interception, tracking, and manipulation. Enter DNS-over-HTTPS (DoH), a technology designed to change the way DNS queries are transmitted, making them more secure and private than ever before.

What is DNS-over-HTTPS (DoH)?

The Domain Name System (DNS) acts like the phonebook of the internet: it translates human-friendly domain names such as www.example.com into the IP addresses that computers use to communicate. Traditionally, these DNS requests were sent in plain text, making them vulnerable to interception, monitoring, or tampering by attackers or even internet service providers (ISPs).

DNS-over-HTTPS (DoH) is a protocol that encrypts these DNS queries and responses using HTTPS. By doing so, it ensures that DNS traffic is secure and hidden from prying eyes. This means that outsiders cannot easily track which websites you’re visiting or alter your DNS queries.

Benefits of DNS-over-HTTPS (DoH)

  • Improved Privacy: DoH encrypts DNS requests, hiding them within standard HTTPS traffic. This makes it far more difficult for ISPs, attackers, or third-party observers to see which websites you are visiting.

  • Protection from DNS Spoofing and Hijacking: By using HTTPS encryption, DoH prevents man-in-the-middle attacks where attackers tamper with DNS responses to redirect users to malicious websites.

  • Data Integrity: The TLS channel ensures that the DNS responses you receive come from the resolver you chose and were not altered in transit, preventing attackers on the network path from injecting fake IP addresses.

  • Security on Public Wi-Fi: DoH makes browsing safer on untrusted networks, such as airport or café Wi-Fi, by stopping local attackers from intercepting or modifying DNS requests.

  • Consistent DNS Behavior: DoH allows your DNS preferences to remain the same across different networks, ensuring a uniform browsing experience without unexpected changes by local ISPs or administrators.

  • Bypasses Some Local Restrictions: Since DoH traffic is encrypted and mixed with regular HTTPS data, it can sometimes bypass overly aggressive DNS filtering or censorship applied at the network level.

How does DNS-over-HTTPS (DoH) work?

DNS-over-HTTPS (DoH) works by taking DNS queries (the requests that translate a website name like www.example.com into its IP address) and sending them over a secure HTTPS connection. In traditional DNS, these requests are transmitted in plain text, making them visible to Internet Service Providers (ISPs), network administrators, or malicious actors. DoH eliminates this exposure by hiding DNS traffic inside the same encrypted channel used for secure web browsing.

When you enter a website address, your browser or operating system sends an encrypted DNS query to a DoH-compatible DNS resolver. This resolver, operated by a public provider like Cloudflare, Google, or a private enterprise service, receives the request, looks up the corresponding IP address, and sends the result back, all through an encrypted HTTPS channel. Because the data is encrypted using TLS (Transport Layer Security), anyone attempting to intercept the traffic will see only scrambled data, not the domain names you are accessing.

The key difference between DoH and traditional DNS is the transport. Instead of plain, unencrypted UDP or TCP, DoH runs over port 443, the same port as regular HTTPS traffic. This makes it harder for attackers or restrictive networks to single out and block DNS queries, ensuring greater privacy and integrity for your internet communications.

Limitations of DNS-over-HTTPS (DoH)

  • Centralization risks: Most users rely on a few major public DoH providers (like Google or Cloudflare), which can lead to data concentration and raise concerns about how this information is stored or used.

  • Bypassing enterprise security: For organizations, DoH can prevent internal DNS monitoring tools from detecting and blocking malicious domains, potentially allowing cyber threats to slip through.

  • Not a complete privacy solution: While DoH hides DNS queries, it does not conceal the IP addresses you connect to, nor does it protect against tracking through cookies, fingerprinting, or other techniques.

  • Potential performance impact: In some cases, DoH can introduce slight latency due to encryption overhead or reliance on remote resolvers instead of local ones.

  • Compatibility and policy challenges: Legacy systems, custom applications, or regulated environments may experience issues with DoH, and some administrators may need to disable it to comply with security policies.

  • False sense of security: Users might mistakenly assume DoH alone makes their internet use completely private, neglecting other essential cybersecurity measures.
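The enterprise monitoring gap described above is usually closed by steering clients to a sanctioned resolver and alerting on DoH to anything else. As an added example from the defender's side (not the article's code), this Python applies that rule to connection metadata; the log format, field names and the approved hostname are assumptions, and the sample lines are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the article: flag DoH use that sidesteps the enterprise resolver,
# which is the monitoring gap the limitation above describes. Log lines below are
# constructed in a simplified key=value style; field names are assumptions.

# cloudflare-dns.com and dns.google are the public endpoints of the providers the article
# names; a real deployment would maintain this list from its own threat intel.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google"}
APPROVED_DOH_HOSTS = {"doh.corp.example"}      # hypothetical sanctioned corporate resolver

@dataclass
class Finding:
    src: str
    target: str
    reason: str

def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict (first '=' only, so URIs with '?dns=' survive)."""
    return dict(kv.split("=", 1) for kv in line.split())

def check_record(rec: dict) -> Optional[Finding]:
    """One record -> Finding if it looks like DoH to anything but the approved resolver."""
    host = rec.get("sni") or rec.get("host", "")
    if host in APPROVED_DOH_HOSTS:
        return None
    # Without TLS interception only the SNI is visible, so match against known resolvers.
    if rec.get("dport") == "443" and host in KNOWN_DOH_HOSTS:
        return Finding(rec["src"], host, "TLS to known public DoH resolver")
    # Behind a TLS-terminating proxy the RFC 8484 media type and path are observable.
    if rec.get("content_type") == "application/dns-message" or rec.get("uri", "").startswith("/dns-query"):
        return Finding(rec["src"], host or rec.get("dst", "?"), "DoH media type or /dns-query path")
    return None

def scan(lines) -> List[Finding]:
    return [f for f in (check_record(parse_line(l)) for l in lines) if f]

SAMPLE_LOG = [   # constructed; addresses are from documentation ranges
    "ts=1 src=10.0.0.5 dst=198.51.100.10 dport=443 sni=doh.corp.example",
    "ts=2 src=10.0.0.7 dst=203.0.113.20 dport=443 sni=cloudflare-dns.com",
    "ts=3 src=10.0.0.9 dst=203.0.113.30 dport=443 sni=www.example.com",
    "ts=4 src=10.0.0.11 dst=203.0.113.40 dport=443 host=resolver.example.net "
    "uri=/dns-query?dns=AAABAAAB content_type=application/dns-message",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.target}: {f.reason}")
```

SNI matching misses resolvers that are not on the list and is blind where Encrypted Client Hello is in use, so it complements, rather than replaces, endpoint policy that disables unsanctioned DoH.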

Final Thoughts

DNS-over-HTTPS represents a significant step forward in protecting online privacy and preventing DNS-based attacks. However, it is not a silver bullet: organizations still need a broader strategy combining DNS security, endpoint protection, threat intelligence, and employee awareness.

At StrongBox IT, we help businesses adopt secure network configurations, assess potential DNS vulnerabilities, and implement solutions that balance privacy, security, and compliance.

Your DNS may be hidden, but your cybersecurity should be visible, strong, and proactive.
