100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is DNS over HTTPS (DoH)?

Learn what DNS over HTTPS (DoH) is, how it encrypts lookups, and how it compares to DNS over TLS — with interview Q&A.

mediumQ74 of 224 in Computer Networks Est. time: 5 minsLast updated:
Open Code Lab

Expected Interview Answer

DNS over HTTPS (DoH) is a protocol that carries standard DNS queries and responses inside encrypted HTTPS connections instead of sending them as plaintext UDP or TCP packets, so that a network observer between the client and resolver cannot read or tamper with the lookup.

Traditional DNS queries travel over plaintext UDP (or TCP for larger responses) on port 53, meaning any router, ISP, or attacker on the path can see which domains a device is resolving and can spoof or inject fake responses. DoH wraps the same DNS query and answer format inside an HTTPS request to a DoH-capable resolver, typically on port 443, encrypting the traffic and making it look like ordinary web traffic. This protects lookup privacy from local network eavesdroppers and prevents on-path tampering, since HTTPS provides both encryption and integrity checking via TLS. A closely related protocol, DNS over TLS (DoT), achieves similar encryption but uses a dedicated port (853) and a raw TLS connection instead of wrapping requests in HTTP, making DoT traffic easier for a network to identify and block, while DoH traffic blends in with regular HTTPS traffic on port 443. Browsers and operating systems increasingly let users or administrators configure a trusted DoH resolver directly, which shifts DNS trust away from whatever resolver the local network would otherwise assign.

  • Encrypts DNS lookups so local network observers cannot see queried domains
  • Prevents on-path DNS spoofing and tampering via TLS integrity checks
  • Blends with normal HTTPS traffic on port 443, harder to selectively block than DoT
  • Lets users choose a trusted resolver independent of the local network default

AI Mentor Explanation

DNS over HTTPS is like sending a message to the team analyst asking for an opponent’s batting stats inside a sealed, tamper-evident envelope carried by the same courier who delivers all the team’s other sealed mail, instead of shouting the question across the dressing room where anyone can overhear it. Anyone watching the courier’s route just sees a normal mail delivery, not what specific stat was requested. If someone tried to intercept and swap the envelope’s contents, the tamper-evident seal would reveal it. This is exactly the privacy and integrity gain DoH provides over plaintext DNS on port 53.

Step-by-Step Explanation

  1. Step 1

    Client formats a DNS query

    The client builds a standard DNS query message just like it would for plaintext DNS.

  2. Step 2

    Query wrapped in HTTPS

    The query is sent as an HTTPS request (typically POST or GET) to a DoH-capable resolver on port 443.

  3. Step 3

    Resolver responds over TLS

    The resolver returns the DNS answer inside an encrypted HTTPS response, protected by TLS.

  4. Step 4

    Client parses the answer

    The client extracts the standard DNS response from the HTTPS body and uses it like any normal lookup result.

What Interviewer Expects

  • Explains that DoH encrypts DNS traffic using HTTPS/TLS
  • Compares DoH to plaintext DNS (port 53) and to DoT (port 853)
  • Understands DoH traffic is harder to selectively block since it blends with HTTPS
  • Aware of the trade-off: DoH can bypass local network DNS policy/filtering

Common Mistakes

  • Confusing DoH with a completely different DNS protocol rather than an encrypted transport for the same queries
  • Not distinguishing DoH (port 443, HTTP-wrapped) from DoT (port 853, raw TLS)
  • Assuming DoH hides the destination IP the client eventually connects to (it only protects the DNS lookup)
  • Forgetting DoH can complicate enterprise or parental DNS filtering since it bypasses local resolvers

Best Answer (HR Friendly)

DNS over HTTPS takes the same domain-name lookups your device always does, but sends them encrypted inside a normal-looking HTTPS connection instead of in the open. That means your internet provider or anyone else on the network cannot see which websites you are looking up or tamper with the answer, because it is protected the same way your online banking traffic is protected.

Code Example

Making a manual DNS over HTTPS query
# Query a DoH resolver directly (Cloudflare’s DoH endpoint) using curl
curl -s -H "accept: application/dns-json" \
  "https://cloudflare-dns.com/dns-query?name=example.com&type=A"

# Response is standard JSON-encoded DNS data, delivered over HTTPS/TLS:
# {"Status":0,"Answer":[{"name":"example.com","type":1,"TTL":300,"data":"93.184.216.34"}]}

Follow-up Questions

  • How does DoH differ from DNS over TLS (DoT)?
  • Why might an enterprise network want to block or manage DoH usage?
  • Does DoH protect the destination IP a client later connects to, or only the lookup?
  • How do browsers decide which DoH resolver to trust by default?

MCQ Practice

1. What transport does DNS over HTTPS use to carry DNS queries?

DoH wraps standard DNS queries inside HTTPS requests, typically over port 443.

2. What is the main practical difference between DoH and DoT?

DoH traffic looks like ordinary HTTPS on port 443, while DoT uses its own dedicated port, making it easier to identify and block.

3. What does DoH primarily protect against?

DoH encrypts and integrity-protects DNS queries and responses in transit, preventing local eavesdropping and spoofing.

Flash Cards

What is DNS over HTTPS (DoH)?A protocol that sends DNS queries and responses encrypted inside HTTPS connections.

What port does DoH typically use?Port 443, the same as normal HTTPS traffic.

How does DoH differ from DoT?DoT uses a dedicated port (853) with raw TLS; DoH wraps queries in HTTP on port 443, blending with web traffic.

Main benefit of DoH?Prevents local network observers from seeing or tampering with DNS lookups.

1 / 4

Continue Learning