Saturday, July 04, 2020

DNS-over-HTTPS (DoH)

What is the Domain Name System (DNS)?


When you type a URL into a web browser such as Google Chrome or Internet Explorer, the browser first has to translate that name into something it understands: a number, called an IP address. On the Internet, every connected device has a unique IP address. For example, the Google website (google.com or google.in) has its own IP address, and Yahoo has its own. Remembering all these addresses is hard, and that is where DNS helps us. A server running the DNS service maintains a table that translates names to IP addresses, which makes things easy for humans.


This is how a DNS translation table looks:

Name             IP Address
google.com       172.217.8.14
yahoo.com        98.137.246.7
duckduckgo.com   52.149.246.39

So when you type google.com in your browser, your browser sends a DNS query to its configured DNS server, and the DNS server replies with an IP address. Your browser then sends the HTTP (website) request to that IP address. DNS queries usually travel over the UDP transport protocol to port number 53.

DNS over HTTPS


As mentioned in the last paragraph, DNS requests usually travel over UDP to port number 53. DNS-over-HTTPS, aka DoH, instead carries them over the HTTPS protocol rather than plain UDP, which is more secure. First an HTTPS connection is set up with the DNS server, and the DNS requests are then sent over it. As you know, HTTPS uses SSL/TLS encryption, so the requests cannot be read by anyone in between.
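To make the two paragraphs above concrete, here is an added example (not code from the original post) that builds the same DNS question a resolver would receive over UDP port 53, wraps it the way a DoH client does (RFC 8484: the GET form puts the message in a base64url `dns` parameter without padding, the POST form sends it as a body with media type `application/dns-message`), and parses a response. The resolver URL `https://doh.example/dns-query` is an assumption, the response bytes are constructed locally, and no network connection is made, so the block runs offline.

```python
"""
Added example, not part of the original post: DNS wire format (RFC 1035)
wrapped as a DoH request (RFC 8484), plus a parser for the response.
Runs offline on constructed bytes; the resolver URL is an assumption.
"""
import base64
import struct

DOH_RESOLVER_URL = "https://doh.example/dns-query"  # assumed endpoint, not a real resolver
DOH_MEDIA_TYPE = "application/dns-message"          # media type defined by RFC 8484


def encode_name(name: str) -> bytes:
    """Encode 'google.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txn_id: int = 0) -> bytes:
    """One A-record question. RFC 8484 suggests txn_id 0 so GET URLs are cacheable."""
    # header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def doh_get_url(query: bytes, resolver_url: str = DOH_RESOLVER_URL) -> str:
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")
    return f"{resolver_url}?dns={b64}"


def doh_post_headers(query: bytes) -> dict:
    """Headers for the POST form; the HTTP body is the raw query bytes."""
    return {"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE,
            "Content-Length": str(len(query))}


def decode_name(msg: bytes, offset: int):
    """Decode a name, following compression pointers; returns (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return transaction id, rcode and A-record answers from a DNS response."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txn_id, "rcode": flags & 0xF, "answers": answers}


def response_matches_query(query: bytes, response: bytes) -> bool:
    """Standard client check: same transaction id and the same question echoed back."""
    return query[:2] == response[:2] and response[12:12 + len(query) - 12] == query[12:]


def build_constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply to `query`, used only so this example runs offline."""
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, NOERROR
    # the answer name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("google.com")
    print(doh_get_url(q))
    print(doh_post_headers(q))
    r = build_constructed_response(q, "172.217.8.14")  # constructed sample answer
    print(response_matches_query(q, r), parse_response(r))
```

The bytes that `build_query` produces are exactly what goes into a UDP datagram to port 53; DoH changes nothing about the DNS message itself, only the transport around it, which is why the same parser works on the body of an HTTPS response.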

Why is this important?


There have been many cases where an internet service provider looks into your DNS requests and sends a fake IP address in its reply instead of the actual one. This has been done for many reasons, such as wanting to block a website or to redirect you to a competitor's website. Usually they do it by watching your internet traffic and capturing all the DNS requests that go out over UDP to port 53, which are not encrypted. They hijack these requests, redirect them to their own server, and hand you a wrong IP address, and you never come to know about it. In such cases DoH helps us, because the DNS requests are sent over an HTTPS-encrypted connection.

How to enable DNS over HTTPS in Windows


As of today, DNS over HTTPS is not enabled by default in Windows. Only Windows 10 builds above 19628 provide DNS over HTTPS support. If you are using an older version, you can instead enable DoH in your web browser; Google Chrome and Mozilla Firefox both support DNS over HTTPS. If you are using a Windows 10 build above 19628, you can enable DoH by following the steps mentioned in this blog.

Enabling DNS over HTTPS in Mozilla Firefox


In Mozilla Firefox, go to "Options" -> "Network Settings". Scroll down to the "Enable DNS over HTTPS" checkbox, tick it, select "Cloudflare" and click OK.

Enabling DNS over HTTPS in Google Chrome


In Google Chrome, DNS over HTTPS is an experimental feature (as of version 83). To enable it, type "chrome://flags" in the address bar. In the search box at the top, search for DNS and you will find "Secure DNS lookups". In its dropdown, select "Enabled" and click "Relaunch". This restarts the browser with DNS over HTTPS enabled.
