How DNS over HTTPS works
DOH carries an ordinary DNS query inside an HTTPS request from the client to a resolver that exposes an HTTP endpoint (conventionally the path /dns-query). The standardized form (RFC 8484) does not change the DNS message format: the query and the response are the same binary wire-format messages used on port 53, sent as the HTTP body of a POST (or, for a GET, base64url-encoded in a dns= query parameter) with the media type application/dns-message. Some public resolvers additionally offer a non-standard JSON representation (application/dns-json), which is easier to consume from web applications, but that is a vendor extension rather than part of the DOH specification.
DOH can be implemented as a local proxy (a stub resolver) running on the end user's computer that listens for conventional DNS queries on UDP and TCP port 53. The proxy wraps each query in an HTTPS request to the DOH resolver over TCP port 443, so to the operating system and its applications it looks like an ordinary local resolver, while the DNS traffic leaving the machine is indistinguishable from other HTTPS traffic. (DNS over TLS, by contrast, carries DNS directly inside a TLS session on the dedicated TCP port 853, which makes it easy to identify and block at the network boundary.)
DOH can also be implemented inside the web browser itself, bypassing the operating system's resolver. When the browser needs to resolve the hostname of a URL, it sends the query to its pre-configured DOH resolver over HTTPS on TCP port 443 and reads the resulting IP addresses out of the DNS response returned in the HTTP reply. Because the browser uses the resolver it was configured with rather than the one supplied by the local network (for example via DHCP), the local network's DNS infrastructure never sees the query.
DOH is of significant interest to content providers and browser vendors because it helps preserve the privacy of their users and subscribers: a DNS query carried inside HTTPS cannot be read or altered by the networks it crosses. It also gives them more control over name resolution for their clients. The client is assured of receiving answers from the resolver it was configured to use, which mitigates man-in-the-middle tampering with DNS responses, and the service behaves consistently regardless of the client's operating system or location.
The terms DNS over HTTP, DNS over HTTPS (DOH), and DNS over TLS (DOT) are often used interchangeably, but it is important to distinguish among them. DOH is always HTTPS: HTTP (normally HTTP/2) carried inside TLS on TCP port 443, so there is no plaintext "DNS over HTTP" variant in the standard. DOT carries DNS messages directly inside a TLS session on TCP port 853 with no HTTP layer at all. Both encrypt the query in transit; they differ in framing, port, and therefore in how easily the network can recognize the traffic.
While DOH can contribute to internet privacy, it is also important to recognize that there are other ways to address the problem.