What is DNS over HTTPS (DoH)?

DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by sending them inside normal HTTPS traffic. Traditional DNS sends queries in plain text over UDP port 53, meaning anyone between you and the DNS resolver — your ISP, a coffee shop's Wi-Fi operator, or a government — can see every domain you look up. DoH eliminates this visibility.

How Traditional DNS Exposes You

When you type google.com into your browser, your device sends an unencrypted DNS query to a resolver asking "what is the IP address for google.com?" This query travels in plain text. Your ISP can log every domain you visit, build browsing profiles, and in some jurisdictions sell that data or use it for censorship.

How DoH Works

DoH wraps DNS queries inside HTTPS requests — the same encryption used for web traffic. Instead of sending a UDP packet to port 53, your device makes an HTTPS POST or GET request to a DoH resolver like https://cloudflare-dns.com/dns-query or https://dns.google/resolve.

The response is a standard DNS answer, but it travels inside the TLS-encrypted HTTP session. To an observer on the network, DoH traffic looks identical to regular HTTPS web traffic: they can see you are connecting to 1.1.1.1 or 8.8.8.8, but cannot see which domains you are querying.

DoH vs DNS over TLS (DoT)

DNS over TLS (DoT) is a related protocol that also encrypts DNS, but uses a dedicated port (853) with TLS directly rather than HTTP. The key difference: DoT traffic on port 853 is identifiable as encrypted DNS, so it can be blocked by networks that want to enforce their own DNS. DoH on port 443 blends in with all other HTTPS traffic, making it much harder to block.

Privacy and Security Tradeoffs

DoH improves privacy from network-level observers but shifts trust to the DoH resolver. If you use Cloudflare's DoH service, Cloudflare sees your queries instead of your ISP. The question becomes: who do you trust more?

Major DoH providers publish transparency reports and commit to minimal logging, but relying on one remains a trust decision. Some organizations run their own DoH resolvers to keep DNS resolution fully in-house.

DoH and BGP

DoH resolvers are reachable via standard IP addresses and their traffic is routed through BGP like any other internet traffic. You can look up the routes to major DoH providers in a BGP looking glass and see how they are connected.
