DNS-over-HTTPS DoH Complete Guide: Privacy-First DNS Resolution 2026

Introduction

DNS-over-HTTPS (DoH) has emerged as a critical technology for enhancing privacy and security in network communications. By encrypting DNS queries within the HTTPS protocol, DoH prevents eavesdropping, manipulation, and surveillance of DNS traffic.

This comprehensive guide covers everything you need to know about implementing DoH in 2026.

Understanding DNS Privacy

The DNS Problem

Traditional DNS queries are sent in plaintext, exposing user browsing activity to ISPs, network operators, and potential attackers. DoH encrypts these queries within HTTPS traffic, providing privacy and security.

Solution Comparison

Protocol              Port  Encryption  Blocking Risk (how easily it can be blocked)
DNS-over-TLS (DoT)    853   TLS 1.3     Easy
DNS-over-HTTPS (DoH)  443   TLS 1.3     Hard
DNS-over-QUIC (DoQ)   443   QUIC        Hard

DoH Server Implementation

Using Nginx

server {
    listen 443 ssl http2;
    server_name dns.example.com;

    ssl_protocols TLSv1.3;
    # TLS 1.3 suites are not set with ssl_ciphers (that directive only covers
    # TLS 1.2 and below); they go through the OpenSSL Ciphersuites setting.
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384;
    ssl_certificate /etc/ssl/certs/dns.crt;
    ssl_certificate_key /etc/ssl/private/dns.key;

    # RFC 8484 endpoint. Nginx cannot speak DNS itself, so proxy_pass must point
    # at a local DoH-capable HTTP backend (assumed here on 127.0.0.1:8053),
    # never at the plain DNS port 53.
    location = /dns-query {
        # Only the two methods RFC 8484 defines
        limit_except GET POST {
            deny all;
        }
        proxy_pass http://127.0.0.1:8053;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

Using cloudflared

# Install cloudflared
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
chmod +x cloudflared-linux-amd64
sudo mv cloudflared-linux-amd64 /usr/local/bin/cloudflared

# Create config: a local plain-DNS listener on port 5053 that forwards over DoH.
# Upstreams are DoH URLs, not bare resolver IPs.
mkdir -p ~/.cloudflared
cat > ~/.cloudflared/config.yaml <<EOF
proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://1.0.0.1/dns-query
EOF

# Run the forwarder and check that it answers locally
cloudflared --config ~/.cloudflared/config.yaml proxy-dns
dig @127.0.0.1 -p 5053 example.com

Client Configuration

Windows

# Enable DoH in Windows 11 (run as Administrator): register the resolver's DoH
# template, then point the interface at that resolver. 1.1.1.1 is on the built-in
# well-known list, so Set- works; for other resolvers use Add-DnsClientDohServerAddress.
Set-DnsClientDohServerAddress -ServerAddress "1.1.1.1" -DohTemplate "https://1.1.1.1/dns-query" -AllowFallbackToUdp $False -AutoUpgrade $True
Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ServerAddresses "1.1.1.1"

macOS

Configure via System Settings > Privacy & Security > DNS

Linux

# /etc/systemd/resolved.conf
# systemd-resolved has no DoH option (DNSOverTLS=yes only enables DoT), so point
# it at the local cloudflared DoH forwarder from the server section (port 5053).
[Resolve]
DNS=127.0.0.1:5053

Firefox

network.trr.mode = 2
network.trr.uri = https://1.1.1.1/dns-query

Enterprise DoH

Benefits

  • Privacy from ISP logging
  • DNS poisoning prevention
  • Custom filtering policies
  • HTTP/2 performance

Architecture

Deploy internal DoH servers for corporate DNS resolution, with upstream filtering.

DoH Providers

Provider    URL                              Features
Cloudflare  https://1.1.1.1/dns-query        No logging
Google      https://dns.google/dns-query     High availability
Quad9       https://dns.quad9.net            Malware blocking
NextDNS     https://dns.nextdns.io           Customizable
AdGuard     https://dns.adguard-dns.com      Ad blocking

DoH Client Configuration

Browser Configuration

// Firefox DoH configuration
// about:config
network.trr.mode = 2  // TRR (Trusted Recursive Resolver) mode
network.trr.uri = "https://dns.google/dns-query"
network.trr.bootstrapAddress = "8.8.8.8"

macOS DoH Setup

# System preferences > Network > Wi-Fi > Advanced > DNS
# Add DoH servers:
# - https://1.1.1.1/dns-query
# - https://dns.google/dns-query

Linux DoH with systemd-resolved

# /etc/systemd/resolved.conf
# No native DoH in systemd-resolved: DNS= points at the local cloudflared DoH
# forwarder (port 5053). FallbackDNS is plaintext UDP, used only when that fails.
[Resolve]
DNS=127.0.0.1:5053
FallbackDNS=8.8.8.8

Windows DoH

# PowerShell - Enable DoH: register the template, then bind the interface to that resolver
Set-DnsClientDohServerAddress -ServerAddress "1.1.1.1" -DohTemplate "https://1.1.1.1/dns-query" -AllowFallbackToUdp $False -AutoUpgrade $True
Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses "1.1.1.1"

DoH in Enterprise

Split-View DoH

# Enterprise split-view DNS
dns:
  internal:
    doh: "https://internal.company.com/dns"
    filtering: ["malware", "ads"]
  external:
    doh: "https://1.1.1.1/dns-query"

DoH Proxy

# Python DoH proxy example (RFC 8484 pass-through to an upstream DoH resolver)
from flask import Flask, request, Response
import requests

app = Flask(__name__)

UPSTREAM = 'https://1.1.1.1/dns-query'
DNS_MESSAGE = 'application/dns-message'

@app.route('/dns-query', methods=['GET', 'POST'])
def dns_query():
    # Forward to upstream DoH, preserving the RFC 8484 media type
    if request.method == 'GET':
        # GET carries the query as ?dns=<base64url>
        response = requests.get(UPSTREAM, params=request.args,
                                headers={'Accept': DNS_MESSAGE}, timeout=5)
    else:
        # POST carries the raw DNS message in the body
        response = requests.post(UPSTREAM, data=request.get_data(),
                                 headers={'Content-Type': DNS_MESSAGE,
                                          'Accept': DNS_MESSAGE}, timeout=5)

    return Response(response.content, status=response.status_code,
                    content_type=response.headers.get('content-type', DNS_MESSAGE))

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=443, ssl_context=('cert.pem', 'key.pem'))
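The proxy above forwards RFC 8484 messages without looking inside them. The following added example (not code from the original guide) shows what those messages are: it builds a wire-format query, produces the base64url `?dns=` GET form, and decodes a reply, including DNS name compression. The reply is constructed inline, so nothing touches the network.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query: ID 0 and RD set, as RFC 8484 recommends for cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(template: str, msg: bytes) -> str:
    """GET form of a DoH request: ?dns=<base64url without padding> (RFC 8484 section 4.1)."""
    return template + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def read_name(msg: bytes, off: int):
    # Decode a possibly compressed name; returns (name, offset just past it in the stream)
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                 # compression pointer (RFC 1035 section 4.1.4)
            end = end if end is not None else off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_answers(msg: bytes):
    """Return (name, type, ttl, rdata) per answer RR; A-record rdata becomes a dotted quad."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                    # skip the question section (name + type + class)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        answers.append((name, rtype, ttl, ".".join(map(str, rdata)) if rtype == 1 else rdata))
    return answers

def sample_response() -> bytes:
    """Constructed reply to build_query('example.com'); not a captured packet."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + build_query("example.com")[12:] + rr
```

Sending the URL from doh_get_url with an Accept: application/dns-message header to any resolver in the providers table returns a body that parse_answers can decode.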

DoH Performance

Benchmarks

# Test DoH performance
dig +https @1.1.1.1 example.com
dig +https @dns.google example.com
dig +https @dns.quad9.net example.com

HTTP/3 Support

# HTTP/3 DoH servers
servers:
  - url: "https://1.1.1.1/dns-query"
    http3: true
  - url: "https://dns.google/dns-query"
    http3: false

Security Considerations

DoH protects against:

  • ISP surveillance
  • DNS poisoning
  • MITM attacks

DoH does NOT protect against:

  • Server-side logging
  • IP address visibility
  • SNI in TLS handshake
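Because the destination IP and the TLS SNI stay visible, an enterprise running its own DoH server (see the architecture section) can spot clients that bypass it for a public resolver. The following added example (not from the original guide) flags such sessions in constructed connection records; the internal forwarder address 10.0.0.53 and the sample log lines are assumptions, and the resolver names and IPs come from this guide's provider table and client configurations.

```python
import ipaddress
import json

# Public DoH resolvers listed in this guide (names from the providers table,
# IPs from the client configurations).
PUBLIC_DOH_NAMES = {"dns.google", "dns.quad9.net", "dns.nextdns.io", "dns.adguard-dns.com"}
PUBLIC_DOH_IPS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "9.9.9.9")}
# Hypothetical internal DoH forwarder: the only host expected to reach upstream resolvers.
ALLOWED_FORWARDERS = {ipaddress.ip_address("10.0.0.53")}

# Constructed TLS connection records (ts, src, dst, port, sni); not real telemetry.
SAMPLE_LOG = """\
{"ts": "2026-01-10T09:00:01Z", "src": "10.0.5.21", "dst": "1.1.1.1", "port": 443, "sni": "cloudflare-dns.com"}
{"ts": "2026-01-10T09:00:02Z", "src": "10.0.0.53", "dst": "1.1.1.1", "port": 443, "sni": "cloudflare-dns.com"}
{"ts": "2026-01-10T09:00:03Z", "src": "10.0.5.21", "dst": "93.184.216.34", "port": 443, "sni": "example.com"}
{"ts": "2026-01-10T09:00:04Z", "src": "10.0.5.40", "dst": "8.8.8.8", "port": 443, "sni": "dns.google"}
{"ts": "2026-01-10T09:00:05Z", "src": "10.0.5.40", "dst": "203.0.113.9", "port": 443, "sni": ""}
"""

def is_public_doh(dst: str, sni: str) -> bool:
    """SNI is the strongest signal; the destination IP still catches clients that omit it."""
    if sni.lower().rstrip(".") in PUBLIC_DOH_NAMES:
        return True
    return ipaddress.ip_address(dst) in PUBLIC_DOH_IPS

def find_doh_bypass(log_text: str):
    """Flag port-443 sessions to public DoH resolvers from any host other than the forwarder."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["port"] != 443 or ipaddress.ip_address(rec["src"]) in ALLOWED_FORWARDERS:
            continue
        if is_public_doh(rec["dst"], rec.get("sni", "")):
            hits.append((rec["src"], rec["dst"], rec.get("sni") or "<no SNI>"))
    return hits

if __name__ == "__main__":
    for src, dst, sni in find_doh_bypass(SAMPLE_LOG):
        print(f"{src} -> {dst} ({sni}): DoH session outside the internal resolver")
```

The IP match is a heuristic (the same anycast addresses also serve ordinary web content), so treat an IP-only hit as a lead to confirm against the split-view policy, not as proof on its own.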

DoH vs DNS-over-QUIC (DoQ)

# DoQ advantages over DoH
doq_benefits = {
    "faster": "0-RTT connection establishment",
    "better": "Reduced latency on lossy networks",
    "simpler": "No TLS handshake overhead",
    "modern": "Built on QUIC (HTTP/3)"
}

Monitoring DoH

Logging Configuration

# DoH server logging
logging:
  access_log: /var/log/doh-access.log
  error_log: /var/log/doh-error.log
  
  # Log format
  format: '{"time": "$time_iso8601", "client": "$remote_addr", "query": "$query", "status": "$status"}'

Conclusion

DNS-over-HTTPS provides essential privacy and security for modern networks. Implement DoH to protect user privacy while maintaining compatibility with existing infrastructure.
