DNS-over-HTTPS (DoH)
DNS-over-HTTPS (DoH, RFC 8484) carries ordinary DNS messages inside HTTPS requests, so queries and answers between the client and the resolver are encrypted and authenticated by TLS.
Overview
DoH wraps DNS queries between the client and the server in HTTPS, providing:
- Privacy: DNS queries and answers are encrypted, so on-path observers see only a TLS connection to the resolver
- Security: TLS authenticates the resolver and protects the exchange against on-path spoofing and tampering (it does not authenticate the DNS data itself; that is what DNSSEC does)
- Firewall Friendly: works through firewalls and proxies because it looks like ordinary HTTPS on port 443
- Compatibility: uses standard HTTPS, so existing TLS certificates, load balancers and HTTP tooling apply
Server Setup
Generate TLS Certificate
You need a TLS certificate and key file to run a DoH server. Clients validate that certificate the same way a browser does, so for anything beyond local testing use a certificate issued by a CA the clients already trust (for example Let's Encrypt).
Using OpenSSL
A self-signed certificate is suitable for local testing only; clients will reject it unless they are explicitly told to trust cert.pem. Put the hostname clients will connect to in the subject alternative name, because modern TLS clients ignore the CN.
```bash
# Generate private key
openssl genrsa -out key.pem 2048
# Generate a self-signed certificate valid for one year (-addext needs OpenSSL 1.1.1 or later);
# replace "localhost" with the hostname your clients will use
openssl req -new -x509 -key key.pem -out cert.pem -days 365 \
  -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost"
```
Using Let's Encrypt
```bash
# Install certbot
sudo apt-get install certbot
# Get certificate (certbot binds port 80 for the HTTP-01 challenge, so it must be reachable)
sudo certbot certonly --standalone -d your-domain.com
```
certbot writes the certificate chain and key to /etc/letsencrypt/live/your-domain.com/fullchain.pem and privkey.pem; point --tls-cert and --tls-key at those files.
Using Command Line
```bash
dns server --port 53 --doh --tls-cert cert.pem --tls-key key.pem
```
Using Configuration File
```yaml
server:
  port: 53
  doh:
    enabled: true
    port: 443
    tls:
      cert: "/path/to/cert.pem"
      key: "/path/to/key.pem"
```
Start the server:
```bash
dns server --config config.yaml
```
Custom DoH Port
Default DoH port is 443. You can change it:
```bash
dns server --port 53 --doh --doh-port 8443 --tls-cert cert.pem --tls-key key.pem
```
Or in config file:
```yaml
doh:
  enabled: true
  port: 8443 # Custom DoH port
  tls:
    cert: "/path/to/cert.pem"
    key: "/path/to/key.pem"
```
Client Usage
Query Using DoH
```bash
dns client lookup example.com --server https://your-doh-server:443/dns-query
```
Popular DoH Servers
- Cloudflare: https://cloudflare-dns.com/dns-query
- AdGuard: https://dns.adguard.com/dns-query
- Google: https://dns.google/dns-query
- Quad9: https://dns.quad9.net/dns-query
Whichever resolver you choose sees every name you look up in clear text once the request is decrypted; DoH hides queries from the network path, not from the resolver operator.
Testing
Test DoH Server
```bash
# Query your DoH server
dns client lookup example.com --server https://localhost:443/dns-query
```
This succeeds only if the client trusts the server certificate and the certificate's subject alternative name matches the hostname in the URL (localhost here).
Verify Certificate
```bash
# Inspect the handshake and the certificate chain the server presents
openssl s_client -connect localhost:443 -servername localhost
```
The output ends with "Verify return code: 0 (ok)" when the chain validates against the local trust store; a self-signed test certificate produces a non-zero code such as 18 (self-signed certificate) instead.
Test with curl
query.bin must contain a complete wire-format DNS message (RFC 1035), not a hostname. With a self-signed certificate pass --cacert cert.pem rather than -k, which disables verification entirely.
```bash
# Test DoH endpoint with curl (POST form)
curl -H "Accept: application/dns-message" \
     -H "Content-Type: application/dns-message" \
     --data-binary @query.bin \
     https://localhost:443/dns-query
```
DoH (RFC 8484) carries the unmodified DNS wire-format message inside an HTTPS request and response:
- Method: GET, with the message base64url-encoded without padding in the dns= query parameter, or POST, with the raw message as the request body
- Content-Type: application/dns-message for POST bodies and for every response
- Endpoint: /dns-query (default)
- Port: 443 (default)
- HTTP version: RFC 8484 recommends HTTP/2 as the minimum, so many queries can share one TLS connection
- Caching: a server should set Cache-Control max-age no larger than the smallest TTL in the answer, and GET clients should send DNS ID 0 so identical questions produce identical, cacheable URLs
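The following is an added example, not code from the DNS tool this page documents, showing the message-level side of the protocol described above and producing the query.bin that the curl test needs: it builds a wire-format query, encodes it for the GET dns= parameter exactly as RFC 8484 specifies (for www.example.com it reproduces the value in the RFC's own GET example), decodes that parameter the way a server must, parses a response with bounded compression-pointer handling, and derives the Cache-Control max-age a server should send. The endpoint https://localhost:8443/dns-query is hypothetical and SAMPLE_RESPONSE is constructed by hand, not captured from a real resolver.

```python
"""RFC 8484 DNS-over-HTTPS message handling. Added example, not code from the
DNS tool this page documents: build a wire-format query, encode it for the GET
dns= parameter, decode it server-side, parse a response, derive Cache-Control."""
import base64
import struct
import urllib.request

DOH_MEDIA_TYPE = "application/dns-message"

def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Wire-format query (RFC 1035): RD=1, one question, class IN. ID 0 is
    deliberate for GET (RFC 8484 4.1): identical questions give identical,
    cacheable URLs."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def encode_get_param(wire: bytes) -> str:
    """base64url without padding, as the dns= parameter requires."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def decode_get_param(param: str) -> bytes:
    """Server side: restore padding, reject sizes no DNS message can have."""
    wire = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    if not 12 <= len(wire) <= 65535:
        raise ValueError("dns parameter is not a valid DNS message size")
    return wire

def _read_name(msg: bytes, offset: int) -> tuple:
    """Read a possibly compressed name; pointer chasing is bounded so a
    crafted message cannot loop the parser forever."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_response(msg: bytes) -> tuple:
    """Return (rcode, answers); each answer is (name, type, ttl, rdata text)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        text = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0xF, answers

def cache_max_age(msg: bytes) -> int:
    """RFC 8484 5.1: HTTP freshness must not exceed the smallest TTL answered."""
    return min((ttl for _, _, ttl, _ in parse_response(msg)[1]), default=0)

def doh_post(endpoint: str, wire: bytes, timeout: float = 5.0) -> bytes:
    """POST form. urlopen validates the certificate against the system trust
    store; do not hand it an unverified context just to accept a test cert."""
    req = urllib.request.Request(endpoint, data=wire, method="POST",
        headers={"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.headers.get_content_type() != DOH_MEDIA_TYPE:
            raise ValueError("server did not answer with application/dns-message")
        return resp.read()

# Constructed sample response (not captured from a real server): example.com/A,
# one A record 192.0.2.1 (RFC 5737 documentation range), TTL 300, with a
# compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    wire = build_query("example.com")
    open("query.bin", "wb").write(wire)  # the body for the curl POST test above
    # Hypothetical local server; this GET URL works with curl plus the Accept header.
    print("GET https://localhost:8443/dns-query?dns=" + encode_get_param(wire))
    print(parse_response(SAMPLE_RESPONSE), "max-age", cache_max_age(SAMPLE_RESPONSE))
```

Running the script writes query.bin for the curl POST test and prints the equivalent GET URL; passing that URL to curl with the Accept: application/dns-message header exercises the GET form. Note that decode_get_param only checks the size; a server still has to parse the message before trusting it, and _read_name shows why the parser must cap compression-pointer hops.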
Advantages
- Firewall Friendly: Uses port 443, same as HTTPS traffic
- Proxy Compatible: Works through HTTP proxies
- Standard Protocol: Uses well-established HTTPS
- Privacy: Encrypted DNS queries
Limitations
- Latency: HTTP framing on top of TLS adds overhead compared with DoT/DoQ, most noticeably on the first query over a new connection
- Connection Overhead: a client that opens a fresh HTTPS connection per query pays a TCP and TLS handshake each time; reusing a persistent connection (HTTP/2 multiplexes many queries over one) removes that cost
- Port Conflicts: if port 443 is already in use, for example by a web server, run DoH on another port with --doh-port
Security Considerations
- Certificate Validation: clients verify the server certificate against their trust store and check that its subject alternative name matches the hostname in the URL, so use a CA-issued certificate for production; never disable verification (curl -k and similar "insecure" client options), since that reintroduces exactly the on-path tampering DoH is meant to prevent
- Firewall: open the DoH port (443 by default) in your firewall if needed; the plain DNS listener on port 53 stays unencrypted, so decide separately whether to expose it
- Certificate Renewal: Let's Encrypt certificates expire after 90 days; set up automatic renewal (certbot renew via its timer or cron) and restart or reload the server so it picks up the new files
- HTTPS Security: require TLS 1.2 or later, keep the private key readable only by the account the server runs as, and remember that the resolver sees every query in clear text once it is decrypted
Comparison with Other Protocols
| Feature | DoH | DoT | DoQ |
|---|---|---|---|
| Port | 443 | 853 (TCP) | 853 (UDP) |
| Firewall Friendly | ✅ | ⚠️ | ⚠️ |
| Latency | Medium | Low | Very Low |
| Connection Multiplexing | ✅ (HTTP/2 streams) | ⚠️ (pipelining on one TCP connection, subject to head-of-line blocking) | ✅ (QUIC streams) |
| Proxy Support | ✅ | ❌ | ❌ |
Next Steps
- Server Usage - Learn more about DNS server
- Client Usage - Learn how to use the DNS client
- Configuration - Learn about configuration options
- DoH and DoQ Examples - See practical examples