The Privacy Gap
Traditional DNS sends lookups in plaintext over UDP. Anyone on the path can see which sites you resolve and could tamper with answers. DNS over HTTPS, often shortened to DoH, closes much of this gap.
How DoH Works
DoH carries DNS queries inside an encrypted HTTPS session.
- The resolver runs an HTTPS endpoint.
- The client sends each DNS query as an HTTPS request and reads the answer from the response.
- Because it rides on the standard web port, the traffic blends in with all other HTTPS.
This gives confidentiality against on-path observers and integrity, so answers cannot be silently altered in transit.
Benefits And Tensions
DoH improves privacy but shifts power and creates friction.
- An observer can no longer easily read or hijack your lookups.
- Because queries look like normal web traffic, simple network filters cannot pick them out.
- That same blending frustrates operators who relied on DNS visibility for security and parental controls.
- Trust moves to whoever runs the resolver, who now sees all your queries in one place.
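The visibility tension in the list above, as an added example that is not part of the original text: an operator who can no longer see port-53 queries can still recognise DoH flows from the signals that remain in HTTPS proxy or flow logs, namely the resolver hostname in the TLS SNI, and, only where a TLS-terminating proxy exposes them, the request path and the application/dns-message content type. The log lines and the list of resolver hostnames are constructed for the demonstration.

```python
# Added example, not the page's own code. Hostnames and log lines are constructed.
KNOWN_DOH_HOSTS = {"doh.example.net", "resolver.example.org"}  # assumed operator-maintained list

SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z 10.0.0.5 -> 203.0.113.10:443 sni=doh.example.net path=/dns-query ctype=application/dns-message",
    "2024-01-01T10:00:01Z 10.0.0.5 -> 203.0.113.20:443 sni=www.example.com path=/index.html ctype=text/html",
    "2024-01-01T10:00:02Z 10.0.0.7 -> 203.0.113.30:443 sni=cdn.example.com path=/dns-query ctype=application/dns-message",
    "2024-01-01T10:00:03Z 10.0.0.8 -> 203.0.113.40:443 sni=resolver.example.org path=/ ctype=text/html",
]


def parse_line(line: str) -> dict:
    """Split one constructed log line into a record of key=value fields."""
    ts, src, _arrow, dst, *kvs = line.split()
    rec = {"ts": ts, "src": src, "dst": dst}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def classify(rec: dict) -> list:
    """Return the reasons a flow looks like DoH; an empty list means no signal."""
    reasons = []
    if rec.get("sni") in KNOWN_DOH_HOSTS:
        reasons.append("known-resolver-sni")
    if rec.get("ctype") == "application/dns-message":
        reasons.append("dns-message-content-type")
    if rec.get("path", "").startswith("/dns-query"):
        reasons.append("dns-query-path")
    return reasons


def find_doh_flows(lines: list) -> list:
    """Return (source, sni, reasons) for every flow with at least one DoH signal."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src"], rec.get("sni"), reasons))
    return hits


if __name__ == "__main__":
    for hit in find_doh_flows(SAMPLE_LOGS):
        print(hit)
```

The third sample line shows why a hostname list alone is not enough: a resolver behind an unlisted name is only caught by the path and content type, which are visible only when TLS is terminated at the proxy. Without interception, SNI is the single remaining signal, and it is exactly the signal the blending described above erodes.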
A Centralization Concern
If many clients default to a few large DoH providers, those providers gain a broad view of browsing. Choosing a trusted resolver matters.
Key idea
DNS over HTTPS wraps lookups in encrypted HTTPS so observers cannot read or tamper with them, but it blends into web traffic and shifts trust to the chosen resolver, raising centralization concerns.