DNS over HTTPS

{{short description|Protocol to run DNS queries over HTTPS}}

{{Infobox networking protocol

| title = DNS over HTTPS

| logo =

| logo alt =

| image =

| image alt =

| caption =

| is stack = no

| purpose = encapsulate DNS in HTTPS for privacy and security

| developer =

| date = {{Start date and age|2018|10}}

| based on =

| influenced =

| osilayer = Application layer

| ports =

| rfcs = {{IETF RFC|8484|plainlink=yes}}

| hardware =

}}

{{Security protocol}}

{{Redirect|DoH|other uses|Doh (disambiguation){{!}}Doh}}

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by encrypting the data between the DoH client and the DoH-based DNS resolver with HTTPS,{{Cite web |date=2024-01-17 |title=DNS over HTTPS · Cloudflare 1.1.1.1 docs |url=https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/ |access-date=2024-02-21 |website=Cloudflare Docs |language=en}} thereby preventing eavesdropping on, and manipulation of, DNS data by man-in-the-middle attacks.{{Cite news|url=https://www.theregister.co.uk/2017/12/14/protecting_dns_privacy/|title=IETF protects privacy and helps net neutrality with DNS over HTTPS|access-date=2018-03-21|language=en|first=Richard|last=Chirgwin|date=14 Dec 2017|website=The Register|archive-url=https://web.archive.org/web/20171214204526/https://www.theregister.co.uk/2017/12/14/protecting_dns_privacy/|archive-date=14 December 2017|url-status=live}} By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS.{{Cite web |title=DNS-over-HTTPS {{!}} Public DNS {{!}} Google Developers |url=https://developers.google.com/speed/public-dns/docs/doh |url-status=live |archive-url=https://web.archive.org/web/20180320142138/https://developers.google.com/speed/public-dns/docs/dns-over-https |archive-date=2018-03-20 |access-date=2018-03-21 |website=Google Developers |language=en}}{{Cite news|url=https://www.bleepingcomputer.com/news/software/mozilla-is-testing-dns-over-https-support-in-firefox/|title=Mozilla Is Testing "DNS over HTTPS" Support in Firefox|first=Catalin|last=Cimpanu|work=BleepingComputer|access-date=2018-03-21|date=2018-03-20|language=en-us|archive-url=https://web.archive.org/web/20180320190227/https://www.bleepingcomputer.com/news/software/mozilla-is-testing-dns-over-https-support-in-firefox/|archive-date=2018-03-20|url-status=live}} Google provides two endpoints: one for its 2018 JSON API and one for an RFC 8484 API. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States.{{Cite web|url=https://whatsnewinpublishing.com/a-long-overdue-technological-shift-toward-online-privacy-firefox-encrypts-domain-names-google-to-follow/|title="A long-overdue technological shift toward online privacy": Firefox encrypts domain names. Google to follow.|date=2020-02-26|website=What's New in Publishing {{!}} Digital Publishing News|language=en-US|access-date=2020-02-26|archive-url=https://web.archive.org/web/20200226212218/https://whatsnewinpublishing.com/a-long-overdue-technological-shift-toward-online-privacy-firefox-encrypts-domain-names-google-to-follow/|archive-date=2020-02-26|url-status=live}} In May 2020, Chrome 83 began upgrading to DNS over HTTPS by default where the user's configured resolver offers it.{{Cite web |date=2020-05-20 |title=Google Makes DNS Over HTTPS Default in Chrome |url=https://duo.com/decipher/google-makes-dns-over-https-default-in-chrome |access-date=2024-03-29 |website=Decipher |language=en}}

An alternative to DoH is the DNS over TLS (DoT) protocol, a similar standard for encrypting DNS queries. Both rely on TLS; they differ mainly in transport. DoT carries DNS messages directly over a TLS connection on a dedicated port (853), which makes the traffic easy to identify and, if desired, block, whereas DoH carries them inside HTTP on port 443, where they are indistinguishable from other HTTPS traffic. Whether either protocol is superior on privacy and security grounds is debated, while others argue that the merits of either depend on the specific use case.{{Cite news |last=Claburn |first=Thomas |title=Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83... with a handy kill switch for corporate IT |date=2020-05-20 |url=https://www.theregister.com/2020/05/20/google_chrome_83/ |access-date=2021-02-03 |website=The Register |language=en}}

Technical details

DoH is a proposed standard, published as {{IETF RFC|8484}} (October 2018) by the IETF. A DoH client takes a single DNS query in the existing wire format (the same byte layout used in UDP and TCP DNS) and sends it in an HTTPS request, either as the body of a POST or base64url-encoded in the <code>dns</code> query parameter of a GET; request and response bodies use the MIME type <code>application/dns-message</code>, and the response is the same wire-format message a UDP resolver would return.{{Cite web|url=https://datatracker.ietf.org/doc/rfc8484/|title=RFC 8484 - DNS Queries over HTTPS|website=datatracker.ietf.org|language=en|access-date=2018-05-20|first1=P|last1=Hoffman|first2=P|last2=McManus|archive-url=https://web.archive.org/web/20181212024431/https://datatracker.ietf.org/doc/rfc8484/|archive-date=2018-12-12|url-status=live}}{{rp|at=§4.1}} The underlying HTTP layer can be any version of HTTP, though HTTP/2 is the recommended minimum.{{rp|at=§5.2}} If HTTP/2 is used, the server may also use HTTP/2 server push to send, in advance, values that it anticipates the client will find useful.{{rp|at=§5.3}}

DoH is a work in progress. Even though the IETF has published RFC 8484 as a proposed standard and companies are experimenting with it,{{Cite web|url=https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html|title=Experimenting with same-provider DNS-over-HTTPS upgrade|website=Chromium Blog|language=en|access-date=2019-09-13|archive-url=https://web.archive.org/web/20190912084004/https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html|archive-date=2019-09-12|url-status=live}}{{Cite web|url=https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default|title=What's next in making Encrypted DNS-over-HTTPS the Default|last=Deckelmann|first=Selena|website=Future Releases|date=6 September 2019 |language=en-US|access-date=2019-09-13|archive-url=https://web.archive.org/web/20190914063121/https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/|archive-date=2019-09-14|url-status=live}} the IETF has yet to determine how it should best be deployed, in particular how a client should discover which encrypted resolver to use. The IETF is evaluating a number of approaches and has established a working group, [https://datatracker.ietf.org/wg/add/about/ Adaptive DNS Discovery (ADD)], to do this work and develop a consensus. In addition, other industry working groups such as the [https://www.encrypted-dns.org Encrypted DNS Deployment Initiative] have been formed to "define and adopt DNS encryption technologies in a manner that ensures the continued high performance, resiliency, stability and security of the Internet's critical namespace and name resolution services, as well as ensuring the continued unimpaired functionality of security protections, parental controls, and other services that depend upon the DNS".{{Cite web|url=https://www.encrypted-dns.org/about|title=About|website=Encrypted DNS Deployment Initiative|language=en-US|access-date=2019-09-13|archive-url=https://web.archive.org/web/20191204075913/https://www.encrypted-dns.org/about|archive-date=2019-12-04|url-status=live}}

Since DoH cannot be used under some circumstances, such as behind captive portals, web browsers like Firefox can be configured to fall back to unencrypted DNS.{{Cite web|url=https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/|title=Improving DNS Privacy in Firefox|website=Mozilla Nightly News|date=1 June 2018}} Such a fallback trades security for reachability: an on-path attacker who blocks the DoH endpoint can force the client back to unencrypted DNS, so a fallback-enabled configuration only protects against passive eavesdropping, not against an active adversary.

Oblivious DNS over HTTPS

Oblivious DNS over HTTPS (ODoH) is an experimental standard, published as {{IETF RFC|9230}} (June 2022) by the IETF proposing a protocol extension to ensure no single DoH server is aware of both the client's IP address and the content of their DNS queries and responses. Oblivious DoH was originally developed as Oblivious DNS (ODNS){{Cite journal|last1=Schmitt|first1=Paul|last2=Edmundson|first2=Anne|last3=Feamster|first3=Nick|title=Oblivious DNS: Practical Privacy for DNS Queries|url=https://petsymposium.org/2019/files/papers/issue2/popets-2019-0028.pdf|journal=Privacy Enhancing Technologies |date=2019|volume=2019 |issue=2 |pages=228–244 |doi=10.2478/popets-2019-0028 |arxiv=1806.00276 |s2cid=44126163 }} by researchers at Princeton University and the University of Chicago as an extension to unencrypted DNS, before DoH itself was standardized and widely deployed. Apple and Cloudflare subsequently deployed the technology in the context of DoH, as Oblivious DoH (ODoH).{{cite web |title=Oblivious DNS Deployed by Cloudflare and Apple |date=9 December 2020 |url=https://medium.com/noise-lab/oblivious-dns-deployed-by-cloudflare-and-apple-1522ccf53cab |access-date=27 July 2022}}

In ODoH and ODNS, all DNS requests and responses are routed via a proxy, hiding the client's address from the resolver. Requests and responses are encrypted to hide their contents from the proxy, and only the resolver can decrypt the requests, and the client the responses. Thus, the proxy knows the client address and resolver but not the request, and the resolver knows the proxy and request but not the client address, preventing the client address being linked to the query, unless both the proxy and resolver servers collude.{{Cite journal|last1=McManus|first1=Patrick|last2=Wood|first2=Christopher|last3=Kinnear|first3=Eric|last4=Pauly|first4=Tommy|title=Oblivious DNS Over HTTPS|url=https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-04.html|access-date=2021-03-17|newspaper=Ietf Datatracker|language=en}}{{cite arXiv |eprint=2011.10121|last1=Singanamalla|first1=Sudheesh|last2=Chunhapanya|first2=Suphanat|last3=Vavruša|first3=Marek|last4=Verma|first4=Tanya|last5=Wu|first5=Peter|last6=Fayed|first6=Marwan|last7=Heimerl|first7=Kurtis|last8=Sullivan|first8=Nick|last9=Wood|first9=Christopher|title=Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS|year=2020|class=cs.CR}}{{Cite web|last=Goodin|first=Dan|date=2020-12-08|title=Cloudflare, Apple, and others back a new way to make the Internet more private|url=https://arstechnica.com/information-technology/2020/12/cloudflare-apple-and-others-back-a-new-way-to-make-the-internet-more-private/|access-date=2021-03-14|website=Ars Technica|language=en-us}}{{Cite web|title=Cloudflare and Apple design a new privacy-friendly internet protocol|url=https://techcrunch.com/2020/12/08/cloudflare-and-apple-design-a-new-privacy-friendly-internet-protocol/|access-date=2021-03-17|website=TechCrunch|date=8 December 2020 |language=en-US}}

Deployment scenarios

DoH is used between a DNS client (a stub resolver, an application, or a forwarding proxy) and a recursive resolver. The DoH client must know the URI template of a DoH server hosting a query endpoint.{{Cite web|url=https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https/|title=draft-ietf-doh-dns-over-https-08 - DNS Queries over HTTPS|website=datatracker.ietf.org|language=en|access-date=2018-05-20|first1=P|last1=Hoffman|first2=P|last2=McManus|archive-url=https://web.archive.org/web/20180425194057/https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https/|archive-date=2018-04-25|url-status=live}}

Three usage scenarios are common:

  • Using a DoH implementation within an application: Some browsers have a built-in DoH implementation and can thus perform queries by bypassing the operating system's DNS functionality. A drawback is that an application may not inform the user when it silently falls back to unencrypted DNS, whether because of misconfiguration or because DoH is unsupported in that environment.
  • Installing a DoH proxy on the name server in the local network: In this scenario client systems continue to use conventional DNS (port 53) or DoT (port 853) to query the name server in the local network, which then obtains the necessary replies via DoH from DoH servers on the Internet. This method is transparent to the end user, but the local network segment between clients and the proxy remains unencrypted if conventional DNS is used there.
  • Installing a DoH proxy on a local system: In this scenario, operating systems are configured to query a locally running DoH proxy. In contrast to the previous method, the proxy needs to be installed on each system wishing to use DoH, which might require a lot of effort in larger environments.

Software support

= Operating systems =

== Apple ==

Apple's iOS 14 and macOS 11, released in late 2020, support both the DoH and DoT protocols.{{Cite web|last=Spadafora|first=Anthony|title=Apple devices will get encrypted DNS in iOS 14 and macOS 11|url=https://www.techradar.com/news/apple-devices-will-get-encrypted-dns-in-ios-14-and-macos-11|url-status=live|archive-url=https://web.archive.org/web/20200701191540/https://www.techradar.com/news/apple-devices-will-get-encrypted-dns-in-ios-14-and-macos-11|archive-date=2020-07-01|access-date=2020-07-01|website=TechRadar|date=29 June 2020|language=en}}{{Cite web|last=Cimpanu|first=Catalin|title=Apple adds support for encrypted DNS (DoH and DoT)|url=https://www.zdnet.com/article/apple-adds-support-for-encrypted-dns-doh-and-dot/|url-status=live|archive-url=https://web.archive.org/web/20200627171139/https://www.zdnet.com/article/apple-adds-support-for-encrypted-dns-doh-and-dot/|archive-date=2020-06-27|access-date=2020-07-02|website=ZDNet|language=en}} In iOS, the protocols can be used via configuration profiles.

== Windows ==

In November 2019, Microsoft announced plans to implement support for encrypted DNS protocols in Microsoft Windows, beginning with DoH.{{Cite web|last=Gallagher|first=Sean|date=2019-11-19|title=Microsoft says yes to future encrypted DNS requests in Windows|url=https://arstechnica.com/information-technology/2019/11/microsoft-announces-plans-to-support-encrypted-dns-requests-eventually/|url-status=live|archive-url=https://web.archive.org/web/20191119235645/https://arstechnica.com/information-technology/2019/11/microsoft-announces-plans-to-support-encrypted-dns-requests-eventually/|archive-date=2019-11-19|access-date=2019-11-20|website=Ars Technica|language=en-us}} In May 2020, Microsoft released Windows 10 Insider Preview Build 19628, which included initial support for DoH{{Cite web|date=13 May 2020|title=Announcing Windows 10 Insider Preview Build 19628|url=https://blogs.windows.com/windowsexperience/2020/05/13/announcing-windows-10-insider-preview-build-19628/|url-status=live|archive-url=https://web.archive.org/web/20200518220620/https://blogs.windows.com/windowsexperience/2020/05/13/announcing-windows-10-insider-preview-build-19628/|archive-date=18 May 2020|access-date=13 May 2020}} along with instructions on how to enable it via the registry and the command line.{{cite web |title=Windows Insiders can now test DNS over HTTPS |date=13 May 2020 |url=https://techcommunity.microsoft.com/t5/networking-blog/windows-insiders-can-now-test-dns-over-https/ba-p/1381282 |access-date=7 July 2020 |archive-url=https://web.archive.org/web/20200515031725/https://techcommunity.microsoft.com/t5/networking-blog/windows-insiders-can-now-test-dns-over-https/ba-p/1381282 |archive-date=15 May 2020 |url-status=live }} Windows 10 Insider Preview Build 20185 added a graphical user interface for specifying a DoH resolver.{{Cite web|last=Brinkmann|first=Martin|date=6 August 2020|title=Windows 10 build 20185 comes with encrypted DNS settings - gHacks Tech News|url=https://www.ghacks.net/2020/08/06/windows-10-build-20185-comes-with-encrypted-dns-settings/|url-status=live|archive-url=https://web.archive.org/web/20200815154630/https://www.ghacks.net/2020/08/06/windows-10-build-20185-comes-with-encrypted-dns-settings/ |archive-date=2020-08-15 |access-date=2020-08-06|website=gHacks Tech News}} DoH support is not included in the released Windows 10 21H2.{{Cite web|last=MandiOhlinger|title=What's new in Windows 10, version 21H2 for IT pros - What's new in Windows|url=https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-21h2|access-date=2022-02-09|website=docs.microsoft.com|language=en-us}}

Windows 11 has DoH support.{{Cite web|date=2021-07-28|title=How to Configure and Use DNS-Over-HTTPS (DoH) in Windows 11|url=https://appuals.com/configure-doh-windows-11/|access-date=2021-10-20|website=Appuals.com|language=en-US}}

== Android ==

Android 11 and later support DNS over HTTP/3 (DoH3), that is, DoH carried over HTTP/3 and QUIC rather than HTTP/2 over TCP, once the July 2022 system update is installed.{{cite web |title=DNS-over-HTTP/3 in Android |url=https://security.googleblog.com/2022/07/dns-over-http3-in-android.html |website=Google Online Security Blog |language=en}}

= Recursive DNS resolvers =

{{See also|Comparison of DNS server software#Feature_matrix}}

== BIND ==

BIND 9, an open source DNS resolver from Internet Systems Consortium added native support for DoH in version 9.17.10.{{cite web |last1=Boldariev |first1=Artem |title=BIND Implements DoH |url=https://www.isc.org/blogs/bind-implements-doh-2021/ |website=ISC web site |date=17 February 2021 |publisher=Internet Systems Consortium |access-date=17 February 2021}}

== PowerDNS ==

DNSdist, an open source DNS proxy/load balancer from PowerDNS, added native support for DoH in version 1.4.0 in April 2019.{{Cite web|date=2019-04-26|title=dnsdist 1.4.0-alpha2 with DNS over HTTPS support|url=https://blog.powerdns.com/2019/04/26/dnsdist-1-4-0-alpha2-with-dns-over-https-support/|access-date=2021-05-10|website=PowerDNS Blog|language=en}}

== Unbound ==

Unbound, an open source DNS resolver created by NLnet Labs, has supported DoH since version 1.12.0, released in October 2020.{{cite web |last1=Wijngaards |first1=Wouter |title=Unbound 1.12.0 released |url=https://www.nlnetlabs.nl/news/2020/Oct/08/unbound-1.12.0-released/ |website=NLnet Labs |date=8 October 2020 |access-date=24 October 2020}}{{cite web |last1=Dolmans |first1=Ralph |title=DNS-over-HTTPS in Unbound |url=https://blog.nlnetlabs.nl/dns-over-https-in-unbound/ |website=The NLnet Labs Blog |date=9 October 2020 |access-date=24 October 2020}} It first implemented support for DNS encryption using the alternative DoT protocol much earlier, starting with version 1.4.14, released in December 2011.{{cite web |last1=Wijngaards |first1=Wouter |title=Unbound 1.4.14 release |url=https://lists.nlnetlabs.nl/pipermail/unbound-users/2011-December/002155.html |website=Unbound-users mailing list |date=19 December 2011 |access-date=24 October 2020}}{{cite web |last1=Wijngaards |first1=Wouter |title=dns over ssl support |url=https://github.com/NLnetLabs/unbound/commit/aa0536dcb5846206d016a03d8d66ad4279247d9e |website=GitHub |access-date=24 October 2020 }} Unbound runs on most operating systems, including distributions of Linux, BSD, macOS, and Windows.

= Web browsers =

{{See also|Comparison of web browsers#Protocol_support}}

== Google Chrome ==

DNS over HTTPS is available in Google Chrome 83 or later for Windows, Linux, and macOS, configurable via the settings page. When enabled, and the operating system's configured DNS server belongs to a provider known to Chrome to offer DoH, Chrome upgrades queries to that same provider's DoH endpoint, so the resolver operator, and any filtering it applies, does not change.{{cite web |title=DNS over HTTPS (aka DoH) |url=https://www.chromium.org/developers/dns-over-https |access-date=23 May 2020 |archive-url=https://web.archive.org/web/20200527144344/https://www.chromium.org/developers/dns-over-https |archive-date=27 May 2020 |url-status=live }} It is also possible to manually specify a preset or custom DoH server within the user interface.{{cite web |title=Chrome 83: rollout of DNS over HTTPS (Secure DNS) begins |date=20 May 2020 |url=https://www.ghacks.net/2020/05/20/chrome-83-rollout-of-dns-over-https-secure-dns-begins/ |access-date=20 July 2020 |archive-url=https://web.archive.org/web/20200601172707/https://www.ghacks.net/2020/05/20/chrome-83-rollout-of-dns-over-https-secure-dns-begins/ |archive-date=1 June 2020 |url-status=live }}

In September 2020, Google Chrome for Android began staged rollout of DNS over HTTPS. Users can configure a custom resolver or disable DNS over HTTPS in settings.{{Cite news|last=Catalin Cimpanu|title=DNS-over-HTTPS (DoH) support added to Chrome on Android|language=en|work=ZDNet|url=https://www.zdnet.com/article/dns-over-https-doh-support-added-to-chrome-on-android/|access-date=2021-02-03}}

Google Chrome has 5 DNS over HTTPS providers pre-configured which are Google Public DNS, Cloudflare's 1.1.1.1, Quad9's 9.9.9.9, NextDNS, and CleanBrowsing.{{Cite web |title=DNS over HTTPS (aka DoH) |url=https://www.chromium.org/developers/dns-over-https/ |access-date=2022-05-05 |website=www.chromium.org}}

== Microsoft Edge ==

Microsoft Edge supports DNS over HTTPS, configurable via the settings page. When enabled, and the operating system is configured with a supported DNS server, Edge will upgrade DNS queries to be encrypted. It is also possible to manually specify a preset or custom DoH server to use within the user interface.{{Cite web|title=How to enable DNS-over-HTTPS (DoH) in Windows 10|url=https://www.bleepingcomputer.com/news/microsoft/how-to-enable-dns-over-https-doh-in-windows-10/|access-date=2021-01-23|website=BleepingComputer|language=en-us}}

== Mozilla Firefox ==

[[File:DNS over HTTPS information on Firefox 89 screenshot.png|thumb|DNS over HTTPS information shown in Firefox 89]]

In 2018, Mozilla partnered with Cloudflare to deliver DoH for Firefox users that enable it (known as Trusted Recursive Resolver).[https://wiki.mozilla.org/Trusted_Recursive_Resolver Trusted Recursive Resolver] On February 25, 2020, Firefox started enabling DNS over HTTPS for all US-based users, relying on Cloudflare's resolver by default.{{Cite web|title=Firefox continues push to bring DNS over HTTPS by default for US users|url=https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users|last=Deckelmann|first=Selena|website=The Mozilla Blog|language=en-US|access-date=2020-05-28|archive-url=https://web.archive.org/web/20200527153025/https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/|archive-date=2020-05-27|url-status=live}}

== Opera ==

Opera supports DoH, configurable via the browser settings page.{{cite web |title=Changelog for 67 |date=3 December 2019 |url=https://blogs.opera.com/desktop/changelog-for-67/#b3575.2 |access-date=23 August 2020}} By default, DNS queries are sent to Cloudflare servers.{{cite web |title=Here's how to enable DoH in each browser, ISPs be damned |website=ZDNet |url=https://www.zdnet.com/article/dns-over-https-will-eventually-roll-out-in-all-major-browsers-despite-isp-opposition/ |access-date=28 May 2020 |archive-url=https://web.archive.org/web/20200609011759/https://www.zdnet.com/article/dns-over-https-will-eventually-roll-out-in-all-major-browsers-despite-isp-opposition/ |archive-date=9 June 2020 |url-status=live }}

= Public DNS servers =

{{Main|Public recursive name server}}

Several public DNS providers operate DoH resolvers free of charge.

Implementation considerations

Many issues with how to properly deploy DoH are still being resolved by the internet community, including, but not limited to:

  • Preventing third parties, such as enterprise network operators, from analyzing DNS traffic for security purposes
  • Disruption of DNS-level parental controls and content filters
  • Split DNS in enterprise networks, where internal names resolve only on the internal resolver that a browser-level DoH client bypasses{{Citation needed |date=March 2021}}
  • CDN localization, which relies on the resolver's location approximating the client's{{Citation needed |date=March 2021}}

= Analysis of DNS traffic for security purposes =

DoH can impede analysis and monitoring of DNS traffic for cybersecurity purposes, because queries travel inside ordinary HTTPS connections rather than on port 53; the 2019 Godlua DDoS malware used DoH to hide the lookups that located its command-and-control server.{{Cite web|last=Cimpanu|first=Catalin|title=DNS-over-HTTPS causes more problems than it solves, experts say|url=https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/|access-date=2019-11-19|website=ZDNet|language=en|archive-url=https://web.archive.org/web/20191108033455/https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/|archive-date=2019-11-08|url-status=live}}{{Cite web|url=https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/|title=First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol|last=Cimpanu|first=Catalin|website=ZDNet|language=en|access-date=2019-11-19|archive-url=https://web.archive.org/web/20191027071310/https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/|archive-date=2019-10-27|url-status=live}}

In January 2021, the U.S. National Security Agency (NSA) warned enterprises against using external DoH resolvers because they prevent DNS query filtering, inspection, and audit. Instead, the NSA recommends configuring enterprise-owned DoH resolvers and blocking all known external DoH resolvers.{{Cite web|last=Goodin|first=Dan|date=2021-01-15|title=The NSA warns enterprises to beware of third-party DNS resolvers|url=https://arstechnica.com/information-technology/2021/01/the-nsa-warns-enterprises-to-beware-of-third-party-dns-resolvers/|access-date=2021-03-17|website=Ars Technica|language=en-us}}
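As an added illustration of the policy described above, and not code from the article, the NSA, or any product, the following Python applies the recommended rule (allow the enterprise's own DoH resolver, block known external ones, and flag DoH to anything else) to constructed proxy log lines. The log format, the hypothetical internal resolver name <code>doh.corp.example</code>, and the deny-list entries are assumptions made for this example; a real deployment maintains its own lists. The media-type and <code>dns=</code> parameter checks only work where a proxy terminates TLS; without inspection only the host name from SNI or a CONNECT request is visible, which is why the host deny-list is consulted first.

```python
import re
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 section 6

# Assumption for this example: the enterprise's own DoH resolver (hypothetical name).
INTERNAL_DOH_HOSTS = {"doh.corp.example"}

# Illustrative deny-list of public DoH endpoints; an operator maintains the real one.
KNOWN_EXTERNAL_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed log format (not from any real product):
# timestamp client method url status response-content-type
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)

# Constructed sample lines: an external resolver, the internal resolver, DoH to an
# unlisted host, an ordinary page fetch, and a blocked attempt to a listed resolver.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 GET https://dns.google/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB 200 application/dns-message
2024-03-01T10:00:02Z 10.0.0.7 POST https://doh.corp.example/dns-query 200 application/dns-message
2024-03-01T10:00:03Z 10.0.0.9 POST https://cdn.example.net/api/v1/lookup 200 application/dns-message
2024-03-01T10:00:04Z 10.0.0.5 GET https://www.example.com/index.html 200 text/html
2024-03-01T10:00:05Z 10.0.0.9 GET https://cloudflare-dns.com/dns-query 403 text/plain
"""


def looks_like_doh(url, ctype):
    """DoH is recognisable by its media type or by the GET 'dns' parameter.

    Both are only visible to a proxy that terminates TLS; a pure SNI-based
    control sees the host name alone.
    """
    media_type = ctype.split(";")[0].strip().lower()
    return media_type == DOH_MEDIA_TYPE or "dns" in parse_qs(urlsplit(url).query)


def classify(host, url, ctype):
    """Return (verdict, reason), or None when the request is not DoH-related."""
    if host in KNOWN_EXTERNAL_DOH_HOSTS:
        return "block", "known external DoH resolver"
    if looks_like_doh(url, ctype):
        if host in INTERNAL_DOH_HOSTS:
            return "allow", "enterprise DoH resolver"
        # Resolvers on neither list: malware can run or rent its own DoH server.
        return "block", "DoH to an unlisted resolver"
    return None


def audit(log_text):
    """Apply the policy to every parseable log line; return one finding per DoH request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        host = (urlsplit(m["url"]).hostname or "").lower()
        result = classify(host, m["url"], m["ctype"])
        if result is not None:
            verdict, reason = result
            findings.append({"client": m["client"], "host": host,
                             "verdict": verdict, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The deny-list match on the fifth line fires even though the proxy already returned 403 and the body was <code>text/plain</code>: host-based blocking is the only control that survives when TLS is not inspected, and it is also the one that misses the third line, where a resolver on no list is reached.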

= Disruption of content filters =

DoH has been used to bypass parental controls that operate at the (unencrypted) standard DNS level. However, there are DNS providers that offer filtering and parental controls along with support for DoH by operating their own DoH servers, so that the filtering moves with the client to the encrypted resolver.{{cite news |last1=Gallagher |first1=Sean |title=New Quad9 DNS service blocks malicious domains for everyone |url=https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/ |access-date=14 November 2021 |publisher=Ars Technica |date=16 November 2017 |quote=The system blocks domains associated with botnets, phishing attacks, and other malicious Internet hosts.}}{{Cite web |title=NextDNS |url=https://nextdns.io/ |access-date=2023-12-16 |website=NextDNS |language=en}}

The Internet Service Providers Association (ISPA), a trade association representing British ISPs, and the Internet Watch Foundation, also a British body, have criticized Mozilla, developer of the Firefox web browser, for supporting DoH, as they believe that it will undermine web blocking programs in the country, including ISP default filtering of adult content and mandatory court-ordered filtering of copyright violations. The ISPA nominated Mozilla for its "Internet Villain" award for 2019 (alongside the EU Directive on Copyright in the Digital Single Market, and Donald Trump), "for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK." Mozilla responded to the allegations by the ISPA, arguing that it would not prevent filtering, and that they were "surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure".{{Cite web|url=https://www.zdnet.com/article/uk-isp-group-names-mozilla-internet-villain-for-supporting-dns-over-https/|title=UK ISP group names Mozilla 'Internet Villain' for supporting 'DNS-over-HTTPS'|last=Cimpanu|first=Catalin|website=ZDNet|language=en|access-date=2019-07-05|archive-url=https://web.archive.org/web/20190705024143/https://www.zdnet.com/article/uk-isp-group-names-mozilla-internet-villain-for-supporting-dns-over-https/|archive-date=2019-07-05|url-status=live}}{{Cite web|url=https://techcrunch.com/2019/07/05/isp-group-mozilla-internet-villain-dns-privacy/|title=Internet group brands Mozilla 'internet villain' for supporting DNS privacy feature|website=TechCrunch|date=5 July 2019 |language=en-US|access-date=2019-07-19}} In response to the criticism, the ISPA apologized and withdrew the nomination.{{Cite web|url=https://www.itpro.co.uk/go/34335|title=British ISPs fight to make the web LESS secure|website=IT PRO|date=14 September 2019 |language=en|access-date=2019-09-14}}{{Cite web|url=https://hub.packtpub.com/ispa-nominated-mozilla-in-the-internet-villain-category-for-dns-over-https-push-withdrew-nominations-and-category-after-community-backlash/|title=ISPA nominated Mozilla in the "Internet Villain" category for DNS over HTTPs push, withdrew nominations and category after community backlash|last=Patrawala|first=Fatema|date=2019-07-11|website=Packt Hub|language=en-US|access-date=2019-09-14|archive-url=https://web.archive.org/web/20191204075913/https://hub.packtpub.com/ispa-nominated-mozilla-in-the-internet-villain-category-for-dns-over-https-push-withdrew-nominations-and-category-after-community-backlash/|archive-date=2019-12-04|url-status=live}} Mozilla subsequently stated that DoH will not be used by default in the British market until further discussion with relevant stakeholders, but maintained that it "would offer real security benefits to UK citizens".{{Cite news|url=https://www.theguardian.com/technology/2019/sep/24/firefox-no-uk-plans-to-make-encrypted-browser-tool-its-default|title=Firefox: 'no UK plans' to make encrypted browser tool its default|last=Hern|first=Alex|date=2019-09-24|work=The Guardian|access-date=2019-09-29|language=en-GB|issn=0261-3077|archive-url=https://web.archive.org/web/20190928204045/https://www.theguardian.com/technology/2019/sep/24/firefox-no-uk-plans-to-make-encrypted-browser-tool-its-default|archive-date=2019-09-28|url-status=live}}

= Censorship by Chinese government =

In July 2020, iYouPort, the University of Maryland, and the Great Firewall Report, reported that the Great Firewall (GFW) by the Chinese government blocks TLS connections using the encrypted SNI extension in China.{{Cite web |title=Great Firewall of China blocks encrypted SNI extension {{!}} Cryptography & Security Newsletter {{!}} Feisty Duck |url=https://www.feistyduck.com/newsletter/issue_68_great_firewall_of_china_blocks_encrypted_sni_extension |access-date=2025-04-06 |website=www.feistyduck.com}}

See also

References

{{Reflist}}