DNS queries and responses have historically been sent as plaintext, potentially compromising the privacy of internet users – including visitors to encrypted HTTPS websites. DoH prevents potential attackers and/or government authorities from reading users’ DNS queries, and also buries DNS traffic on port 443 (the standard HTTPS port), where it is difficult to distinguish from other encrypted traffic.
DoH in Chrome and Firefox
- The Chromium Blog announced on September 10, 2019 that Chrome 78 will include an experiment that will use DoH if the user’s existing DNS provider is on a list of selected DoH-compatible providers included with the browser. If the user’s provider is not on the list, the browser will fall back to the plain-text DNS protocol.
- Mozilla announced on September 6, 2019 that it will be rolling out DoH as a default setting for its Firefox browser in the USA “starting in late September.” Mozilla’s plan has been criticized because, unlike Google’s implementation, Firefox will use Cloudflare’s DoH servers by default (although the user may manually specify another provider).
What About DNS over TLS?
DNS over TLS (DoT), published by the IETF in RFCs 7858 and 8310, is similar to DoH in that it encrypts DNS queries and responses; however, DoT operates over port 853 (as opposed to DoH’s port 443). In support of DoT over DoH, some network security experts argue that using a distinct port for DNS requests is essential for effective traffic inspection and control.