How does DNS over HTTPS (DoH) improve online privacy?


Companies like Microsoft, Google, and Mozilla are promoting the development of DNS over HTTPS (DoH). This technology encrypts DNS lookups to improve online privacy and security. But it is controversial: Comcast is lobbying against it. Here is what you need to know.

What is DNS over HTTPS?

The web has been working hard to encrypt everything by default. Today, most of the websites you visit probably use HTTPS encryption. Modern web browsers like Chrome now mark every website that still uses plain HTTP as “unsecure.” HTTP/3, the new version of the HTTP protocol, has encryption built in.

This encryption ensures that no one can tamper with a web page while you are viewing it or snoop on what you are doing online. For example, if you connect to Wikipedia, the network operator (whether it is a corporate or public Wi-Fi hotspot or your ISP) can only see that you are connected to Wikipedia. They cannot see which article you are reading, nor can they modify the Wikipedia article in transit.

However, in the move towards encryption, DNS has been left behind. The domain name system makes it possible to connect to websites by domain name instead of by numeric IP address. You type a domain name, your system contacts its configured DNS server to obtain the IP address associated with that domain, and then it connects to that IP address.

So far, these DNS lookups have not been encrypted. When you connect to a website, your system sends a request asking for the IP address associated with the domain. Anyone in between (perhaps your ISP, or just a public Wi-Fi hotspot recording traffic) can log the domain you want to connect to.

DNS over HTTPS closes this gap. With DNS over HTTPS, your system establishes a secure, encrypted connection to the DNS server and sends requests and receives responses over that connection. Anyone in between can neither see the domain name you are looking up nor tamper with the response.

Today, most people use the DNS servers provided by their Internet service provider. However, there are many third-party DNS servers, such as Cloudflare DNS, Google Public DNS and OpenDNS. These third-party providers are among the first to support DNS over HTTPS on the server side. To use DNS over HTTPS, you need both a DNS server that supports it and a client that supports it (such as a web browser or operating system).
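The difference between a classic lookup and a DoH lookup is easiest to see at the byte level. The following Python example is added here and is not code from the original article or from any of the browsers or resolvers it mentions. It builds the same wire-format DNS query (RFC 1035) that travels over UDP port 53 in clear text, shows that the queried name is readable in that packet, and then wraps the identical bytes in the RFC 8484 GET and POST forms, where only the resolver's address remains visible to an on-path observer. The response parser is exercised against a constructed (fabricated) answer so the whole block runs offline; the name `example.com` and the resolver URL `https://doh.example.invalid/dns-query` are placeholders, not real endpoints.

```python
import base64
import struct
import urllib.request

# Constructed values for this example; neither comes from the original article.
EXAMPLE_NAME = "example.com"
DOH_URL = "https://doh.example.invalid/dns-query"  # hypothetical resolver URL


def encode_name(name):
    """Encode a host name as DNS labels (length byte + label), terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query for `name` (qtype 1 = A record).

    The same bytes go over plain UDP/53 and inside a DoH request; txid 0 is what
    RFC 8484 suggests for the GET form so that responses cache well.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def name_visible_on_wire(packet, name):
    """A passive observer of classic DNS sees the queried name in clear text."""
    return encode_name(name) in packet


def doh_get_url(base_url, query):
    """RFC 8484 GET form: the query is carried in ?dns= as unpadded base64url.

    Everything after the host travels inside TLS, so an observer sees only the
    resolver's address, never this URL or the name encoded in it.
    """
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def doh_post(base_url, query, timeout=5):
    """RFC 8484 POST form (needs network access; not called in the offline demo)."""
    req = urllib.request.Request(
        base_url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset_after_name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_a_records(msg):
    """Return [(name, ttl, ipv4)] from the answer section of a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response(query):
    """Fabricated reply to `query` for offline use: one A record, name via pointer 0xC00C."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query(EXAMPLE_NAME)
    print("name readable in UDP/53 packet:", name_visible_on_wire(q, EXAMPLE_NAME))
    print("DoH GET URL (hidden inside TLS):", doh_get_url(DOH_URL, q))
    print("parsed answer:", parse_a_records(constructed_response(q)))
```

The point for a defender is that DoH changes nothing about the DNS message itself; it only changes the transport. Monitoring that relied on reading port 53 traffic will see TLS to the resolver instead, which is why the article's later discussion of which resolver a browser picks (the system's configured server or a fixed provider) matters as much as the encryption.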


Who will support it?

Google and Mozilla have been testing DNS over HTTPS in Google Chrome and Mozilla Firefox. On November 17, 2019, Microsoft announced that it will add DNS over HTTPS to Windows networking. This means every application on Windows can get the benefits of DNS over HTTPS without being explicitly coded to support it.

Google said that it will enable DoH by default for 1% of users starting with Chrome 79, which is expected to be released on December 10, 2019. Once that version is out, you can also go to chrome://flags/#dns-over-https to enable it yourself.


Mozilla said it will enable DNS over HTTPS for everyone in 2019. In today’s stable version of Firefox, you can go to Menu > Options > General, scroll down, and click “Settings” under Network Settings to find this option. Check “Enable DNS over HTTPS” to activate it.


Apple has not yet commented on any plans for DNS over HTTPS, but we hope the company will follow suit and implement support in iOS and macOS.

This feature is not yet enabled for everyone by default, but once it is, DNS over HTTPS should make using the Internet more private and secure.

Why did Comcast lobby against it?

So far, this sounds uncontroversial, but it has proven otherwise. Comcast is apparently lobbying Congress to stop Google from launching DNS over HTTPS.

In a presentation submitted to members of Congress, obtained by Motherboard, Comcast argued that Google (together with Mozilla) is pursuing a “unilateral plan” to activate DoH that would “concentrate most of the DNS data on a global scale” with Google, fundamentally changing the decentralized architecture of the Internet.

Frankly, most of this is wrong. Mozilla’s Marshall Erwin told Motherboard, “The overall slideshow is extremely misleading and inaccurate.” Chrome product manager Kenji Baheux pointed out in a blog post that Google Chrome will not force anyone to change their DNS provider. Chrome will respect the system’s current DNS provider: if that provider does not support DNS over HTTPS, Chrome will not use DNS over HTTPS.

And since then, Microsoft has announced plans to support DoH at the Windows operating system level. With Microsoft, Google and Mozilla all behind it, this is hardly Google’s “unilateral” plan.

Some people think Comcast dislikes DoH because it would no longer be able to collect DNS lookup data. However, Comcast promises that it does not monitor your DNS lookups. The company insists that it supports encrypted DNS but wants a “collaborative, industry-wide solution” rather than “unilateral action.” Comcast’s messaging is muddled: its argument against DNS over HTTPS is clearly aimed at lawmakers, not at the public.

How will DNS over HTTPS work?

Setting aside Comcast’s odd objection, let’s look at how DNS over HTTPS will actually work. When DoH support takes effect in Chrome, Chrome will only use DNS over HTTPS when the system’s current DNS server supports it.

In other words, if Comcast is your Internet service provider and Comcast refuses to support DoH, Chrome will keep running as it does today, without encrypting your DNS lookups. If you have configured a different DNS server (perhaps you have chosen Cloudflare DNS, Google Public DNS or OpenDNS, or your ISP’s DNS server does support DoH), Chrome will automatically “upgrade” the connection and talk to your current DNS server over the encrypted channel. Users may choose to abandon DNS providers that do not offer DoH (such as Comcast’s DNS servers), but Chrome will not do this for them automatically.

This also means that any content-filtering solution that relies on DNS will keep working. If you use OpenDNS and have configured it to block certain websites, Chrome will keep OpenDNS as the default DNS server and nothing will change.

Firefox works slightly differently. Mozilla chose to partner with Cloudflare as Firefox’s encrypted DNS provider in the United States. Even if you have configured a different DNS server, Firefox will send your DNS requests to Cloudflare’s DNS server. Firefox will let you disable this feature or use a custom encrypted DNS provider, but Cloudflare will be the default.

Firefox’s notice that it encrypts DNS lookups via Cloudflare.

Microsoft said that DNS over HTTPS in Windows 10 will work similarly to Chrome. Windows 10 will follow your default DNS server and only enable DoH if the DNS server you have chosen supports it. However, Microsoft said it will guide “privacy-conscious Windows users and administrators” to the DNS server settings.

Windows 10 may encourage you to switch your DNS server to one that already supports DoH, but Microsoft says Windows will not switch it for you.



