DNS-over-HTTPS Changed Nothing (and Everything)

DoH wraps DNS queries in HTTPS. Same questions, same answers, different transport. The technical change is simple. The political implications are enormous.

DNS-over-HTTPS changed almost nothing about how DNS answers are produced and almost everything about who gets to watch the question.

That’s why the politics got so heated.

At the protocol level, DoH is not mystical. It takes DNS queries that would normally travel in plaintext over UDP port 53 and wraps them in HTTPS on port 443. Same resolver logic on the other end. Same records. Same questions. Different transport. That sounds modest until you remember how much network policy, censorship, parental filtering, enterprise inspection, and ISP telemetry depended on the old plaintext behavior.

One transport change. Huge argument.

What Traditional DNS Exposed

DNS was designed in the 1980s with no privacy considerations. Every query your device sends to a resolver travels in plaintext. Your ISP can see every domain you resolve. So can anyone else on the network path — a corporate proxy, a coffee shop router, a government surveillance system.

This was fine when DNS was designed. Privacy on the internet wasn’t a concept yet. The internet had a few thousand hosts and everyone was roughly cooperating.

By 2015, this plaintext behavior had become one of the largest passive surveillance channels on the internet. ISPs used DNS data for advertising, analytics, and content injection. Government censorship systems filtered by DNS. Corporate proxies logged DNS for compliance. And anyone running a packet capture on a shared network could see exactly which sites every user was visiting.

What DoH Changes

DoH encrypts DNS queries inside HTTPS. The queries travel on port 443, mixed in with regular web traffic. An observer on the network path sees HTTPS connections to a resolver (like Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8) but can’t see the domain names being queried.

Your ISP can still see that you’re connecting to the resolver. They can see the IP addresses you subsequently connect to. They can sometimes infer the domain from the IP (especially for sites on dedicated IPs). But the DNS query itself — “what’s the IP for example.com?” — is hidden.

For the average user, this closes the most obvious passive surveillance channel. The ISP’s ability to build a complete log of every domain you visit goes from trivial to expensive.
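To make "same questions, same answers, different transport" concrete, here is an added example (not code from the original post) that builds the wire-format DNS query DoH carries, shows both RFC 8484 request forms (GET with the query base64url-encoded in the `dns` parameter, and POST with the raw query as the body), and parses a constructed response. The resolver URL `https://doh.example/dns-query`, the response bytes and the `192.0.2.1` address are placeholders; nothing touches the network.

```python
import base64
import struct

# Added example, not from the original post. Builds the wire-format DNS query
# that DoH carries, shows both RFC 8484 request forms, and parses a constructed
# response. No network access is needed.

DOH_MEDIA_TYPE = "application/dns-message"   # RFC 8484 content type


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """One-question DNS query (qtype 1 = A, class 1 = IN). RFC 8484 suggests a
    transaction ID of 0 so identical questions give identical bytes, which lets
    HTTP caches work on the encoded query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: unpadded base64url of the wire query in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def doh_post_request(query: bytes) -> dict:
    """POST form: the raw wire query is the body; both sides use the DoH media type."""
    return {
        "method": "POST",
        "headers": {"content-type": DOH_MEDIA_TYPE, "accept": DOH_MEDIA_TYPE},
        "body": query,
    }


def read_name(msg: bytes, off: int, max_hops: int = 16):
    """Decode a possibly compressed name; returns (name, offset after it).
    The hop limit stops a crafted response with a pointer loop from hanging the parser."""
    labels, hops, end = [], 0, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                          # name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses from the answer section of a wire-format response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                       # qtype + qclass
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed response: what the resolver would send back (still wire-format DNS,
# just inside an HTTPS body). 192.0.2.1 is a documentation address, not a real host.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)      # QR=1, RD=1, RA=1, one answer
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://doh.example/dns-query", q))   # placeholder resolver URL
    print(parse_a_records(SAMPLE_RESPONSE))
```

The query for `www.example.com` encodes to exactly the `dns=` value given in RFC 8484's own GET example, which is a handy check that the wire format is right. Everything after the HTTPS layer is ordinary DNS, which is why the resolver logic and the records are unchanged; the only thing an on-path observer loses is the ability to read the question.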

DoH vs DoT: The Political Distinction

DNS-over-TLS (DoT) does the same thing — encrypts DNS queries — but on its own dedicated port: 853. The encryption is equivalent. The privacy improvement is equivalent.

The political difference: port 853 is easy to identify and block. A network operator who wants to prevent encrypted DNS can simply block port 853. DoH on port 443 cannot be singled out by port: to a firewall it looks like regular HTTPS traffic. Blocking port 443 means blocking the entire web.

This is why DoH is more controversial than DoT. DoT gives network operators a choice: allow or block encrypted DNS. DoH takes that choice away. You can’t block DoH without blocking HTTPS.

ISPs hate this. Enterprise IT hates this. Governments running DNS-based censorship hate this. They all had the same objection: “you’re taking away our ability to see and control DNS resolution on our networks.”

They’re right. That’s the point.

The Pushback Was Real

When Mozilla announced DoH by default in Firefox (initially routing all DNS to Cloudflare), the backlash was intense.

ISPs argued they needed DNS visibility for network management, abuse prevention, and compliance with court orders. UK ISPs briefly labeled Mozilla an “internet villain” because DoH would bypass ISP-level content filters, including legally mandated child safety filters.

Enterprise IT argued that DoH bypasses internal DNS policies. If a corporate laptop uses the system resolver, the company controls DNS — they can block malicious domains, enforce acceptable use policies, route internal domains correctly. If Firefox sends DNS directly to Cloudflare, all of that breaks.

Governments argued that DNS-based censorship exists for valid reasons (child abuse material, terrorism content, court-ordered blocks) and DoH undermines those mechanisms.

None of these arguments are entirely wrong. They’re just in tension with the equally valid argument that plaintext DNS is a surveillance channel and people deserve the option to encrypt their queries.

The DNSSEC Confusion

DoH and DNSSEC solve different problems but get confused constantly.

DoH provides privacy — who can see the query. It encrypts the transport so observers can’t read your DNS questions.

DNSSEC provides integrity — is the answer authentic. It signs DNS responses so you can verify they haven’t been tampered with.

DoH without DNSSEC gives you encrypted lies. The query is private, but the answer could be forged. DNSSEC without DoH gives you authenticated responses that everyone on the path can see.

You want both. Most people have neither. DoH adoption is growing through browser defaults. DNSSEC adoption is stuck under 20%. The two technologies that need each other are deploying on completely different timelines.

What Actually Changed

The technical change landed in browser defaults. Firefox enables DoH by default in the US (using Cloudflare, with a fallback). Chrome follows the system resolver’s DoH capability — if your configured resolver supports DoH, Chrome uses it automatically.

The practical impact: millions of users are now encrypting DNS without knowing it. For those users, ISP-level DNS surveillance became significantly harder.

For users on corporate networks, enterprise IT can detect and disable DoH through various mechanisms (canary domains, group policy, network-level resolver enforcement). The bypass isn’t total.
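As an added example of the detection side (not code from the original post), the block below runs three of the enterprise mechanisms just mentioned over constructed log lines: it flags hosts whose plaintext queries show them bootstrapping to a public DoH endpoint, flags flows that bypass the sanctioned resolver on port 53, 853 or 443, and shows the resolver-side canary policy. Firefox's canary name `use-application-dns.net` and the public resolver addresses 1.1.1.1 and 8.8.8.8 are real; the internal resolver `10.0.0.53`, the hostname list, the client addresses and the log formats are all illustrative.

```python
import ipaddress
import re

# Added example, not from the original post. Defender-side detection of DoH
# on a managed network, run over constructed log lines. The internal resolver,
# client addresses and log formats below are illustrative.

# Resolver(s) the enterprise operates; anything else on port 53 is a policy violation.
SANCTIONED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}

# Public DoH endpoints browsers bootstrap to (Firefox/Chrome defaults).
# Illustrative, not exhaustive: keep such a list current from the vendors' docs.
KNOWN_DOH_HOSTNAMES = {"mozilla.cloudflare-dns.com", "cloudflare-dns.com", "dns.google"}
KNOWN_DOH_RESOLVER_IPS = {ipaddress.ip_address("1.1.1.1"), ipaddress.ip_address("8.8.8.8")}

# Firefox resolves this canary before turning on DoH in its default mode; an
# NXDOMAIN answer makes it stay on the system resolver.
FIREFOX_CANARY = "use-application-dns.net"

QUERY_LOG = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
FLOW_LOG = re.compile(r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>tcp|udp)")


def analyze_query_log(lines):
    """Flag hosts whose plaintext queries show them preparing to switch to DoH."""
    findings = []
    for line in lines:
        m = QUERY_LOG.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if qname in KNOWN_DOH_HOSTNAMES:
            findings.append((m["ip"], "doh-bootstrap-lookup", qname))
        elif qname == FIREFOX_CANARY:
            findings.append((m["ip"], "firefox-canary-probe", qname))
    return findings


def analyze_flow_log(lines):
    """Flag flows that bypass the sanctioned resolver. The port-443 rule is a
    heuristic: HTTPS to a resolver's address is probably DoH, but the payload is
    encrypted, so the resolver IP is the only signal an observer has."""
    findings = []
    for line in lines:
        m = FLOW_LOG.search(line)
        if not m:
            continue
        dst, dport = ipaddress.ip_address(m["dst"]), int(m["dport"])
        if dport == 53 and dst not in SANCTIONED_RESOLVERS:
            findings.append((m["src"], "unsanctioned-plaintext-dns", str(dst)))
        elif dport == 853:
            findings.append((m["src"], "dot-attempt", str(dst)))
        elif dport == 443 and dst in KNOWN_DOH_RESOLVER_IPS:
            findings.append((m["src"], "probable-doh", str(dst)))
    return findings


def canary_policy_answer(qname: str) -> str:
    """Resolver-side policy for the canary: NXDOMAIN keeps default-mode Firefox on the
    system resolver. A user who explicitly enabled DoH is not affected by this."""
    return "NXDOMAIN" if qname.rstrip(".").lower() == FIREFOX_CANARY else "resolve-normally"


# Constructed sample data (BIND-style query log and a simplified flow log).
SAMPLE_QUERY_LOG = [
    "client 10.1.2.3#51234: query: mozilla.cloudflare-dns.com IN A",
    "client 10.1.2.3#51235: query: use-application-dns.net IN A",
    "client 10.1.2.9#40001: query: intranet.corp.example IN A",
]
SAMPLE_FLOW_LOG = [
    "10.1.2.3:50001 -> 1.1.1.1:443 tcp",
    "10.1.2.4:50002 -> 8.8.8.8:53 udp",
    "10.1.2.5:50003 -> 10.0.0.53:53 udp",
    "10.1.2.6:50004 -> 1.1.1.1:853 tcp",
]

if __name__ == "__main__":
    for finding in analyze_query_log(SAMPLE_QUERY_LOG) + analyze_flow_log(SAMPLE_FLOW_LOG):
        print(*finding)
```

Note the asymmetry the post describes: the port-853 and unsanctioned-port-53 rules are exact, while the port-443 rule can only say "probable", because the DoH payload itself is indistinguishable from any other HTTPS session to that address. The canary only works for browsers that honour it in their default mode, which is why the bypass is reduced rather than eliminated.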

For users in countries with DNS-based censorship, DoH provides a circumvention tool — but only if the DoH resolver itself isn’t blocked. China blocks access to major DoH resolvers. The arms race continues.

The Incomplete Picture

DoH encrypted the DNS query. Good. But SNI still leaks the destination in the TLS handshake. So you encrypted the question and then announced the answer in the next packet.

Until ECH (Encrypted Client Hello) is widely deployed, the privacy improvement from DoH is real but partial. You hid which domain you’re looking up. You still reveal which domain you’re connecting to.
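To show exactly what "announced the answer in the next packet" means, here is an added example (not code from the original post) that builds a minimal TLS ClientHello carrying the server_name extension and then parses it the way a passive observer would. The all-zero client random, the single cipher suite and the hostname are placeholders; the field layout follows the TLS 1.3 ClientHello structure.

```python
import struct

# Added example, not from the original post. Builds a minimal TLS ClientHello
# carrying a server_name (SNI) extension, then parses it the way a passive
# observer on the path would. The handshake layout follows RFC 8446 section 4.1.2.

SNI_EXTENSION = 0x0000
SUPPORTED_VERSIONS_EXTENSION = 0x002B


def build_client_hello(server_name: str, client_random: bytes = bytes(32)) -> bytes:
    """Construct a TLS record containing a ClientHello with SNI and supported_versions.
    The all-zero random and single cipher suite are placeholders, not a real client's values."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
    exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXTENSION, 3) + b"\x02\x03\x04"  # TLS 1.3
    body = (
        b"\x03\x03" + client_random                                  # legacy_version, random
        + b"\x00"                                                    # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"                         # TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                                # null compression only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if the
    record is not a ClientHello, carries no SNI, or is truncated."""
    try:
        if record[0] != 0x16:                                       # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                           # not client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        off = 2 + 32                                                # skip version + random
        off += 1 + body[off]                                        # session id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]        # cipher suites
        off += 1 + body[off]                                        # compression methods
        ext_end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            edata = body[off:off + elen]
            off += elen
            if etype != SNI_EXTENSION:
                continue
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= list_end:
                ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    return edata[p:p + nlen].decode("ascii")
                p += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(extract_sni(hello))       # the name DoH just hid, now in cleartext
```

The parser reads the name straight out of the first TLS record, with no key material at all, which is the whole point: DoH moves the question behind HTTPS, but the TLS handshake to the destination still carries the same name unencrypted. With ECH, the outer ClientHello's SNI holds the client-facing server's public name and the real name moves into an encrypted inner ClientHello, so a parser like this one would only recover the public name.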

The full privacy stack — DoH for query encryption, DNSSEC for answer integrity, ECH for destination privacy — exists in specification. In practice, most connections have one of these at best.

We solved the easy part first. The hard parts are taking longer. As usual.
