Document your code
Every project on GitHub comes with a version-controlled wiki to give your documentation the high level of care it deserves. It’s easy to create well-maintained, Markdown or rich text documentation alongside your code.
Sign up for free See pricing for teams and enterprisesDNS over HTTPS
DOH
Do DNS resolves over HTTPS for privacy, performance, and security. It also makes it easier to use a name server of your choice instead of the one configured for your system.
Spec
RFC 8484 - DNS Queries over HTTPS (DoH)
Publicly available servers
| Who runs it | Base URL | Comment |
|---|---|---|
| AdGuard | Default: https://dns.adguard.com/dns-query Family protection: https://dns-family.adguard.com/dns-query |
Default provides ad-blocking at DNS level, while Family protection adds adult site blocking. |
| https://dns.google/dns-query | Full RFC 8484 support | |
| Cloudflare |
https://cloudflare-dns.com/dns-query also available via Tor onion service |
Supports both -04 and -13 content-types |
| Quad9 | Recommended: https://dns.quad9.net/dns-query Secured: https://dns9.quad9.net/dns-query Unsecured: https://dns10.quad9.net/dns-query Secured w/ECS Support: https://dns11.quad9.net/dns-query |
Secured provides: Security blocklist, DNSSEC, no EDNS Client-Subnet Unsecured provides: No security blocklist, no DNSSEC, no EDNS Client-Subnet Recommend is currently identical to secure. |
| Cisco Umbrella/OpenDNS | https://doh.opendns.com/dns-query | Experimental, No DNSSEC |
| CleanBrowsing | https://doh.cleanbrowsing.org/doh/family-filter/ | anycast DoH server with parental control (restricts access to adult content + enforces safe search) |
| Comcast | https://doh.xfinity.com/dns-query | Experimental, DNSSEC |
| Cox | https://dohdot.coxlab.net/dns-query | Experimental, No DNSSEC |
| CZ.NIC | https://odvr.nic.cz/doh | Experimental, using Knot Resolver |
| nextdns.io |
https://dns.nextdns.io/<config_id> Create a config ID |
The first cloud-based private DNS service that gives you full control over what is allowed and what is blocked on the Internet. |
| @chantra | https://dns.dnsoverhttps.net/dns-query | "toy server" which runs doh-proxy |
| @jedisct1 | https://doh.crypto.sx/dns-query | a server which runs another project called doh-proxy, written in Rust. |
| PowerDNS | https://doh.powerdns.org | Based on dnsdist-doh branch |
| blahdns.com | Finland: https://doh-fi.blahdns.com/dns-query Japan: https://doh-jp.blahdns.com/dns-query Germany: https://doh-de.blahdns.com/dns-query |
Based on Go implementation, knot-resolver, Unbound with DNSSEC, No ECS, No logs, Adsblock |
| ffmuc.net | https://doh.ffmuc.net/dns-query | DoH-Server of Freifunk München. No logging, no filter, DNSSEC, own recursion. More in our wiki |
| NekomimiRouter.com | https://dns.dns-over-https.com/dns-query | Runs Go implementation. Does recursion itself with no upstream servers. Toy server may fail, please report if fails |
| SecureDNS.eu | https://doh.securedns.eu/dns-query | No Logging & DNSSEC |
| Rubyfish.cn | https://dns.rubyfish.cn/dns-query | East China Zone, Based on https://github.com/m13253/dns-over-https |
| ContainerPI | Unfiltered by Cloudflare: https://dns.containerpi.com/dns-query Filtered by CleanBrowsing, blocks adult content: https://dns.containerpi.com/doh/family-filter/ Filtered, blocks malicious domains only: https://dns.containerpi.com/doh/secure-filter/ |
Based on m13253/DNS-over-HTTPS, no logging, EDNS Client Subnet enabled. Multiple nodes in China Mainland(limited), China Taiwan, Japan, South Korea, India, Germany, România, Russia, USA and Brazil. |
| @publicarray dns.seby.io | https://doh-2.seby.io/dns-query https://doh.seby.io:8443/dns-query | Australian server that runs @m13253's Go implementation, Unbound with DNSSEC, No ECS, and No logs |
| Commons Host | https://commons.host | ~20 PoPs worldwide, Node.js/playdoh over Knot Resolver. |
| DnsWarden | Adblocking DNS: https://doh.dnswarden.com/adblock Uncensored DNS: https://doh.dnswarden.com/uncensored Adult-filter DNS: https://doh.dnswarden.com/adult-filter |
No query/IP logging with DNSSEC enabled. Blocks ads and trackers in Adblocking DNS. No filtering in Uncensored DNS. Blocks adult content, ads, trackers and also enforces force safe search for search engines and youtube in Adult-filter DNS. |
| aaflalo.me | Server US: https://dns-nyc.aaflalo.me/dns-query Server EU: https://dns.aaflalo.me/dns-query |
Runs on Star Brilliant's dns-over-https Both servers check for DNSSEC and block advertising |
| Foundation for Applied Privacy | https://doh.applied-privacy.net/query | No query/IP logging, no filtering, QNAME minimization, no EDNS client subnet, TLS 1.3, DNSSEC, RFC7706, RFC8198; https://applied-privacy.net/services/dns/ |
| captnemo.in | https://doh.captnemo.in/dns-query | Runs dnss with local unbound resolver running DNSCrypt with DNSSEC support as the upstream. Privacy Policy. More details at https://captnemo.in/doh/. No logging or filtering. Runs in Bangalore, India |
| Tiarap |
https://doh.tiar.app/dns-query https://doh.tiarap.org/dns-query |
Based in Singapore, No logging, block Ad/Ad-tracking/Malware, No ECS, DNSSEC |
| DNS.SB | https://doh.dns.sb/dns-query | DNSSEC enabled |
| FAELIX | https://rdns.faelix.net/ | No logging, based on dnsdist-doh RC querying our powerdns-recursor resolvers, multiple nodes in UK and CH, more info |
| doh.li | https://doh.li/dns-query | Runs on dns-over-https, no logging, EDNS Client Subnet enabled, based in DigitalOcean London. DNSSEC and adblock not currently enabled. |
| armadillodns.net | https://doh.armadillodns.net/dns-query | No source IP logging. |
| jp.tiar.app |
https://jp.tiar.app/dns-query https://jp.tiarap.org/dns-query |
No Censorship, No Logging, No ECS, support DNSSEC in Japan |
| Association 42l | https://doh.42l.fr/dns-query | DNSSEC, not logging queries' content, uses doh-proxy and edgedns for caching. Queries proxied randomly through FFDN members' open DNS resolvers (French ISPs committing for net neutrality). |
| Hostux.net | Uncensored DNS: https://dns.hostux.net/dns-query Adblocking DNS: https://dns.hostux.net/ads |
DNSSEC, no EDNS Client-Subnet, not logging queries' content, hosted in Luxembourg. |
| Andrews & Arnold | https://dns.aa.net.uk/dns-query | no logging (see DNS Disclaimer) |
| @matthewgall - mydns.network | https://adblock.mydns.network/dns-query (adblock, using PiHole) | no logging, DNSSEC enforcing, DDoS protected (using Spectrum by Cloudflare), anycast) |
| ibksturm.synology.me | https://ibksturm.synology.me/dns-query | doh-server (nginx - dnsproxy - unbound), DNSSEC / Non-Logged / Uncensored, OpenNIC and Root DNS-Zone Copy Hosted in Switzerland by ibksturm, aka Andreas Ziegler. |
| jcdns.fun | https://jcdns.fun/dns-query | secure nginx, Non-Logged / Uncensored, hosted on Digital Ocean VPS by jamesacampbell AKA James Campbell. |
| @null31 | https://ibuki.cgnat.net/dns-query | Brazilian server that runs dnsdist, Unbound with DNSSEC doing recursion with no upstream servers, QNAME minimization, TLS 1.3, DoT, uncensored, no logging, no ECS, hosted on Google Cloud VPS by null31. Toy server -- may fail. |
| TWNIC | https://dns.twnic.tw/dns-query | No source IP logging. Operated by Quad101 project, according to this announcement |
| blockerDNS | https://example.doh.blockerdns.com/dns-query | DNS-based ad-blocking service; One-man operation; ZERO IP and DNS query logging for DoH and DoT. Charges 99c per month for https DOH service |
| Digitale Gesellschaft | https://dns.digitale-gesellschaft.ch/dns-query | No query/IP logging, no filtering, QNAME minimization, TLS 1.3, DNSSEC; https://www.digitale-gesellschaft.ch/dns/ |
| LibreDNS | https://doh.libredns.gr/dns-query | no logging, TLS 1.3, No DNSSEC |
| pi-dns.com |
https://doh.centraleu.pi-dns.com/dns-query https://doh.northeu.pi-dns.com/dns-query https://doh.westus.pi-dns.com/dns-query https://doh.eastus.pi-dns.com/dns-query |
Public ad-blocking DNS service built on Pi-hole that support DNS over HTTPS (DoH) and DNS over TLS (DoT). |
| dns.flatuslifir.is | https://dns.flatuslifir.is/dns-query | Public adblock server that supports DoT & DoH for fun and learning, no logging, supports DNSSEC, qname-minimisation, ECS is not enabled. Located in Iceland, built on pihole, nginx, unbound, m13253/DNS-over-HTTPS |
Supported in browsers and clients
| Name | Version | Comments |
|---|---|---|
| Firefox | 62 | Firefox DNS-over-HTTPS |
| Bromite | 67.0.3396.88 | How to enable DoH |
| curl | 7.62.0 | See DOH-implementation |
| OkHttp | 3.11 | See Providers |
| curl-doh | n/a | basic stand-alone DoH client that uses curl |
| Chrome | 66 | https://bugs.chromium.org/p/chromium/issues/detail?id=799753 |
DOH Tools
| Name | Author/Organization | Comments |
|---|---|---|
| coredns | Cloudflare | CoreDNS is a DNS server/forwarder, written in Go from the Cloud Native Computing Foundation. |
| doh-proxy | tools for DoH | |
| dns2doh | Daniel | tool for generating DOH responses and questions. |
| doh-proxy | Frank Denis | server-side proxy in rust |
| doh-php-client | Daniel Cid | can be used to test and run DoH requests via PHP applications. |
| doh-js-client | Peter Lai | client-side implementation of DoH, can be used in nodejs backend. |
| jDnsProxy | Travis Burtrum | DNS proxy and cache, implementing DNS-over-TLS, DNS-over-HTTPS, and Serve-Stale |
| dns-over-https | Star Brilliant | server-side and client-side implementation, written in Golang |
| dnsdist | PowerDNS | supports doh, see https://dnsdist.org/guides/dns-over-https.html |
| dnss | Alberto Bertogli | daemon written in Go which acts as a proxy (the most common use case), and as a server (in case you want end-to-end control). |
| nss-tls | Dima Krasner | a daemon that makes gethostbyname(), getaddrinfo(), etc. happen through DoH, without any change to applications, thus transparently migrating all applications that don't use their own resolver (like some browsers) from DNS to DoH. |
| dealdoh | Maxime Elomari | a middleware to proxy DoH requests to different DNS upstreams, written in PHP. |
| Encrypted-DNS | Siujoeng Lau | DNS-over-HTTPS forwarder written in Python |
| RouteDNS | Frank Olbricht | a flexible stub resolver, proxy, and router with support for DoH, DoT, and plain DNS written in Go. |
| h2odoh | Max Kostikov | an implementation with H2O HTTP/2 server using embedded mruby. |
| Encrypted DNS Server | Frank Denis | can serve DNSCrypt and DoH traffic simultaneously, written in Rust. |
| quart-doh | Matthieu Treussart | HTTP/2 server who serves a DOH proxy written in Python, with Quart Python web microframework. |
| EasyDoH | ElevenPaths | a simple add-on for Firefox that allows one to easily activate DNS over HTTPS and its working mode with just one click. |
| dohjs | BYU IMAAL | Client DoH JavaScript library for accessing DNS information from web applications. Can be tested at dohjs.org |