DNS over HTTPS

Dima Krasner edited this page Nov 15, 2018 · 64 revisions

DOH

Resolve DNS names over HTTPS, for privacy, performance and security. DoH also makes it easier to use a name server of your choice instead of the one configured for your system.

Spec

The specification is still a work in progress (draft-14 at the time of writing): https://tools.ietf.org/html/draft-ietf-doh-dns-over-https-14

Working Group Draft: https://github.com/dohwg/draft-ietf-doh-dns-over-https
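As an added illustration of the draft-14 wire format (not code from this page or from any project listed on it): a Python sketch that builds the base64url `?dns=` GET parameter from an RFC 1035 query and parses a wire-format response body. It assumes the draft-14 media type `application/dns-message` for the Accept/Content-Type headers, and the sample response is constructed inline rather than captured from any server.

```python
import base64
import struct

def build_query(name, qtype=1, txid=0):
    """Encode an RFC 1035 wire-format query; ID 0 as the drafts suggest, so identical queries cache."""
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(base_url, name, qtype=1):
    # GET form: ?dns=<base64url query, '=' padding removed>; send with Accept: application/dns-message
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the original stream)."""
    parts, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            return ".".join(parts), (end if jumped else off)
        parts.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_response(msg):
    """Return the RCODE and the A records (name, ttl, address) from a wire-format DoH response body."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"rcode": flags & 0xF, "answers": answers}

# Constructed sample response for example.com/A with a TEST-NET address (not captured from any server).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"  # header + question
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])  # answer, name = pointer to offset 12
)
```

Pass the URL from `doh_get_url()` to any server in the table below with `Accept: application/dns-message`, and feed the response body to `parse_response()`.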

Publicly available servers

| Who runs it | Base URL | Comment |
| --- | --- | --- |
| Google | https://dns.google.com/experimental | |
| Cloudflare | https://cloudflare-dns.com/dns-query | Supports both -04 and -13 content-types |
| Quad9 | Recommended: https://dns.quad9.net/dns-query; Secured: https://dns9.quad9.net/dns-query; Unsecured: https://dns10.quad9.net/dns-query | Secured provides: security blocklist, DNSSEC, no EDNS Client-Subnet. Unsecured provides: no security blocklist, no DNSSEC, no EDNS Client-Subnet. Recommended is currently identical to Secured. |
| CleanBrowsing | https://doh.cleanbrowsing.org/doh/family-filter/ | Anycast DoH server with parental control (restricts access to adult content and enforces safe search) |
| @chantra | https://dns.dnsoverhttps.net/dns-query | "Toy server" which runs doh-proxy |
| @jedisct1 | https://doh.crypto.sx/dns-query | A server which runs another project called doh-proxy, written in Rust |
| PowerDNS | https://doh.powerdns.org | Based on the dnsdist-doh branch |
| blahdns.com | Japan: https://doh.blahdns.com/dns-query; Germany: https://doh-de.blahdns.com/dns-query | Runs the Go implementation, with knot-resolver and DNSSEC |
| NekomimiRouter.com | https://dns.dns-over-https.com/dns-query | Runs the Go implementation. Does recursion itself with no upstream servers. Toy server that may fail; send email if it does |
| SecureDNS.eu | https://doh.securedns.eu/dns-query | No logging, DNSSEC |
| Rubyfish.cn | https://dns.rubyfish.cn/dns-query | East China zone, based on https://github.com/m13253/dns-over-https |
| Commons Host | https://commons.host | ~20 PoPs worldwide, Node.js/playdoh over Knot Resolver |

Out-of-date servers

These don't support the draft-14 protocol.

| Who runs it | Base URL | Comment |
| --- | --- | --- |

Supported in browsers and clients

| Name | Version | Comments |
| --- | --- | --- |
| Firefox | 62 | temporary docs |
| Bromite | 67.0.3396.88 | How to enable DoH |
| curl | 7.62.0 | See DOH-implementation |
| OkHttp | 3.11 | See Providers |
| curl-doh | n/a | Basic stand-alone DoH client that uses curl |
| Chrome | 66 | https://bugs.chromium.org/p/chromium/issues/detail?id=799753 |

DOH Tools

Facebook's doh-proxy and associated tools.

Daniel's dns2doh tool for generating DOH responses and questions.

Frank Denis' doh-proxy (server-side proxy) and dnscrypt-proxy (client proxy).

Daniel Cid's doh-php-client can be used to test and run DoH requests via PHP applications.

Travis Burtrum's jDnsProxy, a DNS proxy and cache implementing DNS-over-TLS, DNS-over-HTTPS and Serve-Stale.

Star Brilliant's dns-over-https, with server-side and client-side implementation, written in Golang.

Alberto Bertogli's dnss, a daemon written in Go which acts as a proxy (the most common use case) or as a server (in case you want end-to-end control).

Dima Krasner's nss-tls, a daemon that makes gethostbyname(), getaddrinfo(), etc. go through DoH without any change to applications, thus transparently migrating all applications that don't use their own resolver (as some browsers do) from DNS to DoH.
