Google Public DNS Adds DNS over HTTPS (DoH) Support – Overview and Implications
Google Public DNS now fully supports DNS over HTTPS, enhancing privacy and security with minimal performance impact, while the article explains why DNS needs encryption, how DoH works, browser support, and practical considerations for adoption.
Welcome to the “UC International Technology” public account, which provides high‑quality technical articles covering client, server, algorithm, testing, data, frontend and other topics.
Google’s official blog announced that Google Public DNS now officially supports DNS over HTTPS (DoH), offering users convenient access while protecting privacy.
Google notes that since the launch of its public DNS service eight years ago, the network environment has changed dramatically, and users urgently need privacy protection. The goal of Google Public DNS is to improve security and accuracy for users worldwide, so it has added DoH support.
The current Google Public DNS service is fully integrated with DoH and minimizes TLS overhead, employing TLS 1.3 and TCP Fast Open. Although encryption can affect query speed, optimizations have made the impact negligible for most users.
Why DNS needs encryption
Traditional DNS was designed when the Internet was still a toy; security was not considered, so DNS communication is entirely plaintext, lacking both confidentiality and integrity.
Without confidentiality, anyone monitoring your traffic can see which domain names you query, creating privacy risks.
Without integrity, an attacker can modify your traffic and tamper with DNS responses, leading to DNS spoofing or cache poisoning.
To address these shortcomings, several protocols have been created to strengthen DNS security, with DoH being the most recent and widely regarded as the most promising.
What is DoH
DoH stands for “DNS over HTTPS”. As the name suggests, it runs DNS queries inside an HTTPS tunnel, and HTTPS itself is HTTP over TLS, making DoH a double‑tunnel protocol.
DoH relies on TLS for confidentiality and integrity, and because it shares port 443 with ordinary HTTPS, an observer watching your traffic cannot tell which TLS streams carry DNS queries and which carry regular web traffic. DNS‑over‑TLS (DoT), by contrast, runs on its own dedicated port (853), so its traffic can be singled out as DNS even though its contents are encrypted.
Because DoH is built on HTTP, most mainstream programming languages already have mature HTTP client libraries, making it very easy to implement a DoH client in any language.
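To show how little is needed, here is an added example (not code from the original article or from Google) of a minimal DoH client written with only the Python standard library: it builds an RFC 8484 wire‑format query, POSTs it to Google Public DNS's DoH endpoint https://dns.google/dns-query (which the article itself does not name), and parses A/AAAA answers; the sample response bytes are constructed so the parser can be checked offline.

```python
import socket
import struct
import urllib.request
DOH_URL = "https://dns.google/dns-query"  # Google Public DNS RFC 8484 endpoint (not named in the article)
SAMPLE_RESPONSE = (  # constructed sample response for offline testing: example.com A -> 192.0.2.1, TTL 300
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: QR+RD+RA, 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com, type A, class IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")  # answer; name = pointer to offset 12

def build_query(name, qtype=1):
    # RFC 1035 wire format; ID 0 keeps identical queries byte-identical so HTTP caches can serve them (RFC 8484)
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def _skip_name(msg, off):
    # Advance past a (possibly compressed) name; a 2-byte pointer terminates it
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_answers(msg):
    # Return (rcode, [(rtype, ttl, address), ...]) for the A and AAAA records in a response
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rdlen) in ((1, 4), (28, 16)):
            family = socket.AF_INET if rtype == 1 else socket.AF_INET6
            answers.append((rtype, ttl, socket.inet_ntop(family, rdata)))
    return flags & 0x0F, answers

def doh_query(name, qtype=1, url=DOH_URL):
    # POST over HTTPS (RFC 8484); urllib verifies the server certificate, which is where DoH's integrity comes from
    req = urllib.request.Request(url, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise ValueError("unexpected Content-Type from resolver")
        return parse_answers(resp.read())
```

Calling `doh_query("example.com")` performs a live lookup over HTTPS; `parse_answers(SAMPLE_RESPONSE)` exercises the parser without any network access.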
Discussion on DoH
Browser support
Firefox has supported DoH since version 62 (see Mozilla blog).
Chrome/Chromium has supported DoH since version 66 (see Chromium issue tracker).
Although Firefox and Chrome/Chromium have added support, users are advised not to rush into using DoH immediately; new features may still have undisclosed security issues, so waiting a few releases is prudent.
Reference article: https://program-think.blogspot.com/2018/10/Comparison-of-DNS-Protocols.html
UC Tech Team