What Is DNS Over HTTPS (DoH)?
DNS over HTTPS (DoH) encrypts DNS queries by sending them through HTTPS connections instead of plain UDP. This prevents ISPs, network administrators, and attackers from seeing or tampering with which domains you're visiting.
Why It Matters
Traditional DNS queries are sent in plain text over UDP. Anyone on the network path — your ISP, a coffee shop Wi-Fi operator, or an attacker — can see which domains you’re visiting. DNS over HTTPS wraps these queries in encrypted HTTPS connections.
For domain forwarding, DoH is transparent. It encrypts the DNS lookup that finds Domain Forward’s servers, and then the redirect itself is handled over HTTPS — so the entire chain from DNS query to redirect is encrypted.
How It Works
Traditional DNS:
Browser → DNS query (plain text, UDP port 53) → Resolver → Response
Anyone on the network can read: “This user is looking up example.com”
DNS over HTTPS:
Browser → HTTPS POST to resolver (encrypted, port 443) → Response
Network observers see encrypted HTTPS traffic to the resolver — they can’t read the domain being queried.
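The two paths above, as an added example (not Domain Forward's code): it encodes the RFC 1035 query that travels readable on UDP port 53, then wraps the same bytes in an RFC 8484 DoH request. The resolver URL `https://doh.example/dns-query` and all function names are assumptions, and nothing is sent over the network.

```python
import base64
import struct
import urllib.request

# Placeholder resolver endpoint (an assumption, not a real service).
RESOLVER_URL = "https://doh.example/dns-query"
DNS_MESSAGE = "application/dns-message"  # media type defined by RFC 8484

def build_query(name, qtype=1):
    """Encode a DNS question in RFC 1035 wire format (qtype 1 = A record)."""
    # ID 0 (RFC 8484 suggests it for HTTP caching), RD flag set, one question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label: {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"
    if len(qname) > 255:
        raise ValueError("name exceeds 255 octets")
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN

def observer_view(wire):
    """Recover the queried name from the raw bytes, as anyone on the path
    can when those bytes cross the network unencrypted on UDP port 53."""
    labels, pos = [], 12  # question section starts after the 12-byte header
    while wire[pos]:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def doh_post(name):
    """Build (not send) the DoH POST: the same bytes become an HTTPS body,
    so on port 443 they are inside the TLS session."""
    headers = {"Content-Type": DNS_MESSAGE, "Accept": DNS_MESSAGE}
    return urllib.request.Request(RESOLVER_URL, data=build_query(name),
                                  headers=headers, method="POST")

def doh_get_url(name):
    """RFC 8484 GET form: base64url of the message with padding removed."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{RESOLVER_URL}?dns={b64}"

if __name__ == "__main__":
    wire = build_query("example.com")
    print("plaintext view:", observer_view(wire))
    print("DoH POST body :", doh_post("example.com").data.hex())
    print("DoH GET URL   :", doh_get_url("example.com"))
```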
DoH vs Traditional DNS vs DNSSEC
| Feature | Traditional DNS | DoH | DNSSEC |
|---|---|---|---|
| Encrypted | No | Yes | No |
| Authenticated | No | TLS cert | Yes |
| Privacy | None | High | None |
| Prevents tampering | No | Yes (TLS) | Yes (signatures) |
How Domain Forward Relates
Domain Forward’s redirect chain benefits from DoH when visitors use DoH-enabled browsers:
- DNS query — encrypted via DoH (if the browser supports it)
- Certificate provisioning — automatic SSL/TLS for your domain
- Redirect — served over HTTPS with a 301 status code
All three steps can be fully encrypted, providing end-to-end privacy.
Frequently Asked Questions
No. DoH encrypts the DNS lookup phase — finding the IP address for your domain. The redirect itself is already encrypted via HTTPS. DoH adds privacy for the DNS query, but doesn't change how the redirect works.
Most modern browsers (Chrome, Firefox, Edge) support DoH and many enable it by default. Users typically don't need to configure anything.
No. DNSSEC verifies that DNS responses are authentic (not tampered with). DoH encrypts DNS queries so they can't be read by third parties. They solve different problems and can work together.