DNS-over-TLS/HTTPS Server
The DNS-over-HTTPS service is currently not working on port 443. It has been temporarily moved to port 8443.
The TLS certificates have changed. Please observe the changes below.
Welcome to the doh.defaultroutes.de DNS-over-TLS and DNS-over-HTTPS
Server.
1 Policy
This server does not keep logs or censor traffic.
2 DoT-Service
This server offers DNS-over-TLS (RFC 7858, Port 853).
2.1 Stubby Configuration
# doh.defaultroutes.de IPv4
- address_data: 109.230.224.150
  tls_auth_name: "doh.defaultroutes.de"
  tls_pubkey_pinset:
    - digest: "sha256"
      value: Bbr2V7ebQ9P0Gf59iktksDAEQOrOEDumhCsJpUQEwqE=
# doh.defaultroutes.de IPv6
- address_data: 2a05:bec0:32::2
  tls_auth_name: "doh.defaultroutes.de"
  tls_pubkey_pinset:
    - digest: "sha256"
      value: Bbr2V7ebQ9P0Gf59iktksDAEQOrOEDumhCsJpUQEwqE=
[...]
- Usage
$ kdig +tls @109.230.224.150 doh.defaultroutes.de
;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 8452
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; doh.defaultroutes.de. IN A
;; ANSWER SECTION:
doh.defaultroutes.de. 2157 IN A 109.230.224.150
;; Received 54 B
;; Time 2026-03-22 17:35:29 CET
;; From 109.230.224.150@853(TLS) in 40.7 ms

$ dig +tls @109.230.224.150 doh.defaultroutes.de
; <<>> DiG 9.20.20 <<>> +tls @109.230.224.150 doh.defaultroutes.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8255
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;doh.defaultroutes.de. IN A
;; ANSWER SECTION:
doh.defaultroutes.de. 2063 IN A 109.230.224.150
;; Query time: 10 msec
;; SERVER: 109.230.224.150#853(109.230.224.150) (TLS)
;; WHEN: Sun Mar 22 17:37:03 CET 2026
;; MSG SIZE rcvd: 54
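The tls_pubkey_pinset values in the Stubby configuration above are base64-encoded SHA-256 digests of the certificate's SubjectPublicKeyInfo, so a certificate change can be checked against them before updating a client. The following is an added example, not part of the original page: a minimal DER walker that derives that pin from a certificate; the function names and the skeleton sample certificate are constructed for illustration.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)) of a DER-encoded X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)     # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] version (absent in v1)
        pos = end
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)   # subjectPublicKeyInfo, hashed with its header
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def pin_matches(cert_der, pinset):
    """True if the certificate's SPKI pin equals any value in the configured pinset."""
    return spki_pin(cert_der) in pinset

def der(tag, body):
    """Build one DER element (only used to construct the sample below)."""
    size = (len(body).bit_length() + 7) // 8
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | size]) + len(body).to_bytes(size, "big")
    return bytes([tag]) + head + body

# Constructed sample, not a real certificate: Ed25519-shaped SPKI with a dummy key,
# wrapped in a skeleton certificate whose other fields are empty placeholders.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2b\x65\x70")) + der(0x03, b"\x00" + bytes(32)))
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                 + der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + der(0x30, b"") + der(0x03, b"\x00"))
PAGE_PIN = "Bbr2V7ebQ9P0Gf59iktksDAEQOrOEDumhCsJpUQEwqE="  # value from the Stubby config above

if __name__ == "__main__":
    print(spki_pin(SAMPLE_CERT), pin_matches(SAMPLE_CERT, [PAGE_PIN]))
```

For a live check, pass the DER bytes of the certificate the resolver presents on port 853 (for a PEM export, `ssl.PEM_cert_to_DER_cert()` does the conversion) together with the pinset values from the configuration.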
3 DoH-Service
This server offers DNS-over-HTTPS (RFC 8484, Port 8443) via the URL
https://doh.defaultroutes.de:8443/dns-query
$ doh doh.defaultroutes.de https://doh.defaultroutes.de:8443/dns-query
doh.defaultroutes.de from https://doh.defaultroutes.de:8443/dns-query
TTL: 2201 seconds
A: 109.230.224.150
AAAA: 2a05:bec0:0032:0000:0000:0000:0000:0002
4 DoH3-Service
This server offers DNS-over-HTTPS/3 (RFC 8484, Port 443/udp) via the URL
https://doh.defaultroutes.de/dns-query
5 DoQ-Service
This server offers DNS-over-QUIC (RFC 9250, Port 853/udp)
$ kdig +quic @doh.defaultroutes.de doh.defaultroutes.de
;; QUIC session (QUICv1)-(TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 0
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; doh.defaultroutes.de. IN A
;; ANSWER SECTION:
doh.defaultroutes.de. 1655 IN A 109.230.224.150
;; Received 54 B
;; Time 2026-03-22 17:43:50 CET
;; From 109.230.224.150@853(QUIC) in 85.4 ms
6 DNS-over-HTTPS Discussions
Some links to blog posts that discuss the "rights" or "wrongs" of DoH (and/or DoT). I link to these posts to allow users of DNS privacy protocols to make up their minds about these protocols. I do not agree with all of the views expressed in these blog posts:
- Geoff Huston: DOH! (10/2018)
- Geoff Huston: More DOH (04/2019)
- Vittorio Bertola: The DoH dilemma (05/2019)
- P. McManus (Mozilla): The Benefits of HTTPS for DNS
- Brian Dickson, GoDaddy: DNS-over-HTTPS: Privacy and Security Concerns
- PowerDNS Blog: Centralised DoH is bad for privacy, in 2019 and beyond (09/2019)
- University of Cambridge: Firefox and DNS-over-HTTPS (09/2019)
- Mark Nottingham: Moving control to the endpoints: Motivations, challenges, and the path forward (06/2019)
7 DoH in Firefox
Some resources about DNS-over-HTTPS in the Mozilla Firefox Browser
- Mozilla: A cartoon intro to DNS over HTTPS (05/2018)
- Daniel Stenberg: Inside Firefox’s DOH engine (07/2018)
- Mozilla: Improving DNS Privacy in Firefox (07/2018)
- Mozilla: Firefox Nightly Secure DNS Experimental Results (08/2018)
- Mozilla: DNS over HTTPS (DoH) – Testing on Beta (09/2018)
- Mozilla: DNS-over-HTTPS (DoH) Update – Recent Testing Results and Next Steps (04/2019)
- Mozilla: DNS-over-HTTPS (DoH) Update – Detecting Managed Networks and User Choice (07/2019)
- Mozilla: What’s next in making Encrypted DNS-over-HTTPS the Default (09/2019)
- Mozilla: Firefox DNS-over-HTTPS
- Mozilla: Configuring Networks to Disable DNS over HTTPS
- Mozilla Policy Requirements for DNS over HTTPs Partners
- Daniel Stenberg: (unofficial) docs for Firefox TRR (DNS-over-HTTPS)
- ISC: Using Response Policy Zones to disable Mozilla DoH-by-default
- DNS-Operations-Mailinglist: use-application-dns.net
- Global Canary Information Page
- IETF: Internet Draft DNS Resolver-Based Policy Detection Domain (draft-grover-add-policy-detection)
8 DoH in Google Chrome
Some resources about DNS-over-HTTPS in the Google Chrome Browser
9 Presentations
9.1 by Dr. Roland van Rijswijk-Deij
- DNS privacy and security ChaosTreff Osnabrück February 2020 (en)
9.2 by ISC
- Encrypted DNS - DoH vs DoT Online Webinar December 2019 (en)
9.3 by Peter Koch
- A Wider Shade of DoH DeNOG 11 2019 (en)
9.4 by Carsten Strotmann
- The End of DNS as we know it … EuroBSDCon 2018 (en)
- Huch, mein DNS ist verschwunden … FrOScon 2018 (de)
- DNS Sicherheit IT-Defense 2019 (de)
- Overview of the DNS Privacy Software landscape RIPE 78 (en)
- Unwind, a Validating DNS Recursive Nameserver RIPE 78 (en)
- DoH or Don't (Slides) and Video recording CCCamp 2019 (en)
- Encrypted DNS, episode II DDI User Group Germany July 2020 (en)
- Encrypted DNS, episode II Men & Mice Webinar, August 2020 (en)