December 9, 2023

DoH (DNS over HTTPS) is a privacy feature in Windows 11 that lets users evade censorship and tracking of their Internet activity by performing encrypted DNS lookups. Before connecting to a website or any other host on the Internet, your computer must first query a DNS server for the IP address associated with the hostname.

The method aims to improve user privacy and security: by encrypting the traffic between the DoH client and the DoH-based DNS resolver with HTTPS, it prevents eavesdropping on DNS data and its modification by man-in-the-middle (MITM) attacks.

The IETF published RFC 8484 as a proposed standard for DoH. It leverages HTTP/2 and HTTPS, and it carries wire-format DNS response data (the same format returned in existing UDP responses) in an HTTPS payload with the MIME type application/dns-message. If HTTP/2 is implemented, the server may also send, via HTTP/2 server push, items it predicts the client will find valuable before they are requested.
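The RFC 8484 exchange described above, as an added example that is not part of the original article: a query is encoded in DNS wire format, POSTed over HTTPS with the application/dns-message media type, and the wire-format answer is parsed. It uses only the Python standard library; the resolver URL is left to the caller, and the reply for example.com (192.0.2.1, a documentation address) is constructed inline so that the parsing runs offline.

```python
import struct
import urllib.request
DOH_MIME = "application/dns-message"  # media type mandated by RFC 8484

def build_query(name, qtype=1, txid=0):
    """RFC 1035 wire-format query (qtype 1 = A); RFC 8484 says txid 0 keeps it HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_name(msg, offset):
    """Decode a possibly compressed owner name; return (name, offset just after it)."""
    labels, end = [], None
    while msg[offset] != 0:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset + 1 if end is None else end)

def parse_a_records(msg):
    """Return the IPv4 answers of a wire-format response, rejecting error RCODEs."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F: raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    offset, addrs = 12, []
    for _ in range(qd):  # skip the echoed question section (name + type + class)
        offset = parse_name(msg, offset)[1] + 4
    for _ in range(an):
        offset = parse_name(msg, offset)[1]
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):  # A record, class IN, 4-byte address
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs

def doh_resolve(template_url, name):  # RFC 8484 section 4.1 POST form; needs network access
    req = urllib.request.Request(template_url, data=build_query(name), method="POST",
                                 headers={"Content-Type": DOH_MIME, "Accept": DOH_MIME})
    with urllib.request.urlopen(req, timeout=10) as resp:
        if resp.headers.get_content_type() != DOH_MIME:
            raise ValueError("unexpected Content-Type from resolver")
        return parse_a_records(resp.read())

# Constructed sample reply: example.com -> 192.0.2.1, with the answer name compressed
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The HTTPS layer is where the protection comes from: urlopen validates the resolver's certificate with the default TLS context, so an on-path node cannot read or rewrite the query the way it can with plain UDP port 53.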

DoH will help users avoid censorship, reduce spoofing attacks, and increase privacy, because their DNS requests become more difficult to track. Microsoft has re-enabled the DoH capability in Windows 11.

According to Microsoft, it would be preferable if the DoH server for a configured DNS server could be discovered automatically; however, doing so would pose a privacy concern.

This means a node on the network path could maliciously modify or block the query for the DoH server name. Right now, the only way to avoid this is for Windows to know the mapping between IP addresses and DoH templates in advance. Using Discovery of Designated Resolvers (DDR) and Discovery of Network-designated Resolvers (DNR), which Microsoft has submitted to the IETF ADD working group, Microsoft aims to learn new DoH server configurations from a DNS server in the future.

Google, Firefox, and Cloudflare have already established DoH to an extent.

