Google Makes DNS Over HTTPS Generally Available

Google this week announced the general availability of its standard DNS over HTTPS (DoH) service, which includes full RFC 8484 support.

The DoH protocol is meant for sending DNS queries and receiving DNS responses over HTTP, using TLS for integrity and confidentiality, as detailed in RFC 8484.

Google launched its DoH service in 2016 as an experiment, and is now confident enough to roll it out generally, with full RFC 8484 support at a new URL path and with support for the JSON API. The service builds on Google Public DNS, which was launched in 2009.

“Now our users can resolve DNS using DoH at the domain with the same anycast addresses (like as regular DNS service, with lower latency from our edge PoPs throughout the world,” Google reveals.

The new endpoints, the search giant says, are (RFC 8484 – GET and POST) and (JSON API – GET). 

“We are deprecating internet-draft DoH support on the /experimental URL path and DoH service from, and will turn down support for them in a few months,” the Internet company reveals. 

Google Public DNS, the search giant explains, is meant to provide fast, private, and secure DNS resolution through both DoH and DNS over TLS (DoT). Thus, the JSON API will be supported until there is a comparable standard for webapp-friendly DoH.

Developers looking to leverage Google’s DoH service should configure their applications to use the new DoH endpoints, as well as to properly handle HTTP 4xx error and 3xx redirection status codes.

Developers should set apps to use instead of and should switch to the new /dns-query URL path and confirm full RFC 8484 compliance. Those using the JSON API can employ two new GET parameters for DNS/DoH proxies or DNSSEC-aware applications.

In 30 days, Google will turn down the /experimental API and HTTP requests for it will get an HTTP redirect to an equivalent URI. Thus, developers should ensure DoH applications handle HTTP redirects by retrying at the URI specified in the Location header.
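The redirect and error handling described above, as an added Python example that is not from Google or the original article: it builds an RFC 8484 GET request, retries at the URI in the Location header, and treats 4xx as a hard failure. The host `doh.example`, the injected `transport` callable, `fake_transport` and `MAX_REDIRECTS` are assumptions made for illustration; the HTTPS-only check and the hop limit are added safeguards, not requirements stated in the article.

```python
import base64
import struct
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 3  # assumption: small hop limit so a redirect loop cannot hang the resolver
DNS_MESSAGE = "application/dns-message"  # RFC 8484 media type

def build_query(name, qtype=1):
    """Wire-format query for `name`; ID 0 keeps GET URLs cache-friendly (RFC 8484)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, class IN

def get_url(endpoint, query):
    """RFC 8484 GET form: ?dns=<base64url of the message, padding removed>."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def resolve(endpoint, name, transport):
    """transport(url, headers) -> (status, headers, body); injected so this runs offline."""
    url = get_url(endpoint, build_query(name))
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = transport(url, {"Accept": DNS_MESSAGE})
        if 300 <= status < 400:
            location = headers.get("Location")
            if not location:
                raise ValueError(f"HTTP {status} without a Location header")
            url = urljoin(url, location)  # Location may be relative
            if urlsplit(url).scheme != "https":
                raise ValueError("refusing redirect to a non-HTTPS URI")
            continue
        if 400 <= status < 500:
            raise ValueError(f"DoH request rejected with HTTP {status}")
        if status != 200 or headers.get("Content-Type") != DNS_MESSAGE:
            raise ValueError("unexpected DoH response")
        return url, body
    raise ValueError("too many redirects")

def fake_transport(url, headers):
    """Constructed stand-in server: the old path redirects, the new path answers."""
    parts = urlsplit(url)
    if parts.path == "/experimental":
        return 307, {"Location": "/dns-query?" + parts.query}, b""
    if parts.path == "/dns-query":
        return 200, {"Content-Type": DNS_MESSAGE}, b"constructed-response"
    return 404, {}, b""
```

In a real client, `transport` would wrap an HTTPS library with automatic redirect following disabled, so that every hop passes through the checks in `resolve`.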

The will be taken down in three stages, Google also explains.

Within 45 days, the domain name will be updated to return and other Google Public DNS anycast addresses, but will continue to return DNS responses to queries sent to former addresses of 

In 90 days, the company will return HTTP redirects to for queries sent to former addresses of Finally, in 12 months, HTTP redirects will be sent to for all queries sent to the anycast addresses using the domain.

The Internet giant says it will post timelines for redirections on the public‑dns‑announce forum and on the DoH migration page. The company also published DoH documentation containing required technical details. 
