DNS Over HTTPS DoH and Its Effect on Propagation

DNS over HTTPS, commonly referred to as DoH, is a protocol designed to enhance user privacy and security by encrypting DNS queries and transmitting them over the HTTPS protocol. Traditionally, DNS queries are sent in plaintext over UDP or TCP, which means that any intermediary—such as an ISP, public Wi-Fi operator, or malicious actor on the same network—can see which domains a user is trying to access. DoH counters this by wrapping DNS requests within HTTPS, making them indistinguishable from standard web traffic and significantly more difficult to intercept or manipulate. While DoH provides clear benefits in terms of confidentiality and integrity, its implementation introduces nuanced implications for DNS propagation, especially regarding how changes to DNS records are recognized and handled by clients and recursive resolvers.

At its core, DNS propagation refers to the time it takes for updates to DNS records to be reflected across the global network of DNS resolvers. When an administrator updates a record—for example, pointing a domain to a new IP address via an A record change—the new information is immediately available from the authoritative DNS server. However, recursive resolvers around the world cache DNS responses based on the Time to Live (TTL) value associated with each record. Until this TTL expires, those resolvers continue to serve the cached (and possibly outdated) information, even if the record has changed. This delayed consistency is what defines DNS propagation.

DoH does not inherently alter how DNS TTLs function or how authoritative servers handle record updates, but it changes how and where DNS queries are resolved. When users rely on DoH-enabled clients—such as browsers like Firefox or Chrome configured to use providers like Cloudflare (1.1.1.1) or Google Public DNS (8.8.8.8)—their DNS requests bypass the system’s configured resolver, including the one provided by the local ISP. Instead, queries are sent directly to the DoH resolver chosen by the application. As a result, the DNS propagation experience is now influenced by the caching behavior and TTL compliance of these remote DoH resolvers, rather than the user’s ISP or corporate network DNS server.

This architectural shift has a subtle but important impact on how quickly DNS changes propagate to end-users. If a domain’s DNS records are updated, and the DoH resolver used by the client has a cached version of the old data, that outdated information will continue to be served until the TTL expires—even if the user flushes their local DNS cache. The propagation delay is thus governed not by the user’s immediate network environment but by the caching policy and refresh cycle of the remote DoH resolver. This creates a new layer of abstraction in DNS resolution, which can complicate propagation diagnostics and delay visibility of updates to users relying on DoH.

For example, a website undergoing a migration may update its DNS records to point to a new hosting provider. Users relying on traditional DNS resolvers might see the change based on their local ISP’s cache behavior. But those using browsers with built-in DoH support might continue to resolve the domain to the old IP address, depending on whether the DoH resolver has refreshed its cache. This inconsistency can be more difficult to diagnose because the user’s system-level DNS tools—such as nslookup or dig—do not interact with the DoH path and may show different results from what the browser is using internally.

Another effect of DoH on propagation arises from the centralization of DNS resolution. In a typical non-DoH scenario, users are scattered across countless resolvers—some operated by ISPs, others by enterprises or universities. Each of these resolvers has its own caching behavior, providing a diverse and distributed propagation footprint. With DoH, especially where a few major providers such as Cloudflare, Google, and NextDNS dominate, a large percentage of users may depend on a relatively small number of resolvers. This centralization can make propagation delays more uniform and predictable within the DoH ecosystem, but it also means that any delay at the DoH provider level affects a much larger segment of users simultaneously.

Administrators making DNS changes must therefore consider the caching policies of popular DoH providers. Some DoH resolvers may honor low TTLs strictly, while others may enforce minimum cache durations to reduce load and improve performance. This means that even if a record is set with a TTL of 60 seconds, a DoH resolver might still serve it for several minutes longer. This behavior is typically opaque to the domain owner, as few DoH providers offer real-time cache purge capabilities or visibility into cache contents. During critical DNS updates, such as infrastructure migrations, service failovers, or security responses, this lack of control can present significant challenges in managing user access and experience.

Moreover, because DoH queries are encrypted and often tied to browser-level settings, traditional DNS propagation check tools may not reflect the user’s real-world experience. A DNS propagation checker querying resolvers around the world may show that a change has propagated, while users relying on DoH resolvers still see outdated information. To properly validate changes under DoH, administrators need to test using the same DoH resolver endpoints or browser configurations their users are likely to use. This may require specialized tools or browser-based testing that simulates the actual client environment.
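As an added illustration (not part of the original article), the following Python builds the RFC 8484 GET-form URL a DoH client would fetch for an A query, parses the wire-format response body such a resolver returns, and reports whether the resolver is already serving the new address and how long its cache could keep handing out the old one. The endpoint string and the response bytes are constructed for the example; fetching the URL (with an `Accept: application/dns-message` header) is left to whatever HTTP client you use.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query. ID 0 is what RFC 8484 recommends so HTTP caches can match GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(endpoint: str, name: str) -> str:
    """RFC 8484 GET form: wire query, base64url without '=' padding, in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name; a 0xC0xx compression pointer is two bytes and ends the name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_answers(msg: bytes) -> list[tuple[str, int]]:
    """(ipv4, remaining ttl) for each A record in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((".".join(str(b) for b in msg[off:off + 4]), ttl))
        off += rdlen
    return answers

def propagation_status(resolver_msg: bytes, new_ip: str) -> tuple[bool, int]:
    """Whether the resolver already serves new_ip, and worst-case seconds until its cache expires."""
    answers = parse_a_answers(resolver_msg)
    current = bool(answers) and all(ip == new_ip for ip, _ in answers)
    return current, 0 if current else max((ttl for _, ttl in answers), default=0)

# Constructed (not captured) response: example.com A 203.0.113.10, 300 s TTL left; answer name is a 0xC00C pointer.
SAMPLE_STALE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xcb\x00\x71\x0a"
)
```

Querying each DoH endpoint your users are likely to be on and running the body through `propagation_status` gives a per-resolver picture that a generic propagation checker cannot.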

There is also a privacy consideration intertwined with propagation. Since DoH encrypts DNS traffic, it prevents intermediaries from observing DNS queries and responses. This can obscure propagation issues from network-level monitoring tools that might otherwise be used to detect when DNS changes take effect across a corporate network. In environments that rely on split-horizon DNS—where internal and external users are served different DNS responses—DoH can bypass the internal resolver entirely, exposing internal-only resources or preventing access to location-specific services. While this is more of an operational concern than a propagation delay per se, it illustrates the broader impact of DoH on DNS behavior and change visibility.

In summary, DNS over HTTPS introduces a paradigm shift in how DNS resolution is performed, emphasizing user privacy and integrity but adding complexity to the already nuanced world of DNS propagation. While DoH does not directly modify TTLs or the propagation process itself, it shifts the point of resolution away from local resolvers to centralized, encrypted endpoints. This change affects how and when users see updates to DNS records, who controls caching behavior, and how propagation issues are diagnosed and resolved. For administrators and infrastructure managers, understanding the implications of DoH is crucial to ensuring that DNS updates reach users in a timely and predictable manner, particularly as encrypted DNS becomes more widely adopted in modern browsers and operating systems.
