DNSSEC vs DNS over HTTPS (DoH)
Understand the difference between DNSSEC and DNS over HTTPS. DNSSEC proves DNS records are authentic; DoH encrypts queries for privacy. Learn why you need both.
DNSSEC and DNS over HTTPS (DoH) are both DNS security technologies, but they solve fundamentally different problems. DNSSEC proves that DNS answers have not been tampered with. DoH hides DNS queries from network observers. They are complementary, not competing.
TL;DR
- DNSSEC adds cryptographic signatures to DNS records. Resolvers can verify that an answer is authentic and unmodified ā but the query and response are still visible on the wire.
- DoH wraps DNS queries inside an encrypted HTTPS connection between the client and the resolver. Eavesdroppers cannot see which domains you look up ā but DoH says nothing about whether the answer is genuine.
- Using both together gives you authenticated answers delivered over an encrypted channel.
They Solve Different Problems
| DNSSEC | DNS over HTTPS | |
|---|---|---|
| Protects against | Record tampering, cache poisoning | Eavesdropping, query logging by ISPs |
| Scope | End-to-end: from authoritative server to validating resolver | Hop-by-hop: from client to resolver only |
| Mechanism | Cryptographic signatures (RRSIG, DNSKEY, DS) | TLS encryption over HTTPS |
| Who deploys it | Zone owner (signs) + resolver (validates) | Client (sends DoH) + resolver (accepts DoH) |
| Visible to network | Yes ā queries and answers are plaintext | No ā encrypted inside HTTPS |
| Proves authenticity | Yes | No |
| Hides queries | No | Yes (from local network only) |
How DNSSEC Works
DNSSEC adds a chain of trust from the DNS root zone down to your domain. Each level cryptographically signs the next:
- The root zone publishes its own DNSKEY and signs the DS records for each TLD.
- The TLD (e.g.
.eu) publishes its DNSKEY and signs DS records for domains under it. - Your zone (e.g.
dnscale.eu) publishes its DNSKEY and signs every record set with RRSIG signatures.
A validating resolver walks this chain from the root to your domain. If any signature fails, the response is rejected. This prevents:
- Cache poisoning ā an attacker cannot inject forged records because they cannot produce valid signatures.
- Man-in-the-middle modification ā even if an attacker intercepts the response, altering it breaks the cryptographic signature.
What DNSSEC does not do
DNSSEC does not encrypt anything. Queries and responses travel in plaintext. An observer on the network can see every domain you look up and every answer you receive. DNSSEC only guarantees that the answer is the one the zone owner published.
How DNS over HTTPS Works
DoH wraps standard DNS queries inside an HTTPS connection (port 443) between the client ā typically a browser or OS stub resolver ā and a DoH-capable recursive resolver.
- The client opens a TLS-encrypted HTTPS connection to the resolver (e.g.
https://dns.example.com/dns-query). - DNS queries are sent as HTTP requests (GET or POST) with the
application/dns-messagecontent type. - The resolver decrypts the query, resolves it normally (contacting authoritative servers over standard DNS), and returns the answer over the same encrypted channel.
Because the connection uses TLS, anyone between the client and the resolver ā ISPs, Wi-Fi operators, corporate proxies ā sees only encrypted HTTPS traffic to the resolver's IP address. They cannot see which domains are being queried.
What DoH does not do
DoH only encrypts the first hop ā from the client to the resolver. The resolver still contacts authoritative nameservers over standard, unencrypted DNS. DoH also does not verify that answers are genuine. If the resolver itself is compromised, or if it receives a poisoned answer from an upstream server, DoH will dutifully deliver that forged answer over a perfectly encrypted channel.
Why You Need Both
| Threat | DNSSEC alone | DoH alone | Both |
|---|---|---|---|
| Cache poisoning / forged answers | Protected | Vulnerable | Protected |
| ISP logging your queries | Visible | Hidden | Hidden |
| On-path attacker modifying answers | Protected | Vulnerable | Protected |
| Wi-Fi eavesdropping on queries | Visible | Hidden | Hidden |
| Compromised resolver returning bad data | Protected (if resolver validates) | Vulnerable | Protected |
Running DNSSEC-signed zones and using a DoH-capable validating resolver gives you defence in depth: authenticity from DNSSEC, privacy from DoH.
DNSSEC with DNScale
DNScale supports DNSSEC out of the box. You can enable signing and manage keys from the dashboard or via the API:
- Open your zone in the DNScale dashboard and click the Shield icon.
- Click Generate Key Pair to create a signing key (CSK with ECDSAP256SHA256).
- Copy the DS records and add them at your domain registrar.
- Once the DS records propagate, your zone is DNSSEC-protected.
For detailed key management, including rollovers, see the DNSSEC Key Management guide.
Key Takeaways
- DNSSEC and DoH are not interchangeable ā they protect against different threats.
- DNSSEC proves records are authentic via a cryptographic chain of trust. It does not encrypt.
- DoH encrypts queries between the client and resolver. It does not verify authenticity.
- For comprehensive DNS security, deploy DNSSEC on your zones and use a DoH-capable validating resolver.
Further Reading
- DNSSEC Key Management ā Key generation, DS records, and safe rollovers
- DNS Attacks and Threats ā Common DNS attack vectors and mitigations
- What Is a TLSA Record ā DANE/TLSA for certificate pinning via DNS
- SSL and TLS Certificates Explained ā How TLS secures connections
Ready to manage your DNS with confidence?
DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.
Start free