
Alibaba Cloud DNS: DNS over HTTPS (DoH)

Last Updated: Nov 28, 2025

HTTPDNS provides DNS resolution over a TLS-encrypted HTTP connection as specified in RFC 8484. This is suitable for browser-based access scenarios.

Obtaining DoT/DoH endpoints

  1. Go to Alibaba Cloud DNS - HTTPDNS.

  2. On the Access Configuration tab, select Method 3: DoT/DoH-based access.

  3. Currently, DoT/DoH supports two integration methods: short address integration and custom encrypted address integration.

    Important

    For enhanced security, we recommend that you select Use Encrypted Address.

  4. Click Add an encrypted URL, then enter the custom part in the dialog box to get the custom integration address.

  5. Finally, turn on the enable status switch for the encrypted address.

    Warning
    • If you decide to stop using DoH to access HTTPDNS, turn off the switch.

    • Use the service suspension feature with caution. If you suspend the service, your account is downgraded to a free user. This means billing stops, console reports are no longer displayed, and other features are disabled. Your HTTPDNS service will no longer be guaranteed by a service-level agreement (SLA). The service will also be subject to throttling and DNS query rejections.

    • The service can be restarted after suspension. After restart, the service will restore its original configuration and billing will resume.

Regular user DoH service usage

The following steps assume that the user's DoH endpoint is configured as https://5***4-2h*****ynx3tls.alidns.com/dns-query.

This topic uses Chrome as an example to demonstrate how to configure DoH.

  1. Open Chrome browser and click Settings from the Chrome menu bar.

  2. Enter "DNS" in the search box. In the search results below, click the expand arrow to the right of [Security].

  3. Scroll down to the bottom of the page. In the [Advanced] options, enable the "Use secure DNS" feature, and enter https://5***4-2h*****ynx3tls.alidns.com/dns-query in the [Use]-[Custom] box to complete the configuration.

Developer DoH service usage

Developers need to generate DoH HTTP requests according to the requirements in RFC 8484 and send them to the DoH endpoint.

DoH supports both the GET and POST methods. With the POST method, the DNS query message is carried in the HTTP request body. With the GET method, the single variable "dns" carries the base64url-encoded DNS request.

Developer examples (with Python and Golang code samples)

For example, to initiate a DoH query using the GET method, first base64url-encode the binary DNS message to obtain the "dns" parameter, build the complete DoH HTTP URL, and then send the HTTP request to obtain the DNS response message.

  • Below is a Python code sample demonstrating how developers can use DoH to query the domain alibaba.com.

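    import base64
    import json

    import dns.message
    import dns.rdatatype
    import requests

    # Replace with the encrypted address from your own console.
    doh_url = "https://5***4-2h*****ynx3tls.alidns.com/dns-query"
    domain = "alibaba.com"
    rr = "A"
    result = []

    # Build the query in DNS wire format and base64url-encode it without padding.
    message = dns.message.make_query(domain, rr)
    dns_req = base64.urlsafe_b64encode(message.to_wire()).decode("ascii").rstrip("=")
    # A GET request has no body, so the media type goes in Accept.
    r = requests.get(doh_url, params={"dns": dns_req},
                     headers={"Accept": "application/dns-message"}, timeout=5)
    r.raise_for_status()

    # Report every record of every RRset in the answer section.
    for rrset in dns.message.from_wire(r.content).answer:
        for rdata in rrset:
            result.append({"Query": rrset.name.to_text(), "TTL": str(rrset.ttl),
                           "RR": dns.rdatatype.to_text(rrset.rdtype),
                           "Answer": rdata.to_text()})
    print(json.dumps(result, sort_keys=True))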

    Sample result:

    $ python test_doh.py
    [{"Answer": "106.11.XXX.XXX", "Query": "alibaba.com.", "RR": "A", "TTL": "133"}]

  • Below is a Golang code sample demonstrating how developers can use DoH to query the domain www.taobao.com.

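    package main

    import (
            "encoding/base64"
            "fmt"
            "io"
            "net/http"
            "os"

            "github.com/miekg/dns"
    )

    func main() {
            // Build the DNS query and pack it into wire format.
            query := dns.Msg{}
            query.SetQuestion("www.taobao.com.", dns.TypeA)
            msg, err := query.Pack()
            if err != nil {
                    fmt.Printf("Pack query error, err:%v\n", err)
                    os.Exit(1)
            }
            // GET method: unpadded base64url in the "dns" variable.
            b64 := base64.RawURLEncoding.EncodeToString(msg)
            resp, err := http.Get("https://5***4-2h*****ynx3tls.alidns.com/dns-query?dns=" + b64)
            if err != nil {
                    fmt.Printf("Send query error, err:%v\n", err)
                    os.Exit(1)
            }
            defer resp.Body.Close()
            // Only a 200 response carries a DNS message in its body.
            if resp.StatusCode != http.StatusOK {
                    fmt.Printf("Unexpected HTTP status: %s\n", resp.Status)
                    os.Exit(1)
            }
            bodyBytes, err := io.ReadAll(resp.Body)
            if err != nil {
                    fmt.Printf("Read response error, err:%v\n", err)
                    os.Exit(1)
            }
            response := dns.Msg{}
            if err := response.Unpack(bodyBytes); err != nil {
                    fmt.Printf("Unpack response error, err:%v\n", err)
                    os.Exit(1)
            }
            fmt.Printf("Dns answer is :%v\n", response.String())
    }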

    Sample result:

    Sent Get query https://dns.alidns.com/dns-query?dns=xzEBAAABAAAAAAAAA3d3dwZ0YW9iYW8DY29tAAABAAE
    Dns answer is :;; opcode: QUERY, status: NOERROR, id: 5***3
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;www.taobao.com.        IN       A
    
    ;; ANSWER SECTION:
    www.taobao.com. 15      IN      CNAME   www.taobao.com.danuoyi.tbcache.com.
    www.taobao.com.danuoyi.tbcache.com.     15      IN      A       221.229.XXX.XXX
    www.taobao.com.danuoyi.tbcache.com.     15      IN      A       221.229.XXX.XXX
    
    ;; ADDITIONAL SECTION:
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version 0; flags: ; udp: 4096
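
The GET and POST encodings described above, side by side, as an added example that is not part of the original documentation. It uses only the Python standard library and builds the requests without sending them; `decode_get` reverses the GET encoding to recover the queried name from a logged URL. The function names are assumptions of this example, and the endpoint is the one shown in the Golang sample output above.

```python
import base64
import struct
import urllib.request
from urllib.parse import parse_qs, urlsplit

DOH_URL = "https://dns.alidns.com/dns-query"  # endpoint from the page's sample output
MEDIA_TYPE = "application/dns-message"        # RFC 8484 media type


def build_query(name, qtype=1, msg_id=0):
    """Wire-format query: 12-byte header (RD set) plus one IN-class question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("ascii").split(b".")
    if any(not 0 < len(label) < 64 for label in labels):
        raise ValueError("each label must be 1..63 bytes")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get(wire, url=DOH_URL):
    """GET: the message travels in the URL as unpadded base64url in 'dns'."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return urllib.request.Request(url + "?dns=" + b64,
                                  headers={"Accept": MEDIA_TYPE}, method="GET")


def doh_post(wire, url=DOH_URL):
    """POST: the raw message is the body and Content-Type declares its format."""
    return urllib.request.Request(url, data=wire, method="POST",
                                  headers={"Content-Type": MEDIA_TYPE,
                                           "Accept": MEDIA_TYPE})


def decode_get(url):
    """Recover (id, qname, qtype) from a DoH GET URL such as one in a proxy log."""
    b64 = parse_qs(urlsplit(url).query)["dns"][0]
    wire = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    msg_id, _flags, qdcount = struct.unpack("!HHH", wire[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while wire[pos] != 0:
        length = wire[pos]
        if length > 63:
            raise ValueError("compression pointer or invalid label in question")
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", wire[pos + 1:pos + 5])
    return msg_id, ".".join(labels) + ".", qtype
```

Calling `build_query("www.taobao.com.", 1, 0xC731)` and passing the result to `doh_get` reproduces the query URL in the Golang sample output; pass either request object to `urllib.request.urlopen` to send it.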