DNS Query Encoding in DNS-over-HTTPS

Understanding why DNS queries must be base64url-encoded in DoH GET requests

Why DNS Queries Must Be Encoded

When using DNS-over-HTTPS with GET requests, DNS queries must be encoded using base64url encoding. This requirement exists for several important technical reasons:

1. Binary Data in URLs

DNS queries are binary messages in the RFC 1035 wire format: a 12-byte header (transaction ID, flags, section counts) followed by the question section, which carries the queried name as a sequence of length-prefixed labels, the record type requested (A, AAAA, MX, etc.), and the class. Any octet value can appear in such a message. URLs, however, are text and allow only a restricted set of characters, so the raw octets cannot be placed in a query string as they are. Percent-encoding every byte would work but roughly triples the size of the message; base64url grows it by only about one third.

2. URL Safety

Standard Base64 encoding uses characters like '+' and '/' which have special meanings in URLs:

  1. '+' is decoded as a space by application/x-www-form-urlencoded query-string parsers
  2. '/' is the path separator and is treated specially by many URL parsers and proxies
  3. '=' padding is the key/value separator in query strings and can be misread or dropped

Base64url encoding (RFC 4648, Section 5) solves this by:

  1. Replacing '+' with '-' and '/' with '_', so the output contains only letters, digits, '-' and '_'
  2. Omitting the trailing '=' padding, which RFC 8484 requires for the dns parameter

3. RFC 8484 Compliance

The DNS-over-HTTPS specification (RFC 8484, Section 4.1) defines the GET form precisely: the DNS message is base64url-encoded and carried in a single query parameter named dns, with the padding characters omitted. A server that receives the parameter in any other form (standard Base64, padded, or percent-encoded raw bytes) is not guaranteed to accept it, so the single mandated form is what makes independently written clients and servers interoperate. The same section recommends setting the DNS message ID to 0 in DoH requests, so that identical queries produce identical URLs and can be served from HTTP caches.

Example Encoding Process

  1. A DNS query for "example.com" is built as a binary wire-format message (header, then question section)
  2. The binary message is encoded with base64url and the trailing '=' padding is dropped
  3. The resulting string is placed in the dns query parameter of the GET request

Binary DNS Query → Base64url Encoding → URL Parameter
[0xAB, 0xCD, 0x01, 0x00, 0x00, 0x01, ...] → "q80BAAAB..." → ?dns=q80BAAAB...

The first six bytes shown are the message header: ID 0xABCD, flags 0x0100 (only the RD bit set), QDCOUNT 1. RFC 8484 recommends an ID of 0 in DoH requests so that identical queries yield identical, cacheable URLs; the non-zero ID here is only illustrative.
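The process above carried end to end in Python, as an added example that is not code from the original page or from this proxy: it builds the RFC 1035 wire-format query, encodes it with base64url and no padding, assembles the GET URL, and decodes the parameter back. The resolver URL https://dns.example/dns-query is a placeholder, the sample bytes are constructed, and the expected string for www.example.com is the one printed in RFC 8484, Section 4.1.1.

```python
"""Build a DNS wire-format query and encode it for a DoH GET request (RFC 8484 §4.1).

Added example; the resolver URL used below is a placeholder, not a real service.
"""
import base64
import struct

# Query types this example supports (RFC 1035 / RFC 3596 values).
QTYPE = {"A": 1, "AAAA": 28, "MX": 15, "TXT": 16}


def build_dns_query(name: str, qtype: str = "A", txid: int = 0) -> bytes:
    """Return a minimal DNS query message (RFC 1035 §4.1) for `name`.

    RFC 8484 §4.1 recommends a DNS ID of 0 so that identical queries produce
    identical URLs and can be answered from HTTP caches.
    """
    # Header: ID, flags (only RD set -> 0x0100), QDCOUNT=1, AN/NS/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero-length label.
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", QTYPE[qtype], 1)  # QCLASS 1 = IN
    return header + question


def to_base64url(data: bytes) -> str:
    """base64url (RFC 4648 §5) with the '=' padding removed, as RFC 8484 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def from_base64url(text: str) -> bytes:
    """Inverse of to_base64url: restore the padding the client dropped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def doh_get_url(resolver: str, name: str, qtype: str = "A") -> str:
    """Full DoH GET URL: the `dns` parameter carries the encoded message."""
    return f"{resolver}?dns={to_base64url(build_dns_query(name, qtype))}"


def is_valid_dns_param(text: str) -> bool:
    """Server-side check: non-empty, only the base64url alphabet, no padding."""
    alphabet = set(
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
    )
    return bool(text) and set(text) <= alphabet


def encodings(data: bytes) -> tuple:
    """(standard base64, base64url) of the same bytes, to show the alphabet difference."""
    return base64.b64encode(data).decode("ascii"), to_base64url(data)


if __name__ == "__main__":
    query = build_dns_query("www.example.com")
    print(query.hex())
    # Placeholder resolver; substitute a real DoH endpoint.
    print(doh_get_url("https://dns.example/dns-query", "www.example.com"))
    # Constructed bytes chosen so that standard Base64 emits '+', '/' and '='.
    std, url = encodings(b"\xfb\xff")
    print(f"standard base64: {std!r}  base64url: {url!r}")
    assert from_base64url(to_base64url(query)) == query
```

On the server side, is_valid_dns_param is the check to run before decoding: a dns value containing '+', '/' or '=' is not in the form RFC 8484 specifies, and rejecting it with a 400 is safer than guessing which encoding the client meant.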

When Encoding is Required

Encoding applies only to the GET method. RFC 8484 defines two ways to carry a DNS message: a GET request with the base64url-encoded message in the dns query parameter, or a POST request whose body is the raw binary message with Content-Type: application/dns-message. A POST body is not subject to URL character restrictions and is sent unencoded. GET is the more cache-friendly form, because the encoded query becomes part of the URL and therefore of the HTTP cache key; POST avoids the size growth and suits clients that do not need caching.

Tools for Encoding

Many programming languages provide built-in functions for base64url encoding:

  1. Python: base64.urlsafe_b64encode(data) (emits '=' padding, which must be stripped)
  2. Go: base64.RawURLEncoding.EncodeToString(data) (no padding)
  3. Node.js: Buffer.from(data).toString('base64url') (no padding)
  4. Java: Base64.getUrlEncoder().withoutPadding().encodeToString(data)

In each case the result is used directly as the value of the dns query parameter; no further percent-encoding is needed, since the base64url alphabet is already URL-safe.

This encoding requirement ensures that DNS queries can be safely transmitted over HTTPS while maintaining compatibility with web standards and the DoH protocol specification.

Ad-Blocking Support

This DoH proxy includes support for ad-blocking DNS providers. When using this service, DNS queries are automatically distributed across multiple providers including specialized ad-blocking services like AdGuard, ControlD, Mullvad, and NextDNS. These providers block ads, trackers, and malicious domains at the DNS level, providing an additional layer of privacy and security.
