Quad9 DOH HTTP/1.1 Retirement, December 15, 2025
quad9.net | 75 points by pickledoyster 7 hours ago
I think code to implement http/1.1 in whatever software stack they use would have been shorter than the blog post...
I think you’re severely underestimating the complexity of http/1.1. It’s definitely much simpler than http/2, but it’s a lot of code that needs to be maintained.
To write the code from scratch, sure.
But I'm thinking a few lines of nginx config to proxy http 1.1 to 2
Probably not - it can be quite poorly defined in places and the edge cases can be very fiddly. By pushing for http/2 it encourages more users to pick it up imo
Mikrotik DoH user here. While I don't use Quad9, I do use 1.1.1.1. I hope they don't follow suit before Mikrotik get a chance to add HTTP/2 support (if ever).
You should look into dnscrypt[0][1]. Easy and lots of options. jedisct1, cofyc, and many others have done a great job over the last decade here.
I never understood DOH over DOT. It makes sense if you want to hide DNS lookups so that people cannot block the DNS queries to ad and other scam networks.
Thanks to the ossification of the internet, every new protocol or protocol extension needs to be over HTTPS.
DoT works fine, it's supported on all kinds of operating systems even if they don't advertise it, but DoH arrived in browsers. Some shitty ISPs and terrible middleboxes also block DoT (though IMO that should be a reason to switch ISPs, not a reason to stop using DoT).
On the hosting side, there are more options for HTTP proxies/firewalls/multiplexers/terminators than there are for DNS, so it's easier to build infra around DoH. If you're just a small server, you won't need more than an nginx stream proxy, but if you're doing botnet detection and redundant failovers, you may need something more complex.
My ISP (my area is serviced by 1 more but they offer lower speeds) blocks the DoT port. They cannot block 443. If they start blocking popular DoH domains, I can use any of the mirrors or run my own over https://wongogue.in/catpics/
Anything that doesn't provide raw access at the internet protocol layer (other than RFP to prevent spoofing) shouldn't qualify as internet provider.
DOH prevents malicious network providers from blocking DOT traffic to enforce their own DNS services for “efficiency” reasons.
Most ISPs just want to sell your data and with encrypted client hello and DOH they’re losing visibility into what you’re doing.
DOT picked an odd port, DOH uses 443. Otherwise they both have the benefits of TLS.
It's both. In oppressive countries (Iran, China, Russia) where all traffic is filtered, DOH is supposed to help keep things concealed, too.
HTTP/1.1 is still heavily used in embedded systems.
But is DoH? If your library is too old to support http2, what are the chances you've upgraded the DNS resolver to a DoH resolver?
Luckily it's pretty easy to run your own DoH server if you're deploying devices in the field, and there are alternatives to Quad9.
It's not about age, it's about complexity. An HTTP/1.1 client is trivial to implement.
NextDNS has a DOH3 (as in, http/3) endpoint but afaict it doesn't seem to always use http/3.