dnsdoh.art now supports Discovery of Designated Resolvers (DDR, RFC 9462), including the strict verified mode used by Windows 11 and Apple platforms.

What it does. A device that has only the resolver's IP address, for example handed out by a router over DHCP, can now find the encrypted endpoints without any configuration. It sends one SVCB query for _dns.resolver.arpa to the resolver and receives the designations: our usual DNS over HTTPS endpoint /dns-query (HTTP/2 and HTTP/3) and DNS over QUIC on port 853.

Verified, not just discovered. The discovery query itself travels in plain DNS, so strict clients only accept a designation after a proof: the TLS certificate of the designated server must cover both its name and the resolver IP the device started from. For this check the DoH designation is published under a dedicated discovery name, ddr.dnsdoh.art, which serves the same /dns-query endpoint behind a certificate carrying exactly that pair: the name and the IP 194.180.189.33. We confirmed the result on Windows 11: set the DNS server to 194.180.189.33 and the system discovers, verifies, and fills in the DoH template by itself. iOS 16 and macOS 13 and later perform the same discovery.
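As an added illustration (not dnsdoh.art's code), here is a minimal Python parser for the SVCB answer a DDR client receives, the DoH URI template it derives, and the verified-mode check from the paragraph above; the RDATA is constructed by hand to match the designation described, and the certificate's SAN list is passed as plain strings rather than read from a real certificate.

```python
import ipaddress
import struct

KEY_ALPN, KEY_PORT, KEY_IPV4HINT, KEY_DOHPATH = 1, 3, 4, 7  # RFC 9460 / RFC 9461 SvcParamKeys
# Constructed SVCB RDATA (not a capture from dnsdoh.art) for the designation described above:
# "1 ddr.dnsdoh.art. alpn=h2,h3 ipv4hint=194.180.189.33 dohpath=/dns-query{?dns}"
SAMPLE_RDATA = (b"\x00\x01\x03ddr\x06dnsdoh\x03art\x00"      # priority 1, target name
                + b"\x00\x01\x00\x06\x02h2\x02h3"             # alpn
                + b"\x00\x04\x00\x04" + bytes([194, 180, 189, 33])  # ipv4hint
                + b"\x00\x07\x00\x10/dns-query{?dns}")        # dohpath

def read_name(buf, pos):
    """Decode an uncompressed wire-format name (SVCB targets are never compressed)."""
    labels = []
    while buf[pos]:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode("ascii"))
        pos += 1 + buf[pos]
    return ".".join(labels) + ".", pos + 1

def parse_svcb(rdata):
    """Split SVCB RDATA (RFC 9460 section 2.2) into (priority, target, params)."""
    (priority,) = struct.unpack("!H", rdata[:2])
    target, pos = read_name(rdata, 2)
    params = {}
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        val, pos = rdata[pos + 4:pos + 4 + length], pos + 4 + length
        if key == KEY_ALPN:  # sequence of length-prefixed protocol ids
            alpn, i = [], 0
            while i < len(val):
                alpn.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
                i += 1 + val[i]
            params["alpn"] = alpn
        elif key == KEY_PORT:
            (params["port"],) = struct.unpack("!H", val)
        elif key == KEY_IPV4HINT:
            params["ipv4hint"] = [str(ipaddress.IPv4Address(val[i:i + 4])) for i in range(0, len(val), 4)]
        elif key == KEY_DOHPATH:
            params["dohpath"] = val.decode("utf-8")
    return priority, target, params

def doh_template(target, params):
    """DoH URI template for a designation (RFC 9461 section 5): https://target[:port]dohpath."""
    host = target.rstrip(".") + (":%d" % params["port"] if "port" in params else "")
    return "https://" + host + params["dohpath"]

def verified(san_entries, target, resolver_ip):
    """RFC 9462 verified mode: SANs (as strings) must cover the designated name AND the resolver IP."""
    sans = {e.rstrip(".").lower() for e in san_entries}
    return target.rstrip(".").lower() in sans and str(ipaddress.ip_address(resolver_ip)) in sans
```

A strict client would run `verified` against the SANs of the certificate presented on the TLS connection to ddr.dnsdoh.art before using the template; a certificate carrying only the name is rejected even though discovery succeeded.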

Pinned in the zone as well. Like the four main transports, the discovery endpoint's certificate key is pinned in DNS with DANE TLSA records in our DNSSEC-signed zone. The certificate is a short-lived Let's Encrypt IP-address certificate (about six and a half days, the only form IP certificates are issued in) with fully automated renewal and monitoring.

How discovery works, including what DDR and DNR are and what the verification step checks, is covered in the guide How Devices Discover Encrypted DNS. The setup guide now notes which platforms configure themselves.