What Is the DNS HTTPS Record (Type 65) and How Does It Work?

The HTTPS record (DNS type 65, standardised in RFC 9460) is a relatively new DNS record type that lets a server advertise connection parameters — supported protocols, ECH configuration, IP address hints — directly in DNS, before the browser opens a TCP connection. Chrome, Firefox, and Safari all query it by default.

Key takeaways

  • The HTTPS record is DNS type 65. It replaces the older A/AAAA + Alt-Svc workflow for protocol discovery.
  • It can advertise ALPN protocols (h2, h3), ECH public keys, and IPv4/IPv6 address hints.
  • Cloudflare adds it automatically for all proxied domains — most Cloudflare sites already have one.
  • Without an HTTPS record, browsers still work fine; they just discover h2/h3 via ALPN and Alt-Svc after connecting.
  • Our checker reports whether your domain has an HTTPS record and what ALPN and ECH it advertises.

What problem does it solve?

Traditionally, a browser has to connect to a server before it knows which protocol to use. HTTP/2 is negotiated during the TLS handshake via ALPN. HTTP/3 is discovered from an Alt-Svc header in the first HTTP/1.1 or HTTP/2 response — meaning the first request always goes over an older protocol.

The HTTPS record moves this information into DNS. The browser queries it alongside the A/AAAA record, so it already knows the server speaks h3 before opening any connection. On a first visit, this can eliminate one full round-trip.

What's inside an HTTPS record?

An HTTPS record has a priority, a target hostname (or . for the same domain), and a set of service parameters. Common parameters:

ParameterMeaning
alpnSupported ALPN protocols, e.g. h2,h3
echEncrypted Client Hello config (base64). Hides the SNI from passive observers.
ipv4hint / ipv6hintIP address hints so the browser can start a connection before AAAA resolves.
portOverride the default port (rarely needed for public HTTPS).

A typical Cloudflare record looks like: 1 . alpn="h2,h3" ipv4hint=... ipv6hint=...

ECH: the privacy angle

Encrypted Client Hello (ECH) is the most significant parameter in the HTTPS record. Normally, the TLS ClientHello contains the SNI (Server Name Indication) in plaintext — so anyone watching the network can see which hostname you're connecting to, even over HTTPS.

ECH encrypts the ClientHello using a public key published in the HTTPS record. The browser fetches the record, gets the public key, and encrypts the real SNI before the TLS handshake. This hides the destination hostname from passive surveillance. It requires DNS-over-HTTPS or DNS-over-TLS so the DNS query itself is also encrypted.

Cloudflare enables ECH for proxied domains. Self-hosted servers need nginx/OpenSSL with ECH support (still experimental in most distributions as of mid-2026).

Do you need to add one?

If you're on Cloudflare: Already done. Cloudflare automatically publishes an HTTPS record with ALPN h2/h3, ECH, and IP hints for all proxied hostnames. You don't need to do anything.

If you run your own DNS (Bind, PowerDNS, Cloudflare DNS-only): You can add a type 65 record manually. In most DNS UIs it appears as record type HTTPS. The minimal useful record:

example.com.  IN  HTTPS  1 . alpn="h2,h3"

The 1 is the priority, the . means the same hostname. Only add protocols your server actually supports — if you only serve h2, use alpn="h2". Browsers will attempt h3 if you advertise it, and fall back to h2 on failure, but advertising a protocol you don't support wastes a round-trip.

HTTPS record vs Alt-Svc header

Both advertise HTTP/3, but at different points in the connection lifecycle. The Alt-Svc header arrives in the first HTTP response — so a returning visitor (with a cached Alt-Svc) connects over h3 immediately, but a first-time visitor always makes the first request over h1.1 or h2.

The HTTPS record is resolved before any TCP connection. On first visit, the browser can use h3 directly — no preliminary h2 request required. The two mechanisms are complementary: Alt-Svc works today for all browsers; the HTTPS record adds speed on first visit for browsers that query it (Chrome, Firefox, Safari since 2023–2024).

Check the HTTPS record on your domain

Our HTTPS checker now includes an HTTPS record check. Run a free report and look for the HTTPS record row in the DNS Security section — it shows whether the record is present, what ALPN protocols are advertised, and whether ECH is configured.

Check your domain