The DNS HTTPS record type is the modern, efficient way to tell clients that your origin server supports HTTP/3, and it does so by leveraging the existing DNS infrastructure without needing to expose a separate UDP port for discovery.

Let’s see this in action. Imagine a client wants to fetch https://example.com.

First, it’ll query DNS for _https.example.com with type HTTPS.

dig _https.example.com. IN HTTPS +short

If your server is configured correctly, the response will look something like this:

1337,443,1,a,abcdef.example.com.

This isn’t just a random string; it’s a structured message. 1337 is the ALPN (Application-Layer Protocol Negotiation) token for HTTP/3. 443 is the standard TLS port. 1 indicates the presence of an alt-svc (alternative service) record. a signifies that the service is available over IPv6. abcdef.example.com. is the host from which the client can actually fetch the content, potentially different from example.com itself for caching or load balancing purposes.

The client then uses this information. It knows it can try to establish a QUIC connection (the transport protocol for HTTP/3) to abcdef.example.com on port 443, using h3 (the ALPN identifier for HTTP/3) for negotiation. If that connection succeeds, the client will then fetch https://example.com over HTTP/3.

This record type is a DNS-level mechanism to advertise alternative services, specifically designed to be more efficient than the older SVCB (Service Binding) or NSEC (Next Secure) records for this purpose. The HTTPS record is essentially a specialized SVCB record. The key innovation here is the use of a dedicated DNS record type that can carry structured information about the alternative service directly, rather than relying on HTTP headers or separate TXT records. The HTTPS record is queried for a specific subdomain like _https.<domain>, allowing clients to discover HTTP/3 capabilities without even needing to establish an initial HTTP connection. This pre-connection discovery is crucial for the performance benefits of HTTP/3, as it allows clients to bypass traditional TCP handshake delays.

The standard specifies that the HTTPS record is queried for a subdomain formed by prepending _https. to the domain name. The record itself contains a comma-separated list of parameters. The first parameter is a mandatory priority. Lower numbers indicate higher priority. The second parameter is the port number. Following these are optional parameters, indicated by a single character: a for IPv6 support, A for IPv4 support, d for DNS-delegated service, n for no-DOH (DNS over HTTPS) support, and s for the service name. The most important part for HTTP/3 is the ALPN token, which is typically h3 or h3-29 (for an older draft). This token is part of the alpn parameter within the SVCB/HTTPS record.

The true power of the HTTPS record lies in its ability to decouple service discovery from the actual HTTP request. A client can query for _https.example.com and receive information about the best way to connect to example.com before it even attempts to resolve example.com itself. This means if example.com has multiple IP addresses or is served by different edge nodes, the HTTPS record can point to a specific, optimized endpoint for HTTP/3. This is critical for content delivery networks (CDNs) and large-scale deployments where the origin server might not be a single machine but a distributed system. The alpn parameter within the SVCB format (which HTTPS is a specialization of) explicitly lists the application protocols supported. For HTTP/3, this would be h3 or potentially version-specific identifiers like h3-29.
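The parameter layout above and the alpn parameter it carries are easier to check with a decoder in hand. The following is an added example, not code from the original article: it parses HTTPS RDATA in the binary wire layout that RFC 9460 registers for SVCB/HTTPS (a 16-bit priority, a wire-format target name, then key/length/value SvcParams with alpn as key 1 and port as key 3), which is a different representation from the comma-separated text shown earlier; the sample record bytes are constructed here, and the decoder rejects duplicate or out-of-order keys and truncated values rather than silently accepting them.

```python
"""Added example: decode HTTPS/SVCB RDATA in the RFC 9460 wire format:
SvcPriority (u16) | TargetName (wire name) | SvcParams (key u16, len u16, value)."""
import struct

ALPN_KEY, PORT_KEY = 1, 3  # only the SvcParams needed to detect HTTP/3 are decoded
# Constructed sample, equivalent to:  example.com. IN HTTPS 1 . alpn="h2,h3" port=443
SAMPLE_RDATA = bytes.fromhex("0001" "00" "0001" "0006" "026832" "026833"
                             "0003" "0002" "01bb")

def read_name(buf, pos):
    """Decode an uncompressed wire-format name; return (name, next_pos)."""
    labels = []
    while pos < len(buf) and buf[pos] != 0:
        n, pos = buf[pos], pos + 1
        if n > 63 or pos + n > len(buf):  # >63 also rejects compression pointers
            raise ValueError("bad label in TargetName")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    if pos >= len(buf):
        raise ValueError("truncated TargetName")
    return (".".join(labels) + "." if labels else "."), pos + 1

def parse_https_rdata(rdata):
    """Return priority, target, alpn list and port; reject malformed SvcParams."""
    if len(rdata) < 3:
        raise ValueError("RDATA too short")
    priority = struct.unpack_from("!H", rdata, 0)[0]
    target, pos = read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, vlen = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if key <= last_key:  # keys must be strictly ascending, so no duplicates
            raise ValueError(f"SvcParamKey {key} duplicated or out of order")
        if pos + vlen > len(rdata) or (key == PORT_KEY and vlen != 2):
            raise ValueError(f"bad value length for SvcParamKey {key}")
        last_key, params[key] = key, rdata[pos:pos + vlen]
        pos += vlen
    alpn, v, i = [], params.get(ALPN_KEY, b""), 0
    while i < len(v):  # alpn value is a list of 1-byte-length-prefixed ids
        n, i = v[i], i + 1
        if n == 0 or i + n > len(v):
            raise ValueError("malformed alpn list")
        alpn.append(v[i:i + n].decode("ascii"))
        i += n
    port = struct.unpack("!H", params[PORT_KEY])[0] if PORT_KEY in params else None
    return {"priority": priority, "target": target, "alpn": alpn, "port": port}
```

A target of "." means the service lives at the owner name itself, so a client would connect to example.com on the decoded port when "h3" appears in the alpn list.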

The next step in optimizing client connections is understanding how the ech (Encrypted Client Hello) extension works with DNS to provide enhanced privacy for TLS handshakes.
