Communication Flows Between Browser and Web Server (via Cloudflare) with DoH
Report Generated: November 17, 2025
This report details the DNS lookup using DoH (DNS over HTTPS) to Cloudflare's servers, the TCP and TLS handshakes, and the HTTPS traffic between the browser, the network hops, Cloudflare, and the origin server. It includes notes on the visibility of metadata and payloads at each hop. Traffic between Cloudflare and the origin is encrypted (HTTPS). DoH encrypts DNS queries, hiding the queried domain from the local router and the ISP.
1. DNS Resolution Phase via DoH
```mermaid
sequenceDiagram
    participant B as "Browser (Laptop)"
    participant R as "Local Router (WiFi)"
    participant I as "ISP Gateway"
    participant BB as "Internet Backbone"
    participant C as "Cloudflare Edge/DoH"
    participant S as "Origin Server"
    Note over B,S: DNS resolution phase via DoH (HTTPS encrypted)
    Note over B,S: First, TCP three-way handshake to Cloudflare DoH (plaintext metadata)
    B->>R: TCP SYN to Cloudflare DoH IP (e.g., 1.1.1.1) port 443
    Note over R: Router sees client and Cloudflare DoH IP and ports
    R->>I: Forward SYN
    Note over I: ISP sees client and Cloudflare DoH IP and ports
    I->>BB: Forward SYN
    Note over BB: Transit routers see IP addresses and ports
    BB->>C: Forward SYN
    Note over C: Cloudflare sees client IP and port
    C->>BB: TCP SYN ACK
    Note over BB: Transit routers see handshake metadata
    BB->>I: Forward SYN ACK
    Note over I: ISP sees handshake metadata
    I->>R: Forward SYN ACK
    Note over R: Router sees handshake metadata
    R->>B: SYN ACK
    B->>R: TCP ACK
    Note over R: Router sees ACK metadata
    R->>I: Forward ACK
    Note over I: ISP sees ACK metadata
    I->>BB: Forward ACK
    Note over BB: Transit routers see ACK metadata
    BB->>C: Forward ACK
    Note over C: Cloudflare sees ACK
    Note over B,S: TLS handshake for DoH (partly visible)
    B->>R: TLS ClientHello with SNI (e.g., cloudflare-dns.com)
    Note over R: Router sees SNI (DoH domain) and addressing
    R->>I: Forward ClientHello
    Note over I: ISP sees SNI (DoH domain) and addressing
    I->>BB: Forward ClientHello
    Note over BB: Transit routers see SNI (DoH domain) and addressing
    BB->>C: Forward ClientHello
    Note over C: Cloudflare sees full ClientHello and SNI
    C->>BB: TLS ServerHello, certificate, key exchange
    Note over BB: Transit routers see server handshake metadata
    BB->>I: Forward ServerHello and certificate
    Note over I: ISP sees server handshake metadata
    I->>R: Forward ServerHello and certificate
    Note over R: Router sees server handshake metadata
    R->>B: ServerHello, certificate, key exchange
    B->>R: Client key exchange, change cipher spec, finished
    Note over R: Router now sees only encrypted TLS records
    R->>I: Forward encrypted handshake messages
    Note over I: ISP sees encrypted TLS records and metadata
    I->>BB: Forward encrypted handshake messages
    Note over BB: Transit routers see encrypted TLS records
    BB->>C: Forward encrypted handshake messages
    C->>BB: TLS change cipher spec, finished to client
    Note over BB: Transit routers see encrypted records
    BB->>I: Forward encrypted records
    Note over I: ISP sees encrypted records and metadata
    I->>R: Forward encrypted records
    Note over R: Router sees encrypted records and metadata
    R->>B: Change cipher spec, finished
    Note over B,S: Encrypted DoH query (HTTPS POST with DNS query)
    B->>R: Encrypted HTTPS POST (DNS query: domain to IP)
    Note over R: Router sees only IP, ports, sizes and timing (no domain)
    R->>I: Forward encrypted query
    Note over I: ISP sees encrypted payload and metadata (no domain)
    I->>BB: Forward encrypted query
    Note over BB: Transit routers see encrypted payload and metadata
    BB->>C: Forward encrypted query
    Note over C: Cloudflare decrypts, sees DNS query (domain)
    C->>BB: Encrypted HTTPS response (Cloudflare IP for domain)
    Note over BB: Transit routers see encrypted response and metadata
    BB->>I: Forward encrypted response
    Note over I: ISP sees encrypted response and metadata (no domain/IP)
    I->>R: Forward encrypted response
    Note over R: Router sees encrypted response and metadata
    R->>B: Encrypted response
    Note over B,S: DNS domain hidden from router/ISP#59; only metadata visible. Cloudflare sees domain.
```
2. Main HTTPS Connection Phase
```mermaid
sequenceDiagram
    participant B as "Browser (Laptop)"
    participant R as "Local Router (WiFi)"
    participant I as "ISP Gateway"
    participant BB as "Internet Backbone"
    participant C as "Cloudflare Edge"
    participant S as "Origin Server"
    Note over B,S: Proceed with main connection (TCP three-way handshake, plaintext)
    B->>R: TCP SYN to Cloudflare IP port 443
    Note over R: Router sees client and Cloudflare IP and ports
    R->>I: Forward SYN
    Note over I: ISP sees client and Cloudflare IP and ports
    I->>BB: Forward SYN
    Note over BB: Transit routers see IP addresses and ports
    BB->>C: Forward SYN
    Note over C: Cloudflare sees client IP and port
    C->>BB: TCP SYN ACK
    Note over BB: Transit routers see handshake metadata
    BB->>I: Forward SYN ACK
    Note over I: ISP sees handshake metadata
    I->>R: Forward SYN ACK
    Note over R: Router sees handshake metadata
    R->>B: SYN ACK
    B->>R: TCP ACK
    Note over R: Router sees ACK metadata
    R->>I: Forward ACK
    Note over I: ISP sees ACK metadata
    I->>BB: Forward ACK
    Note over BB: Transit routers see ACK metadata
    BB->>C: Forward ACK
    Note over C: Cloudflare sees ACK
    Note over B,S: Only metadata exchanged so far, no payload
    Note over B,S: TLS handshake (partly visible)
    B->>R: TLS ClientHello with SNI (target domain)
    Note over R: Router sees SNI (target domain) and addressing
    R->>I: Forward ClientHello
    Note over I: ISP sees SNI (target domain) and addressing
    I->>BB: Forward ClientHello
    Note over BB: Transit routers see SNI (target domain) and addressing
    BB->>C: Forward ClientHello
    Note over C: Cloudflare sees full ClientHello and SNI
    C->>BB: TLS ServerHello, certificate, key exchange
    Note over BB: Transit routers see server handshake metadata
    BB->>I: Forward ServerHello and certificate
    Note over I: ISP sees server handshake metadata
    I->>R: Forward ServerHello and certificate
    Note over R: Router sees server handshake metadata
    R->>B: ServerHello, certificate, key exchange
    B->>R: Client key exchange, change cipher spec, finished
    Note over R: Router now sees only encrypted TLS records
    R->>I: Forward encrypted handshake messages
    Note over I: ISP sees encrypted TLS records and metadata
    I->>BB: Forward encrypted handshake messages
    Note over BB: Transit routers see encrypted TLS records
    BB->>C: Forward encrypted handshake messages
    C->>BB: TLS change cipher spec, finished to client
    Note over BB: Transit routers see encrypted records
    BB->>I: Forward encrypted records
    Note over I: ISP sees encrypted records and metadata
    I->>R: Forward encrypted records
    Note over R: Router sees encrypted records and metadata
    R->>B: Change cipher spec, finished
    Note over B,S: After the handshake, the payload is encrypted on the wire
    Note over B,S: HTTPS request and response encrypted
    B->>R: Encrypted HTTPS GET request
    Note over R: Router sees only IP, ports, sizes and timing
    R->>I: Forward encrypted request
    Note over I: ISP sees encrypted payload and metadata
    I->>BB: Forward encrypted request
    Note over BB: Transit routers see encrypted payload and metadata
    BB->>C: Forward encrypted request
    Note over C: Cloudflare decrypts, sees full HTTP request
    Note over C,S: Separate TLS connection to Origin (encrypted)
    C->>S: Encrypted HTTPS request to origin
    Note over S: Origin decrypts, sees full HTTP request payload
    S->>C: Encrypted HTTPS response
    Note over C: Cloudflare decrypts response, re-encrypts for client
    C->>BB: Encrypted HTTPS response to client
    Note over BB: Transit routers see encrypted response and metadata
    BB->>I: Forward encrypted response
    Note over I: ISP sees encrypted response and metadata
    I->>R: Forward encrypted response
    Note over R: Router sees encrypted response and metadata
    R->>B: Encrypted response
    Note over B,S: Only browser, Cloudflare and origin can see the HTTP payload (after decryption)
```
Key Insights from the Diagram
This sequence diagram effectively breaks down the layered network interactions in a modern web request—starting with DNS resolution via DNS over HTTPS (DoH) to Cloudflare's resolver (1.1.1.1), followed by the primary HTTPS connection to a Cloudflare-proxied origin server. It highlights encryption boundaries and visibility of metadata vs. payloads across network hops. To address potential rendering issues with long diagrams, the flows have been split into two separate Mermaid diagrams above.
1. DNS Resolution Phase (DoH to Cloudflare)
Purpose
Resolves the target domain (e.g., example.com) to an IP without exposing it to local networks or ISPs.
Flow Overview
TCP Handshake: Plaintext SYN/ACK/ACK to Cloudflare's DoH endpoint (IP like 1.1.1.1:443). All hops (router, ISP, backbone) see source/destination IPs, ports, and packet timing/sizes.
TLS Handshake: ClientHello includes SNI ("cloudflare-dns.com"), visible to all hops (revealing DoH usage but not the queried domain). Subsequent key exchange and "finished" messages encrypt the session.
Encrypted Query/Response: Browser sends a POST with the DNS query (e.g., A record for example.com) over HTTPS. Only Cloudflare decrypts and responds with the resolved IP. Router/ISP see only encrypted blobs (sizes/timing).
Privacy Win: DoH hides the target domain from eavesdroppers (e.g., ISP can't log visited sites via DNS). However, SNI during TLS exposes DoH intent.
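To make the "encrypted blob" concrete, the following added example (not part of the original report) builds the RFC 8484 DoH query that the browser wraps in its HTTPS POST or GET, and decodes a constructed resolver response. The resolver URL and the answer IP 203.0.113.10 are constructed sample values; only Cloudflare, which terminates the TLS session, ever sees these bytes in the clear.

```python
import base64
import struct

RESOLVER = "https://cloudflare-dns.com/dns-query"  # DoH endpoint; its name is what SNI exposes


def encode_name(name: str) -> bytes:
    """Encode a domain as length-prefixed labels ending in a zero byte (RFC 1035)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Single-question query. RFC 8484 recommends ID 0 so identical queries give
    identical bytes, letting HTTP caches answer repeated lookups."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def doh_get_url(query: bytes, resolver: str = RESOLVER) -> str:
    """GET form: base64url of the wire message, '=' padding stripped, in ?dns=."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_a_records(msg: bytes):
    """Return (queried name, [IPv4 strings]) from an application/dns-message body."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"DNS error, rcode={flags & 0xF}")
    qname, off = decode_name(msg, 12)
    off += 4                                          # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        _owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                 # A record
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qname, ips


# Constructed response: QR/RD/RA flags set, the echoed question, then one A answer
# whose owner name is a compression pointer (0xC00C) back to the question at offset 12.
QUERY = build_dns_query("example.com")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + QUERY[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10]))
```

On the wire a router or ISP sees only that roughly 29 bytes went out and 45 came back inside a TLS record; the name and the answer are recoverable only after decryption, as `parse_a_records` does here.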
Visibility Table

| Entity | Sees Metadata (IPs, Ports, Timing, Sizes) | Sees SNI (DoH Domain) | Sees DNS Query (Target Domain) | Sees Response (Resolved IP) |
|---|---|---|---|---|
| Local Router | Yes | Yes | No | No |
| ISP Gateway | Yes | Yes | No | No |
| Backbone | Yes | Yes | No | No |
| Cloudflare | Yes | Yes | Yes | Yes (processes it) |
| Browser | N/A | N/A | Yes (sends it) | Yes (receives it) |
2. Main HTTPS Connection Phase (Browser → Cloudflare → Origin)
Purpose
Fetch the actual web content (e.g., GET /page.html).
Flow Overview
TCP Handshake: Similar to DoH—plaintext to Cloudflare's edge IP:443. Full metadata visible to all hops.
TLS Handshake: ClientHello SNI reveals the target domain (e.g., example.com), visible to router/ISP/backbone. Handshake completes with encryption.
Encrypted Request/Response: Browser sends HTTPS GET (encrypted payload). Cloudflare decrypts, inspects/forwards via a new TLS session to the origin server (encrypted end-to-end). Origin responds; Cloudflare re-encrypts for the browser.
Privacy Notes: Post-handshake, only metadata (no content) leaks. SNI is a common "fingerprint" for domains—tools like Encrypted Client Hello (ECH) in modern browsers mitigate this, but it's not universal yet. Cloudflare acts as a trusted man-in-the-middle, seeing full payloads for caching/security.
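The SNI "fingerprint" described above is readable by any on-path device without keys. This added example (not from the original report) constructs a minimal TLS 1.3-style ClientHello carrying a server_name extension and then extracts the host name the way a passive network sensor would; the zeroed random and single cipher suite are constructed simplifications, and the same parser returns None once ECH or a missing extension leaves nothing to read.

```python
import struct


def build_client_hello(sni: str) -> bytes:
    """Constructed sample ClientHello (TLS record + handshake header + body) with
    server_name and supported_versions extensions. Real hellos carry many more."""
    host = sni.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host          # name_type=0 host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    ver_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"          # supported_versions: 1.3
    exts = sni_ext + ver_ext
    body = (b"\x03\x03" + bytes(32)                                    # legacy_version, random
            + b"\x00"                                                  # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"                       # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                              # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body             # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # handshake record


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None
    if the extension is absent. Raises ValueError for non-ClientHello records
    (e.g. application_data, which is all an observer sees after the handshake)."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    off = 5 + 4 + 2 + 32                                   # record hdr, hs hdr, version, random
    off += 1 + record[off]                                 # legacy_session_id
    off += 2 + struct.unpack("!H", record[off:off + 2])[0] # cipher_suites
    off += 1 + record[off]                                 # compression_methods
    if off >= len(record):
        return None                                        # no extensions block at all
    end = off + 2 + struct.unpack("!H", record[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", record[off:off + 4])
        off += 4
        if etype == 0:                                     # server_name: skip list len (2) + type (1)
            name_len = struct.unpack("!H", record[off + 3:off + 5])[0]
            return record[off + 5:off + 5 + name_len].decode("ascii")
        off += elen
    return None
```

Run against the two hellos in this report, the parser yields `cloudflare-dns.com` for the DoH leg and the target domain for the main connection, which is exactly the information the visibility tables attribute to the router, ISP and backbone.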
Visibility Table

| Entity | Sees Metadata | Sees SNI (Target Domain) | Sees HTTP Payload (Request/Response) |
|---|---|---|---|
| Local Router | Yes | Yes | No |
| ISP Gateway | Yes | Yes | No |
| Backbone | Yes | Yes | No |
| Cloudflare | Yes | Yes | Yes (decrypts both sides) |
| Origin Server | Yes (from CF) | N/A | Yes (from CF) |
| Browser | N/A | N/A | Yes (sends/receives) |
Overall Privacy & Security Implications
What Does DoH Hide? Primarily the DNS query itself—great against ISP DNS snooping or local network attacks. But it doesn't hide the subsequent connection's SNI, so ISPs can still infer visited domains.
Cloudflare's Role: As a CDN/reverse proxy, it terminates TLS from the client and re-encrypts to the origin. This enables features like DDoS protection and caching but centralizes trust (Cloudflare logs queries if enabled).
Active Attacks (e.g., MITM): Hard because of TLS certificate pinning, but weak CA trust could allow it.
End-to-End: Only browser, Cloudflare, and origin see full HTTP. Use HTTP/3 (QUIC) for even less metadata exposure.
Edge Cases: Assumes IPv4; IPv6 adds more headers. No QUIC here (it's TCP/TLS 1.3). Real-world: Browsers like Firefox/Chrome enable DoH by default in some regions.
Minor Suggestions for the Diagram
Accuracy: Spot-on for TLS 1.3 flows. One nit: during the TLS handshake, the certificate exchange is visible (chain details), but not payloads.
Enhancements: Add a note on ECH (hides SNI) or HTTP/2 multiplexing. Consider a parallel track for the Cloudflare→Origin leg to show its independent TCP/TLS.
Visualization Tip: If you're rendering this in Mermaid Live (mermaid.live), tweak sequenceDiagram styles for better hop alignment—e.g., add autonumber for step numbering. Splitting the diagram as done here resolves length-related rendering issues.