What Is DNS over HTTPS (DoH)?
DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by sending them inside standard HTTPS traffic instead of over plain UDP port 53. Traditional DNS queries are unencrypted and visible to anyone on your network path: your ISP, public Wi-Fi operators, and network-level eavesdroppers. DoH eliminates this exposure by wrapping DNS in TLS encryption.
DNS Query Methods Compared
| Protocol | Port | Encrypted | Authenticated | Observability |
| --- | --- | --- | --- | --- |
| Plain DNS (UDP) | 53 | No | No | Fully visible on network |
| DNS over TLS (DoT) | 853 | Yes | Yes | Encrypted but identifiable by port |
| DNS over HTTPS (DoH) | 443 | Yes | Yes | Indistinguishable from HTTPS traffic |
| DNS over QUIC (DoQ) | 853 UDP | Yes | Yes | Encrypted, low latency; emerging standard |
| DNSSEC | 53 | No (signs, not encrypts) | Yes | Visible; prevents tampering, not snooping |
DoH Providers
| Provider | DoH URL | Privacy Policy | Filtering |
| --- | --- | --- | --- |
| Cloudflare | https://cloudflare-dns.com/dns-query | Minimal logging, audited | Optional (1.1.1.2 malware, 1.1.1.3 adult) |
| Google | https://dns.google/dns-query | Logs queries for 24–48 hours | None |
| Quad9 | https://dns.quad9.net/dns-query | No logging | Malicious domains blocked |
| NextDNS | https://dns.nextdns.io/[ID] | Configurable per user | Fully configurable |
| AdGuard DNS | https://dns.adguard-dns.com/dns-query | Anonymized logs | Ad and tracker blocking |
How to Enable DoH
- Firefox: Settings → Privacy & Security → DNS over HTTPS. Select your provider or enter a custom URL.
- Chrome / Edge: Settings → Privacy and security → Security → Use secure DNS. Choose a provider or enter a custom one.
- Windows 11: Settings → Network & Internet → Wi-Fi/Ethernet → DNS server assignment → Edit → set Preferred DNS to 1.1.1.1 and choose "Encrypted only (DNS over HTTPS)".
- macOS (Ventura+): use third-party profiles (e.g. from Cloudflare's 1.1.1.1 app) or install a configuration profile via System Settings → Privacy & Security.
- Router-level DoH: some routers (ASUS with Merlin firmware, pfSense, OPNsense) support DoH configuration that covers all devices on the network.
Once enabled, you can verify which DNS server your queries are using with the DNS lookup tool.