What Is DNS over HTTPS (DoH)?
DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by sending them inside standard HTTPS traffic instead of over plain UDP port 53. Traditional DNS queries are unencrypted and visible to anyone on your network path: your ISP, public Wi-Fi operators, and network-level eavesdroppers. DoH eliminates this exposure by wrapping DNS in TLS encryption.
DNS Query Methods Compared
| Protocol | Port | Encrypted | Authenticated | Observability |
|---|---|---|---|---|
| Plain DNS (UDP) | 53 | No | No | Fully visible on network |
| DNS over TLS (DoT) | 853 | Yes | Yes | Encrypted but identifiable by port |
| DNS over HTTPS (DoH) | 443 | Yes | Yes | Indistinguishable from HTTPS traffic |
| DNS over QUIC (DoQ) | 853 UDP | Yes | Yes | Encrypted, low latency; emerging standard |
| DNSSEC | 53 | No (signs, not encrypts) | Yes | Visible; prevents tampering, not snooping |
DoH Providers
| Provider | DoH URL | Privacy Policy | Filtering |
|---|---|---|---|
| Cloudflare | https://cloudflare-dns.com/dns-query | Minimal logging, audited | Optional (1.1.1.2 malware, 1.1.1.3 adult) |
| Google | https://dns.google/dns-query | Logs queries for 24–48 hours | None |
| Quad9 | https://dns.quad9.net/dns-query | No logging | Malicious domains blocked |
| NextDNS | https://dns.nextdns.io/[ID] | Configurable per user | Fully configurable |
| AdGuard DNS | https://dns.adguard-dns.com/dns-query | Anonymized logs | Ad and tracker blocking |
How to Enable DoH
- Firefox: Settings → Privacy & Security → DNS over HTTPS, then select your provider or enter a custom URL.
- Chrome / Edge: Settings → Privacy and security → Security → Use secure DNS, then choose a provider or enter a custom one.
- Windows 11: Settings → Network & Internet → Wi-Fi/Ethernet → DNS server assignment → Edit → set Preferred DNS to 1.1.1.1 and choose "Encrypted only (DNS over HTTPS)".
- macOS (Ventura+): use a third-party app that installs a profile (e.g. Cloudflare's 1.1.1.1 app) or install a configuration profile yourself via System Settings → Privacy & Security.
- Router-level DoH: some routers (ASUS with Merlin firmware, pfSense, OPNsense) support DoH configuration that covers every device on the network. Once enabled, you can verify which DNS server your queries are using with the DNS lookup tool.
How a DoH Query Actually Works
Defined in RFC 8484, DoH wraps an ordinary DNS message in an HTTPS request:
| Step | What Happens |
|---|---|
| 1 | Your browser builds a standard DNS query (e.g. "A record for example.com") in binary wire format |
| 2 | It sends the query as an HTTPS GET or POST to the resolver's endpoint (e.g. https://cloudflare-dns.com/dns-query) with content type application/dns-message |
| 3 | The request rides an ordinary TLS connection on port 443; to anyone watching the network, it is indistinguishable from regular web traffic to that resolver |
| 4 | The resolver answers inside the same encrypted channel, and your browser caches the result exactly as with classic DNS |
DoH vs DoT in one sentence each
DNS over TLS (DoT, RFC 7858) encrypts the same data on its own dedicated port 853: cleaner for network operators to manage, but trivially blockable for the same reason. DoH hides inside port 443, making it nearly impossible to block without breaking HTTPS, which is precisely why browsers chose it and why some network administrators resent it.
What DoH Does Not Protect
- Your destination IPs remain visible: an observer no longer sees the lookup for example.com, but still sees you connect to the IP it resolves to.
- The TLS SNI field still names the site you visit in plaintext unless Encrypted Client Hello (ECH) is also in play.
- The DoH resolver itself sees every query: you are shifting trust from your ISP to Cloudflare, Google, or Quad9, not eliminating it.
- It can bypass network-level parental controls and corporate filters that rely on observing DNS, which is the main operational objection to it.
- It is not a VPN: only the name lookups are encrypted, not your traffic.
How to Verify DoH Is Working
| Step | Action |
|---|---|
| 1 | Enable DoH using the browser or OS paths in the section above |
| 2 | Cloudflare users: open 1.1.1.1/help; it reports "Using DNS over HTTPS (DoH): Yes" when active |
| 3 | Run a DNS lookup and confirm the answering resolver is the provider you configured, not your ISP |
| 4 | If you use a VPN, run the leak test; a DNS leak means queries are escaping outside both the tunnel and DoH |
What This Means for You
Plain DNS is the last major piece of everyday browsing that still travels unencrypted, and DoH closes it with one settings toggle. Whether that matters depends on whose visibility you mind: on home broadband it mainly stops ISP-level query logging, while on hotel, airport, and cafe networks it blocks both snooping and the DNS-hijack tricks rogue hotspots rely on, arguably its strongest case, alongside the rest of the public Wi-Fi playbook. Pick a resolver whose logging policy you accept, since it inherits exactly the visibility your ISP loses; pair DoH with a VPN when you want destinations hidden too.
Frequently Asked Questions
Does DNS over HTTPS hide my browsing from my ISP?
It hides your DNS queries: your ISP can no longer log the domain lookups themselves. But it still routes your actual connections, so destination IPs and unencrypted SNI values remain observable. DoH meaningfully reduces what your ISP sees; only a VPN removes it from the path entirely.
Does DoH slow down browsing?
Barely, and sometimes it is faster. DoH adds TLS overhead to the first query, but connections to the resolver are reused, and major DoH providers often answer quicker than ISP resolvers. Any difference is milliseconds per new domain, imperceptible next to page load times.
Should I use DoH and a VPN together?
They stack cleanly. A VPN already tunnels your DNS to the VPN provider's resolver; DoH on top encrypts queries even from that resolver's network and protects you when the VPN is off. Just verify with a leak test that queries actually follow the path you intend.