DNS over HTTPS (DoH): Privacy, Setup & How It Works
Every website you visit begins with a DNS lookup - and by default that lookup travels the internet in plain text, visible to your ISP, your network administrator, and anyone performing a man-in-the-middle attack. DNS over HTTPS fixes that. Here is everything you need to know.
The Problem: Your DNS Queries Are Exposed
When you type example.com into your browser, the first thing that happens is a DNS query: your device asks a resolver “what is the IP address of example.com?” Traditional DNS uses UDP port 53, and that traffic is completely unencrypted. Anyone watching the network - your ISP, a coffee shop router, a government interceptor - can see exactly which domains you look up, even if the site itself uses HTTPS.
This creates several concrete privacy and security problems:
- ISP surveillance: Your internet service provider can log every domain you query and sell that data to advertisers, or hand it to authorities on request.
- DNS hijacking: Attackers on the same network can intercept DNS responses and redirect you to malicious servers, even for sites you trust. This is the backbone of many phishing attacks on public Wi-Fi.
- Censorship: Governments and network operators can block domains simply by poisoning DNS responses. Traditional DNS has no authentication mechanism, so clients cannot tell if a response is genuine.
- Tracking: Advertising networks and analytics platforms correlate DNS queries with browsing profiles, even when you use incognito mode.
In 2020, Cloudflare reported that 62% of DNS queries it observed were still sent in plain text. Even users on HTTPS-only sites leaked their browsing intent through unencrypted DNS.
What Is DNS over HTTPS (DoH)?
DNS over HTTPS (DoH), standardised in RFC 8484 (2018), solves the exposure problem by wrapping DNS queries inside standard HTTPS requests. Instead of sending a raw DNS packet to port 53, your device sends an HTTP POST or GET request to a DoH resolver endpoint over port 443 - the same port used for all web traffic.
From a network observer's perspective, a DoH query looks identical to any other HTTPS connection. They can see that you connected to 1.1.1.1 or dns.google, but they cannot read the contents of the query, and they cannot determine which domain you looked up.
DoH vs DoT: What Is the Difference?
There is a closely related standard called DNS over TLS (DoT), defined in RFC 7858. Both encrypt DNS traffic, but they differ in implementation:
- DoT uses a dedicated port (853). It is easy for network administrators to identify and block, but also easy to monitor that it is working correctly.
- DoH uses port 443, blending in with regular HTTPS. It is harder to block, but also harder to inspect at the network level - which is why some enterprise security teams prefer DoT for managed environments.
For end users on personal devices, DoH is generally the better choice because it is widely supported in browsers and operating systems without any additional configuration.
How DoH Works: A Technical Walkthrough
Here is what happens when you visit a website with DoH enabled:
- You navigate to https://example.com
- Your browser recognises it needs the IP for example.com
- Instead of sending a plain UDP packet, it constructs an HTTPS request: GET https://cloudflare-dns.com/dns-query?name=example.com&type=A
- The DoH resolver responds with a JSON or DNS wire-format response over the encrypted HTTPS connection
- Your browser extracts the IP address and establishes the connection to example.com
The entire query-response cycle is encrypted with TLS 1.3, providing the same confidentiality guarantees as your online banking session. The DoH resolver does see your query (you must trust your resolver), but your ISP and network intermediaries do not.
# Example DoH query using curl (application/dns-json)
curl -s "https://cloudflare-dns.com/dns-query?name=example.com&type=A" \
-H "Accept: application/dns-json" | python3 -m json.tool
# Response includes:
# {
# "Status": 0,
# "Answer": [{"name": "example.com", "type": 1, "TTL": 3600, "data": "93.184.216.34"}]
# }
Popular DoH Providers
These are the most widely used and trusted DoH resolvers:
- Cloudflare (1.1.1.1): https://cloudflare-dns.com/dns-query - Privacy-first, no query logging after 24 hours, audited annually. Fastest resolver in most regions.
- Google Public DNS: https://dns.google/dns-query - Highly reliable, global anycast network. Logs queries for security analysis (see their privacy policy).
- NextDNS: https://dns.nextdns.io/your-id - Configurable filtering, parental controls, per-device analytics. Free tier available.
- Quad9 (9.9.9.9): https://dns.quad9.net/dns-query - Blocks known malicious domains using threat intelligence feeds. Non-profit operated.
- AdGuard DNS: https://dns.adguard.com/dns-query - Built-in ad and tracker blocking at the DNS level.
Step-by-Step: How to Enable DoH
Google Chrome
- Open Chrome and navigate to chrome://settings/security
- Scroll to Advanced → Use secure DNS
- Select With: Custom and enter your preferred DoH URL (e.g., https://cloudflare-dns.com/dns-query)
- Click outside the field - Chrome saves automatically
Mozilla Firefox
- Open Firefox and navigate to about:preferences#general
- Scroll to the bottom and click Settings... under Network Settings
- Check Enable DNS over HTTPS
- Choose a provider or enter a custom URL
- Click OK
Microsoft Edge
- Navigate to edge://settings/privacy
- Find Security → Use secure DNS to specify how to look up the network address for websites
- Toggle it on and choose a provider
macOS (System-wide via Profile)
macOS does not natively expose a DoH setting in System Preferences. The most reliable approach is installing a configuration profile. Cloudflare provides a ready-to-install profile:
# Download Cloudflare's DoH profile for macOS
# Visit: https://1.1.1.1/family/ or https://developers.cloudflare.com/1.1.1.1/setup/macos/
# Install the .mobileconfig file and approve it in System Preferences > Profiles
Alternatively, NextDNS provides a macOS app that sets up DoH system-wide with a single click.
Windows 11
- Open Settings → Network & Internet → Wi-Fi (or Ethernet) → your connection
- Click Edit next to DNS server assignment
- Switch to Manual, enter 1.1.1.1 as Preferred DNS, set DNS over HTTPS to On (automatic template)
- Save
Router-Level DoH (Protects All Devices)
If you want DoH to apply to every device on your network (phones, smart TVs, IoT devices), configure it on your router. The exact steps depend on your router firmware, but the pattern is the same:
# On routers running OpenWrt, install stubby:
opkg install stubby
# Edit /etc/stubby/stubby.yml to add your DoH upstream resolver
# Restart stubby and point dnsmasq to 127.0.0.1:5453
For consumer routers, NextDNS has a dedicated router setup guide that works with most firmware including Asus Merlin, DD-WRT, and pfSense.
Verifying DoH Is Active
After enabling DoH, you should verify it is actually working. The simplest method:
- Visit https://1.1.1.1/help - Cloudflare shows whether your queries are encrypted
- Use dnsleaktest.com - runs multiple lookups and shows which resolvers handled them
- Use our DNS Lookup tool to query your own domain and see the resolver chain
If you see your ISP's resolver in the results, DoH is not active or is being bypassed at the OS level by another application.
Limitations and Trade-offs
DoH is not a complete privacy solution. Here is what it does and does not protect:
- It protects: The content of your DNS queries from your ISP and network observers
- It does not protect: Your IP address from the websites you visit, SNI (Server Name Indication) in TLS handshakes (though Encrypted Client Hello addresses this), or traffic metadata
- You still trust your resolver: Cloudflare or Google see your queries. Choose a resolver whose privacy policy you accept.
- Enterprise bypass: Corporate networks may use WPAD or DNS interception to bypass browser DoH settings. Check with your IT team before enabling DoH on work devices.
Frequently Asked Questions
Does DoH slow down my browsing?
Slightly, on the very first connection to the DoH resolver, because a TLS handshake must be established. After that, the connection is reused and query latency is comparable to standard DNS. In practice, Cloudflare's 1.1.1.1 DoH endpoint often returns results faster than most ISP resolvers because of its global anycast network. The overhead is imperceptible in normal browsing.
Will DoH break anything on my network?
For most home users, no. The one case where DoH can cause issues is if your router uses DNS-based split-horizon routing - where internal hostnames (like printer.local or VPN resources) resolve differently on your local network than on the public internet. In that case, DoH bypasses your local resolver and those internal names fail to resolve. Check whether your VPN client disables DoH automatically (most do).
Is DoH the same as a VPN?
No. A VPN encrypts all your traffic and hides your IP address from websites. DoH only encrypts DNS queries and hides them from your ISP - but the websites you visit still see your real IP. The two technologies are complementary: DoH prevents DNS leaks even inside a VPN tunnel, and many commercial VPNs now include DoH internally.
Can my ISP block DoH?
Technically yes - an ISP could block known DoH endpoints by IP. In practice, very few do, because DoH traffic runs over port 443 alongside all other HTTPS traffic, making blanket blocking impractical without breaking websites. Some highly restrictive networks (corporate or government) do block specific DoH resolver IPs, which is why having a fallback or using a lesser-known resolver can help.
Does enabling DoH in Chrome protect other apps?
No. Browser-level DoH only protects queries made by that browser. Other apps - your mail client, command-line tools, games - use the operating system resolver, which may still use unencrypted DNS. For full coverage, configure DoH at the OS level (Windows 11, macOS profile) or at the router level.
What is Encrypted Client Hello (ECH) and how does it relate?
Even with DoH, your TLS handshake still leaks the target hostname via the Server Name Indication (SNI) field. Encrypted Client Hello (ECH), formerly ESNI, is a newer TLS extension that encrypts the SNI field, hiding the target domain from network observers. When combined with DoH, ECH closes most of the remaining metadata leakage. Firefox and Cloudflare began rolling out ECH support in 2023; check Cloudflare's ECH status page for current browser support.
The Bottom Line
DNS over HTTPS is one of the simplest, highest-impact privacy improvements you can make. It takes less than two minutes to enable in Chrome or Firefox, costs nothing, and protects one of the most persistent privacy leaks in modern networking. Pair it with a trustworthy resolver (Cloudflare for privacy, Quad9 for malware blocking, NextDNS for custom filtering), verify it is working, and you have meaningfully reduced your exposure to ISP surveillance and DNS hijacking attacks.
Usman has 10+ years of experience securing enterprise infrastructure, managing high-traffic servers, and building zero-knowledge security tools.