What Is DNS over HTTPS (DoH)? How It Works and How to Set It Up

Last updated: 2025-12-14


What Is DNS over HTTPS?

DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by transmitting them over the HTTPS protocol. Traditional DNS communication occurs in plaintext, allowing ISPs, network administrators, and malicious third parties to easily intercept and monitor which websites a user visits. DoH fundamentally addresses this problem by protecting DNS query content through encryption.

Standardized as RFC 8484 in 2018, DoH leverages existing HTTPS infrastructure, making it difficult for firewalls to selectively block DNS traffic. Because it uses the same port 443 as regular web traffic, distinguishing DoH from ordinary HTTPS connections is technically challenging.

A DNS leak occurs when DNS queries are exposed in plaintext even while using a VPN. Combining DoH with your VPN significantly reduces this risk.

The Privacy Problems with Traditional DNS

The Domain Name System (DNS) is a foundational component of the internet, but security and privacy were not considered in its original 1983 design.

Plaintext Interception Risks

Traditional DNS queries use UDP port 53 and are transmitted entirely in plaintext. This means anyone along the network path can observe which domains a user is accessing.

  • ISPs can log every DNS query and build a complete browsing history for each user
  • On public Wi-Fi, attackers on the same network can intercept DNS queries
  • State-level surveillance agencies can collect DNS data at scale as one of the easiest sources of internet activity information

DNS Spoofing and Tampering

Unencrypted DNS communication is also vulnerable to tampering. Attackers can forge DNS responses to redirect users to malicious sites, a technique known as DNS spoofing that is also used in phishing attacks.

  • Man-in-the-middle (MITM) attacks that alter DNS responses
  • DNS cache poisoning for large-scale redirection
  • ISP DNS hijacking (redirecting non-existent domains to advertising pages)

Censorship and Content Filtering

Some countries and organizations use DNS-based content blocking. By intercepting or redirecting DNS queries for specific domains, they can restrict user access to certain websites and services.

How DoH Works: Technical Details

DoH achieves encryption by encapsulating DNS queries as HTTPS requests. For readers interested in the underlying protocol mechanics, a deep dive into DNS protocols provides valuable background.

Communication Flow

  1. The browser or operating system generates a DNS query
  2. The query is encoded in DNS wire format
  3. The encoded query is sent as an HTTPS POST (or GET) request to the DoH server
  4. The DoH server performs DNS resolution and returns the result as an HTTPS response
  5. The browser or OS decodes the response and obtains the IP address
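To make the five steps concrete, here is an added example (not code from this article) that performs steps 2, 3 and 5 offline in Python: it encodes an A query in wire format, forms the RFC 8484 GET path, and parses a constructed response that stands in for a real resolver's answer (step 4). The www.example.com query yields the same base64url string that RFC 8484 uses in its own GET example; the IP address in the constructed reply is made up.

```python
import base64
import struct

def build_query(name, qid=0):
    """Step 2: encode an A query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(x)]) + x.encode("ascii") for x in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def doh_get_path(query):
    """Step 3 (GET form): RFC 8484 carries the query in ?dns= as unpadded base64url."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def constructed_response(query, ip):
    """Constructed stand-in for the resolver's reply (step 4): same ID, one A record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # name = pointer to offset 12
    return header + query[12:] + answer + bytes(int(o) for o in ip.split("."))

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: rest of the name lives elsewhere
            rest, _ = read_name(msg, ((length & 0x3F) << 8) | msg[off + 1])
            return ".".join(labels + [rest]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(resp):
    """Step 5: check the header, skip the question, collect A-record addresses."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off, addrs = 12, []
    for _ in range(qdcount):
        _, off = read_name(resp, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(ancount):
        _, off = read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs
```

A real client would send the path from doh_get_path over HTTPS with the Accept header application/dns-message, or POST the raw query bytes with that Content-Type, then hand the response body to parse_a_records.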

Protocol and Port

DoH uses TCP port 443, the same as HTTPS. TLS 1.3 encryption is applied, so on-path third parties cannot read the query or response content. The same HTTPS/TLS encryption technology used for web browsing is applied directly to DNS communication, ensuring equivalent security.

DoH vs. DNS over TLS (DoT)

Besides DoH, DNS over TLS (DoT) is another DNS encryption technology. Here are the key differences:

  • DoH: Uses HTTPS (port 443). Difficult to distinguish from regular web traffic, making it harder to block
  • DoT: Uses dedicated port 853. Easier for network administrators to identify and control DNS traffic
  • DoH: Can be configured at the browser level. Easy to deploy on a per-application basis
  • DoT: Typically configured at the OS level. Can encrypt DNS for the entire system
  • DoH: May offer performance advantages through HTTP/2 and HTTP/3 multiplexing
  • DoT: Lower protocol overhead and simpler implementation

Setting Up DoH in Major Browsers

All major browsers now support DoH. Here are the setup instructions for each.

Google Chrome

  1. Enter chrome://settings/security in the address bar
  2. Enable "Use secure DNS" in the Security section
  3. Select "With Custom" and choose from Cloudflare, Google, Quad9, or other providers
  4. Chrome 125 and later also support integration with ECH (Encrypted Client Hello)

Mozilla Firefox

  1. Go to "Settings" → "Privacy & Security"
  2. In the "DNS over HTTPS" section, select "Max Protection"
  3. Choose your provider (Cloudflare is the default)
  4. Firefox has had DoH enabled by default for US users since 2020 and expanded coverage to additional regions in 2025

Microsoft Edge

  1. Navigate to edge://settings/privacy
  2. Enable "Use secure DNS to specify how to look up the network address for websites" in the Security section
  3. Select your preferred service provider

Apple Safari

Safari on macOS 15 and iOS 18 and later uses system-level encrypted DNS settings. Configure via "System Settings" → "Network" → "DNS." Apple also provides its own encrypted DNS through iCloud Private Relay.

Major DoH Providers

To use DoH, you need to select a trustworthy DoH provider. Here are the major providers and their characteristics.

Cloudflare (1.1.1.1)

  • Endpoint: https://cloudflare-dns.com/dns-query
  • Privacy policy: Query logs deleted within 24 hours. Annual audits conducted by KPMG
  • Features: Among the fastest response times globally. Also offers 1.1.1.2 with malware blocking

Google Public DNS (8.8.8.8)

  • Endpoint: https://dns.google/dns-query
  • Privacy policy: Temporarily logs full IP addresses but anonymizes within 24–48 hours
  • Features: High reliability and stability. Supports DNSSEC validation

Quad9 (9.9.9.9)

  • Endpoint: https://dns.quad9.net/dns-query
  • Privacy policy: Headquartered in Switzerland. Does not log IP addresses at all
  • Features: Automatic malware domain blocking via threat intelligence. Operated by a nonprofit organization

Choosing the Right Provider

Like choosing a VPN, selecting a DoH provider directly impacts your privacy. Review each provider's logging policy, organizational jurisdiction, and third-party audit status to find one that matches your privacy requirements.

Benefits and Concerns

Privacy and Security Improvements

  • DNS query encryption prevents ISPs and network administrators from monitoring browsing history
  • Protection against DNS spoofing and man-in-the-middle attacks
  • Reduced risk of DNS leaks
  • Improved security on untrusted networks such as public Wi-Fi
  • Effectiveness as a censorship circumvention tool

Concerns and Criticisms

  • May complicate security monitoring on enterprise networks
  • Parental controls and DNS-based content filtering may stop functioning
  • DNS queries become concentrated among a few major providers, creating new centralization risks
  • DoH encrypts domain names but does not hide the destination IP address itself
  • Some countries may regulate or restrict the use of DoH

Why DoH Alone Is Not Enough

While DoH encrypts DNS queries, additional measures are needed for comprehensive privacy protection. Tracking via browser fingerprinting and destination leakage through TLS handshake SNI (Server Name Indication) cannot be prevented by DoH alone. For thorough privacy protection, combining DoH with a VPN, the Tor Browser, and ECH (Encrypted Client Hello) is recommended. Those looking to build a layered defense strategy will find a guide to network privacy and encryption particularly useful.

Latest Developments in 2025–2026

DNS over QUIC (DoQ) Standardization

DNS over QUIC (DoQ), standardized as RFC 9250, has gained significant traction by early 2026. DoQ combines the encryption benefits of DoH with lower latency through QUIC's 0-RTT connection establishment. AdGuard DNS and Cloudflare now offer DoQ endpoints, and Android 15 added native DoQ support, making it a compelling alternative to both DoH and DoT for privacy-conscious users.

iCloud Private Relay DNS Integration

Apple's iCloud Private Relay has expanded its DNS privacy capabilities in 2025–2026, routing all DNS queries through its dual-hop relay architecture. This provides DoH-equivalent privacy without manual configuration for Apple device users. The integration with Oblivious DoH (ODoH) ensures that even Apple cannot correlate DNS queries with user identities.

ISP Encrypted DNS Adoption

Major ISPs worldwide have begun offering encrypted DNS services to their customers by early 2026. Comcast, BT, and NTT have deployed DoH and DoT resolvers, reducing the need for users to switch to third-party DNS providers. This shift was accelerated by regulatory pressure from the EU's NIS2 Directive and growing consumer privacy awareness, representing a fundamental change in the global privacy regulatory landscape.

DNSSEC + DoH Combined Deployment

The combination of DNSSEC (DNS Security Extensions) with DoH has become the recommended best practice by early 2026. While DoH encrypts DNS queries in transit, DNSSEC validates the authenticity of DNS responses. Together, they provide both confidentiality and integrity for DNS communication. Major DoH providers now enable DNSSEC validation by default.

Encrypted Client Hello (ECH) Integration

In 2025–2026, Cloudflare and Mozilla have achieved widespread deployment of ECH. ECH encrypts the SNI during the TLS handshake, and when combined with DoH, it completely conceals not only DNS queries but also the destination domain name. ECH is enabled by default in Chrome 130+ and Firefox 142+, with Safari adding support in macOS 15.3.

Oblivious DoH (ODoH) Progress

Oblivious DoH is a technology that hides the client's IP address even from the DoH provider. By routing queries through a proxy server, it separates "who" made the query from "what" was queried. Cloudflare's ODoH service has matured significantly, and the number of compatible clients has grown substantially through early 2026.

Practical Setup Checklist

Follow these steps to strengthen your DNS privacy:

  1. Check your current DNS settings on IP Check-san and test for DNS leaks
  2. Enable DoH in your browser (refer to the setup instructions above)
  3. Select a trustworthy DoH provider (verify their logging policy and jurisdiction)
  4. Run a DNS leak test to confirm DoH is working correctly
  5. If using a VPN, verify that VPN DNS settings and DoH settings are not conflicting
  6. Combine with a privacy-focused search engine to also protect your search queries
  7. Use an ECH-compatible browser and enable SNI encryption as well

Summary

DNS over HTTPS is a critical technology for improving internet privacy. It addresses the interception, tampering, and censorship risks inherent in traditional plaintext DNS communication through HTTPS encryption. Setting it up in major browsers takes just a few minutes, so if you haven't enabled it yet, now is the time. However, DoH alone cannot provide complete privacy protection; combining it with other technologies like VPNs and ECH for a defense-in-depth approach is essential.

For definitions of the technical terms used in this article, visit our glossary.
