DNS over HTTPS (DoH)

What Is DNS over HTTPS

DNS over HTTPS (DoH) is a technology that encrypts DNS queries - which were traditionally sent in plaintext - using the HTTPS protocol. Standardized in RFC 8484, it has been implemented in major browsers since around 2020.

Traditional DNS communication is sent in plaintext over UDP/TCP on port 53, making it easy for ISPs, network administrators, or attackers on the same network to intercept which domains you are visiting. DoH encrypts DNS queries by sending them over HTTPS on port 443, making them indistinguishable from regular web traffic.

Differences Between DoH and DoT

In addition to DoH, there is another DNS encryption method called DoT (DNS over TLS).

  • DNS over HTTPS (DoH): Uses port 443. Blends in with regular HTTPS traffic, making it difficult for network administrators to block. Can be configured per browser.
  • DNS over TLS (DoT): Uses dedicated port 853. Identifiable as DNS traffic by port number. Configured at the OS level, applying to all applications.

From a privacy perspective, DoH has the advantage of concealing the very existence of DNS traffic. On the other hand, for enterprise network administrators, DoT is easier to identify and control.

How to Set Up DoH in Major Browsers

DoH can be easily enabled in major browsers.

  • Firefox: Settings → Privacy & Security → "DNS over HTTPS" section to enable. Cloudflare's DoH server is selected by default. A custom URL can also be specified.
  • Chrome: Settings → Privacy and Security → Security → Enable "Use secure DNS." If your ISP's DNS supports DoH, it will automatically switch to DoH.
  • Edge: Same steps as Chrome. Settings → Privacy, search, and services → Security → "Use secure DNS."
  • Safari: DoH is enabled via a configuration profile in macOS/iOS settings. There is no browser-level setting.

Configuring DoH at the OS level encrypts DNS traffic for all applications, not just the browser. On Windows 11, you can specify a DoH-compatible server under "Settings → Network & Internet → DNS server assignment."

Considerations and Debates Around DoH

While DoH improves privacy, it has sparked several debates.

  • Concentration on DNS providers: Enabling DoH concentrates DNS queries on a few providers like Cloudflare and Google. Critics argue this merely shifts the knowledge of "who is viewing what" from the ISP to the DNS provider.
  • Conflicts with enterprise networks: If an organization uses DNS filtering to block access to malware sites, DoH may bypass that filtering.
  • Impact on parental controls: If DNS-based content filtering is configured on a home router, devices with DoH enabled will bypass the filtering.

When using a VPN alongside DoH, the ideal setup is to use the VPN provider's DNS server with DoH. This minimizes the risk of DNS leaks while also ensuring DNS traffic is encrypted.

To learn more about this topic, see What Is DNS over HTTPS (DoH)? How It Works and How to Set It Up.

Common Misconceptions

  • "Enabling DoH encrypts all your traffic": DoH only encrypts the DNS query portion. The actual communication with websites is handled by HTTPS (TLS). Additionally, the destination IP address is still visible on the network, so DoH does not provide complete anonymity.
  • "Using DoH hides everything from your ISP": While DoH hides domain name queries, the destination IP address remains visible to your ISP. The domain name is also sent in plaintext in the SNI (Server Name Indication) field of the TLS handshake. Fully hiding it requires the adoption of ECH (Encrypted Client Hello).

DoH vs. DoT Comparison

  • DNS over HTTPS (DoH): Port 443. Blends with HTTPS traffic, hard to block. Configurable per browser. Conceals the existence of DNS traffic.
  • DNS over TLS (DoT): Port 853. Identifiable as DNS traffic. Applied to all apps at the OS level. Easier for network administrators to control.
