DNS over HTTPS (DoH) Explained
What DNS over HTTPS is, how it encrypts DNS queries over HTTPS, how DoH compares to DoT and traditional DNS, and how to enable it in your browser or system.
Every time you visit a website, your browser sends a DNS query to look up the IP address for that domain. Traditionally, this query travels in plain text over port 53. Anyone on the network path (your ISP, a coffee shop's WiFi operator, a government agency monitoring traffic) can see exactly which domains you are looking up. DNS over HTTPS (DoH) addresses this by carrying DNS queries inside encrypted HTTPS connections, so an on-path observer sees only an HTTPS session to the resolver rather than the names being looked up. For a broader look at how DNS resolution works, see our DNS guide.
How Traditional DNS Exposes Your Browsing
Standard DNS uses unencrypted UDP (or TCP) packets on port 53. When your computer resolves example.com, it sends a query to a recursive resolver (often your ISP's resolver) in plain text. The response comes back in plain text. Every device between you and the resolver can read both the query and the response.
This is a privacy problem. Your ISP can log every domain you visit. A network operator can build a profile of your browsing habits. In some countries, ISPs are required to log DNS queries and provide them to authorities. Even if the website itself uses HTTPS, the DNS lookup that happens before the connection is unencrypted.
It is also a security problem. Because DNS traffic is unauthenticated and unencrypted, an attacker on the network path can modify responses. This is one mechanism behind DNS hijacking.
What DNS over HTTPS Is
DoH is a protocol that sends DNS queries and responses inside HTTPS (HTTP/2 or HTTP/3) connections to a DoH-compatible resolver. From a network perspective, DoH traffic looks identical to regular HTTPS web traffic on port 443. There is no separate port or protocol that distinguishes it.
The resolver operates an HTTPS endpoint (for example https://cloudflare-dns.com/dns-query) that accepts DNS queries in standard DNS wire format, carried with the media type application/dns-message. That wire format is the only encoding RFC 8484 defines; some resolvers additionally offer a non-standard JSON API. The client sends the query, the resolver processes it and returns the response, all within the encrypted HTTPS connection.
Because the connection uses TLS, the DNS data is encrypted in transit and the resolver is authenticated by its certificate. A network observer can see that you are connecting to the DoH resolver's IP address (and, unless Encrypted Client Hello is in use, the resolver's hostname in the TLS SNI), but cannot see which domains you are looking up.
How DoH Works Step by Step
The DNS resolution process with DoH replaces only the link between your device and the recursive resolver. The rest of the resolution chain is unchanged.
- Your application (browser or OS) establishes a TLS connection to the DoH resolver.
- It sends an HTTP POST or GET request containing the DNS query to the resolver's DoH endpoint.
- The resolver performs standard recursive resolution (querying root servers, TLD servers, and authoritative servers) on your behalf.
- The resolver returns the DNS response inside the HTTPS response.
- Your application uses the resolved IP to connect to the website.
The recursive resolution between the DoH resolver and authoritative servers still happens over traditional DNS in most cases. DoH protects the first hop (you to the resolver), not the entire resolution chain.
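The exchange above in code, as an added example that is not part of the original page or any provider's client: it builds a wire-format query for example.com, encodes it both as an RFC 8484 GET URL (base64url, padding stripped, in the dns parameter) and as a POST request with the application/dns-message media type, and parses a response. The response bytes are constructed here to stand in for what the resolver returns inside the HTTPS body (the 203.0.113.10 address is TEST-NET, not a real record), so the code runs offline; the live lookup against the Cloudflare endpoint named on the page is left commented out. The query sets the AD bit so a validating resolver reports whether the answer passed DNSSEC validation, which is the status the Security Considerations section says DoH alone cannot provide.

```python
import base64
import struct
import urllib.request

# DoH endpoint named on the page. Everything else below is the example's own code.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"

# DNS header flag bits (RFC 1035 / RFC 4035)
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: resolver DNSSEC-validated the answer
RCODE_MASK = 0x000F


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format query. RFC 8484 recommends ID 0 so identical queries share
    an HTTP cache key; RD asks for recursion, AD asks for validation status."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form: base64url (RFC 4648 section 5) with '=' padding removed."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"


def doh_post_request(endpoint: str, query: bytes) -> urllib.request.Request:
    """POST form: the raw wire-format message is the request body."""
    return urllib.request.Request(
        endpoint, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section, decode answer records."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record -> dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & RCODE_MASK,
            "dnssec_validated": bool(flags & FLAG_AD), "answers": answers}


# Constructed response (not captured traffic): QR|RD|RA|AD set, one A record
# for example.com pointing at a TEST-NET-3 address, name compressed to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    query = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, query))
    # Live lookup over the network (uncomment to run against the real endpoint):
    # with urllib.request.urlopen(doh_post_request(DOH_ENDPOINT, query), timeout=5) as r:
    #     print(parse_response(r.read()))
    print(parse_response(SAMPLE_RESPONSE))
```

Two details worth noticing: the GET form must strip the base64 padding, because a literal "=" in the query string is not what RFC 8484 specifies and some resolvers reject it; and the AD bit in the response only tells you that the resolver claims to have validated the record, so a client that does not trust its resolver must validate the DNSSEC chain itself.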
DoH vs DNS over TLS (DoT)
DNS over TLS (DoT) is another encrypted DNS protocol. It predates DoH and takes a different approach.
| Feature | DoH | DoT |
|---|---|---|
| Port | 443 (HTTPS) | 853 (dedicated) |
| Protocol | HTTPS (HTTP/2 or HTTP/3) | TLS |
| Network visibility | Blends with web traffic | Identifiable on dedicated port |
| Blocking | Hard to block without breaking HTTPS | Easy to block port 853 |
| Standardized | RFC 8484 (2018) | RFC 7858 (2016) |
| Primary use | Browsers, applications | Operating systems, resolvers |
The key practical difference is that DoH is harder to block by port alone. Because it uses port 443, blocking the port means blocking HTTPS, which breaks the web; administrators must instead block the resolver's IP addresses or TLS server name, which only works for resolvers they already know about. DoT uses a dedicated port (853) that can be blocked by a firewall without affecting other traffic.
DoT is technically simpler and has slightly less overhead because it skips the HTTP layer. Many DNS resolver operators and OS-level implementations prefer DoT for this reason. Android's "Private DNS" feature, for example, uses DoT.
Both protocols provide the same level of encryption and privacy for the link between client and resolver. The choice between them depends on your use case and environment.
DoH vs Traditional DNS
| Aspect | Traditional DNS | DoH |
|---|---|---|
| Encryption | None (plain text) | TLS encryption |
| Privacy | Queries visible to network observers | Queries hidden from network observers |
| Authentication | None | Resolver authenticated by its TLS certificate (the DNS data itself still needs DNSSEC) |
| Port | 53 (UDP/TCP) | 443 (HTTPS) |
| Performance | Minimal overhead | Slight TLS/HTTP overhead (mitigated by connection reuse) |
| Compatibility | Universal | Requires DoH-capable client and resolver |
Performance is often cited as a concern, but in practice, the overhead is minimal. DoH connections are persistent (HTTP/2 multiplexing), so the TLS handshake cost is amortized across many queries. Major DoH providers have invested heavily in low-latency infrastructure.
Who Provides DoH
Several major organizations operate public DoH resolvers. The most widely used options include:
Cloudflare (1.1.1.1) operates https://cloudflare-dns.com/dns-query. It is one of the fastest public resolvers and was among the first to support DoH. Cloudflare commits to not logging your IP address to disk and purging query logs within 24 hours.
Google (8.8.8.8) operates https://dns.google/dns-query. Google Public DNS has been running since 2009 and added DoH support in 2019. Google logs some query data but provides a detailed privacy policy explaining what they retain.
Quad9 (9.9.9.9) operates https://dns.quad9.net/dns-query. Quad9 is a nonprofit that also provides threat-blocking, filtering out known malicious domains. It does not log personally identifiable information.
NextDNS offers customizable filtering with a DoH endpoint. You can configure ad blocking, tracker blocking, and parental controls at the DNS level while still encrypting queries.
For a broader comparison of resolver options, see our public DNS providers guide.
Browser Support
All major browsers now support DoH natively.
Firefox shipped DoH support in 2018 and was the first major browser to enable it by default, rolling it out to US users starting in 2019. It defaults to Cloudflare in the US and can be configured to use any DoH provider. Its default mode tries DoH first and falls back to the system resolver if the DoH lookup fails.
Chrome (and Chromium-based browsers like Edge and Brave) automatically upgrades to DoH if your configured system DNS provider offers a DoH endpoint. If you use Google DNS (8.8.8.8) as your system resolver, Chrome will use Google's DoH endpoint. It does not change your resolver; it only upgrades the transport.
Safari has no DoH setting of its own. On macOS and iOS, encrypted DNS is configured system-wide (iOS 14 and macOS Big Sur or later) through a configuration profile or an app; Apple calls it "Encrypted DNS" and supports both DoH and DoT.
Enterprise Concerns
DoH is not universally welcomed. Enterprise network administrators and security teams have legitimate concerns about it.
DNS-based filtering breaks. Many organizations use DNS to enforce security policies, block malicious domains, filter inappropriate content, or log network activity. If endpoints use DoH to bypass the local DNS resolver, these controls stop working. This is why some organizations block known DoH resolver IPs at the firewall or deploy internal DoH resolvers.
Visibility decreases. Security teams that monitor DNS logs for threat detection lose visibility when queries go to an external DoH resolver. DNS logs are valuable for detecting malware command-and-control traffic, data exfiltration, and compromised devices.
Split DNS breaks. Organizations that use split-horizon DNS (resolving internal domains differently than external ones) need clients to use the internal resolver. DoH bypass can cause internal services to become unreachable.
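The visibility problem cuts both ways: the same logs that lose DNS content still show who is talking to a public DoH resolver. The following detection logic is an added example (not from the page or any vendor) that runs over constructed firewall log lines and flags endpoints bypassing the corporate resolver. It assumes a corporate resolver at 10.0.0.53 and a simple space-separated log format in which the last field is the DNS query name (port 53) or the TLS SNI (port 443); the resolver hostnames and IPs it matches are the ones named on this page. It reports four signals: a TLS SNI naming a known DoH endpoint, an HTTPS connection to a public resolver's IP, a lookup of a DoH endpoint's hostname through the corporate resolver (the bootstrap step before a client can connect), and plain port 53 traffic to anything other than the corporate resolver.

```python
from collections import defaultdict

# Assumption for this example (not from the page): the corporate resolver's address.
CORP_RESOLVER = "10.0.0.53"
# Public DoH endpoints and resolver addresses named on the page.
DOH_HOSTNAMES = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
PUBLIC_RESOLVER_IPS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}

# Constructed log lines, not real traffic. Fields: ts src dst dport proto key=value
# where value is the queried name (port 53) or the TLS server name (port 443).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.1.2.10 10.0.0.53 53 udp query=intranet.corp.example
2024-05-01T09:00:02Z 10.1.2.10 10.0.0.53 53 udp query=dns.google
2024-05-01T09:00:03Z 10.1.2.10 8.8.8.8 443 tcp sni=dns.google
2024-05-01T09:00:04Z 10.1.2.11 1.1.1.1 53 udp query=example.com
2024-05-01T09:00:05Z 10.1.2.12 10.0.0.53 53 udp query=www.example.com
2024-05-01T09:00:06Z 10.1.2.12 203.0.113.80 443 tcp sni=www.example.com
2024-05-01T09:00:07Z 10.1.2.13 203.0.113.50 443 tcp sni=cloudflare-dns.com
"""


def parse_line(line: str) -> dict:
    """Split one log line into a record; the key=value field becomes its own key."""
    ts, src, dst, dport, proto, detail = line.split()
    key, _, value = detail.partition("=")
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, key: value.lower().rstrip(".")}


def classify(rec: dict) -> list:
    """Return the DoH / resolver-bypass signals present in a single record."""
    findings = []
    if rec["dport"] == 443:
        sni = rec.get("sni", "")
        if sni in DOH_HOSTNAMES:
            findings.append(f"doh_sni:{sni}")
        if rec["dst"] in PUBLIC_RESOLVER_IPS:
            # 1.1.1.1 etc. serve DoH on 443 as well as plain DNS on 53, so an
            # HTTPS session to them is DoH even when the SNI is missing or hidden.
            findings.append(f"https_to_resolver_ip:{rec['dst']}")
    elif rec["dport"] == 53:
        if rec["dst"] != CORP_RESOLVER:
            findings.append(f"plain_dns_bypass:{rec['dst']}")
        if rec.get("query") in DOH_HOSTNAMES:
            findings.append(f"doh_bootstrap_lookup:{rec['query']}")
    return findings


def analyze(log_text: str) -> dict:
    """Map each source host to the set of signals seen for it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for finding in classify(rec):
            hits[rec["src"]].add(finding)
    return dict(hits)


if __name__ == "__main__":
    for host, findings in sorted(analyze(SAMPLE_LOG).items()):
        print(host, sorted(findings))
```

The SNI rule disappears once clients use Encrypted Client Hello, and the hostname rules only cover resolvers on the list, which is why the address-based rule and the plain-DNS bypass rule are the ones that keep working; 10.1.2.12, which used the corporate resolver and then visited an ordinary site, produces no finding.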
Enterprise DoH is possible
The solution for enterprises is not to block DoH entirely but to deploy internal DoH resolvers. This gives employees the privacy benefits of encrypted DNS on external networks while maintaining organizational control and visibility on the corporate network. Browsers also cooperate with managed networks: Chrome's automatic upgrade only applies when the system resolver is one of its known DoH providers, so clients pointed at the corporate resolver stay on it, and Firefox turns off its default DoH when the network's resolver answers the canary domain use-application-dns.net with NXDOMAIN.
How to Enable DoH
In Your Browser
Firefox: Go to Settings, search for "DNS", and click the DNS over HTTPS settings. Choose a provider or enter a custom DoH URL.
Chrome: Go to Settings > Privacy and Security > Security > Use secure DNS. Choose a provider from the list or enter a custom URL.
Edge: Go to Settings > Privacy, search, and services > Security > Use secure DNS. Same interface as Chrome.
On Your Operating System
Windows 11: Go to Settings > Network & Internet > your connection > DNS server assignment > Edit. Enter a DoH-capable DNS server IP and select "Encrypted only (DNS over HTTPS)."
macOS: Use a configuration profile or a third-party tool like dnscrypt-proxy to configure system-wide DoH.
Android: Settings > Network & Internet > Private DNS. Enter a DoT hostname (the Private DNS setting takes a DoT hostname, not a DoH URL). For DoH, use a third-party app.
iOS: Install a DNS profile from your provider (Cloudflare's 1.1.1.1 app, for example) to enable system-wide encrypted DNS.
Security Considerations
DoH encrypts the transport but does not validate the DNS data itself. It prevents eavesdropping and tampering on the link between you and the resolver, but if the resolver itself is compromised or returns incorrect data, DoH won't help. For data authentication, you need DNSSEC, which is a complementary technology. The strongest configuration uses both: DoH for transport encryption and DNSSEC for data validation. See our DNS security guide and DNS security best practices for a complete defense strategy.
DoH also concentrates trust in the DoH resolver. If everyone uses the same two or three resolvers, those providers gain significant visibility into global browsing patterns, even if they promise not to log. Choosing a trustworthy provider matters.
References
- RFC 8484 - DNS Queries over HTTPS (DoH)
- Cloudflare - DNS over HTTPS
- Google - DNS over HTTPS
- Mozilla Wiki - DNS over HTTPS