
What Is DNS over HTTPS (DoH)? Encrypted DNS Explained

Tags: dns, doh, encryption, privacy, https

DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by sending them inside standard HTTPS traffic on port 443. Traditional DNS sends queries in plain text on port 53, meaning your ISP, network administrator, or anyone monitoring traffic can see every domain name you look up. DoH wraps those queries in the same encryption used by every HTTPS website, making DNS traffic indistinguishable from regular web browsing. It was standardized in RFC 8484 (2018) and is now supported by all major browsers and operating systems.

Why Standard DNS Is a Privacy Problem

Every time you type a website address or click a link, your device sends a DNS query. These queries contain the domain name you’re trying to reach. Standard DNS sends these queries in plain text on UDP port 53.

This means your ISP has a complete log of every domain you visit. Even if you’re using HTTPS and the actual page content is encrypted, your DNS queries show exactly where you went: facebook.com, reddit.com, therapist-near-me.com, job-search-website.com.

In many countries, ISPs are legally required to retain this data. In others, they sell it to advertisers. In some, government agencies collect it for surveillance. Regardless of the specifics, plain text DNS is a significant privacy gap.

DoH closes this gap by encrypting DNS queries so they look like regular HTTPS traffic. Your ISP sees you making HTTPS connections to a DNS resolver’s IP address, but can’t read the queries or responses.

How DoH Works

Instead of sending DNS queries as bare UDP packets, DoH:

  1. Establishes an HTTPS connection to a DoH resolver (e.g., https://cloudflare-dns.com/dns-query)
  2. Sends DNS queries as HTTP POST or GET requests within that encrypted connection
  3. Receives DNS responses as HTTP responses
  4. Caches the results normally

Queries and responses are carried either in DNS wire format (the same binary encoding used on port 53) or in a JSON encoding, depending on the implementation. They travel over port 443, the standard HTTPS port, which makes them indistinguishable from regular web traffic.

DoH vs DoT (DNS over TLS)

DNS over TLS (DoT) is an alternative encryption approach:

| Feature | DoH | DoT |
| --- | --- | --- |
| Port | 443 (HTTPS) | 853 (dedicated) |
| Traffic appearance | Looks like HTTPS browsing | Identifiable as DNS traffic |
| Blockability | Very hard to block | Easy to block (just block port 853) |
| Standardization | RFC 8484 | RFC 7858 |
| Browser support | Excellent | Limited (mostly OS-level) |
| Adoption | Higher (browser-native) | Lower |

DoH is harder to block because it shares port 443 with all other HTTPS traffic: blocking it by port would mean blocking HTTPS, which means blocking the web. DoT has its own port, so censors can block it trivially.

This is why DoH is preferred in environments with censorship, but it also raises concerns among enterprise network administrators who want visibility into DNS traffic for security monitoring. It’s a genuine tension between user privacy and network security.

How to Enable DoH

Firefox

Settings → Privacy & Security → DNS over HTTPS → select “Max Protection” and choose a provider (Cloudflare, NextDNS, or custom).

Chrome

Settings → Privacy and Security → Security → “Use secure DNS” → choose a provider.

Edge

Settings → Privacy, Search, and Services → Security → “Use secure DNS” → choose a provider.

Windows 11

Settings → Network & Internet → your connection → DNS server assignment → Edit → switch to “DNS over HTTPS” and enter a resolver that supports it.

System-wide (any OS)

Install a local DoH proxy like cloudflared or dnscrypt-proxy that runs a local DNS server, forwards queries via DoH, and returns the responses to your OS.

Major DoH Providers

| Provider | DoH Endpoint | Notes |
| --- | --- | --- |
| Cloudflare | https://cloudflare-dns.com/dns-query | Fastest, privacy-focused |
| Google | https://dns.google/dns-query | Well established |
| Quad9 | https://dns.quad9.net/dns-query | Malware blocking |
| NextDNS | https://dns.nextdns.io | Customizable filtering |
| AdGuard | https://dns.adguard.com/dns-query | Ad blocking |

Criticisms and Controversies

DoH isn’t universally loved. Legitimate criticisms include:

Centralization: If everyone uses Cloudflare’s DoH (which Firefox defaults to), it concentrates DNS data in one company’s hands. Previously, DNS was distributed across thousands of ISP resolvers.

Enterprise visibility: Corporate security teams use DNS monitoring to detect malware, data exfiltration, and policy violations. DoH bypasses these monitors if browsers handle DNS independently.

Parental controls: Some DNS-based parental control systems are defeated by DoH, since the browser resolves DNS outside the network’s configured resolver.

These are real concerns. The counterargument is that DNS was never designed for monitoring purposes, and building surveillance infrastructure into a naming protocol creates a privacy problem that affects everyone.
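An added example, not from the article, of what a network team can still observe once browsers resolve over DoH: the resolver's hostname in the TLS SNI field for DoH, and the dedicated port for DoT. It assumes a constructed comma-separated TLS log format and uses the provider endpoints listed above.

```python
from urllib.parse import urlparse

# DoH endpoints from the provider table in the article
DOH_ENDPOINTS = [
    "https://cloudflare-dns.com/dns-query",
    "https://dns.google/dns-query",
    "https://dns.quad9.net/dns-query",
    "https://dns.nextdns.io",
    "https://dns.adguard.com/dns-query",
]

def doh_resolver_hosts(endpoints=DOH_ENDPOINTS) -> set[str]:
    """Hostnames a DoH client presents in the TLS SNI field when it connects."""
    return {urlparse(e).hostname for e in endpoints}

def find_doh_connections(log_lines, hosts=None) -> list[tuple[str, str]]:
    """(src_ip, sni) for port-443 TLS sessions whose SNI is a known DoH resolver.
    Log format is constructed for this example: ts,src_ip,dst_ip,dst_port,sni"""
    hosts = hosts if hosts is not None else doh_resolver_hosts()
    hits = []
    for line in log_lines:
        fields = line.strip().split(",")
        if len(fields) != 5:
            continue  # malformed line: skip it rather than abort the sweep
        _ts, src, _dst, port, sni = fields
        if port == "443" and sni.lower() in hosts:
            hits.append((src, sni))
    return hits

def find_dot_connections(log_lines) -> list[str]:
    """src_ip for sessions to TCP 853: DoT is identifiable by its port alone."""
    return [f[1] for f in (line.strip().split(",") for line in log_lines)
            if len(f) == 5 and f[3] == "853"]

# Constructed sample TLS log (RFC 5737 test addresses), not real traffic
SAMPLE_TLS_LOG = [
    "1700000000,10.0.0.5,198.51.100.1,443,cloudflare-dns.com",
    "1700000001,10.0.0.5,198.51.100.2,443,www.example.com",
    "1700000002,10.0.0.7,198.51.100.3,443,dns.google",
    "1700000003,10.0.0.9,198.51.100.4,853,",
]
```

Only sessions to the listed public resolvers are matched; a client using a resolver not in the list blends in with ordinary HTTPS, which is exactly the visibility gap the criticism above describes.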


Frequently Asked Questions

Yes. Firefox, Chrome, Edge, Safari, and Brave all support DNS over HTTPS natively. Firefox enables it by default using Cloudflare. Chrome and Edge enable it automatically if your configured DNS server supports DoH.

Barely. DNS over HTTPS adds minimal overhead compared to standard DNS. The TLS handshake is reused for multiple queries, and HTTP/2 connection pooling keeps latency low. Most users won't notice any difference.

Your ISP can't see your DNS queries, but they can still see the IP addresses you connect to (since they route your traffic) and potentially the domain name in the TLS SNI field. DoH is one layer of privacy, not complete invisibility.