
DNS over HTTPS (DoH): What is it, and how does it work?

Traditional DNS sends every lookup in plain text. DNS over HTTPS (DoH) hides those queries inside encrypted HTTPS traffic. That single design tweak changes who can see where you go online and who can tamper with that data. This article explains what DoH is, how it works, and when to turn it on (or off).

July 30, 2025

10 min read

What is DNS over HTTPS?

DNS over HTTPS (DoH) encrypts your DNS traffic so no one can easily see which websites you're trying to visit. Instead of sending DNS queries to DNS servers in plain text, where ISPs, network admins, or bad actors can spy on them, DoH wraps them in HTTPS, the same protocol that secures your connection to websites.

That means your DNS requests get the same encryption and privacy protections as your online banking or shopping. It makes it much harder for anyone to snoop on your activity or tamper with your DNS data.

Traditional DNS queries are wide open by default. Anyone on the same network (or sitting between you and the DNS server) can intercept or manipulate your requests. That opens the door to attacks like DNS spoofing, MITM attacks, and simple surveillance. DoH shuts most of that down.

Mozilla Firefox was first out of the gate with DoH back in 2018. Since then, it's been picked up by Chrome, Windows, macOS, iOS, and Android. Most modern systems now support DoH to prevent eavesdropping and DNS data manipulation.

Disclaimer: It's important to note that under certain conditions, manually configuring DoH and using it alongside a VPN can cause DNS queries to bypass the VPN tunnel, making them readable to unauthorized parties, even when the VPN connection is active. While it does not occur on default configurations without adjusting DoH settings manually on browsers like Chrome, Edge, Brave, or Firefox, all of which have DoH enabled by default, it is to be expected when a user explicitly sets up DoH in their browser preferences. Based on the information above, users should stay vigilant and accept full responsibility for any manual configurations, which should be made solely at their own discretion.

How does DNS over HTTPS work?

DoH keeps the usual DNS steps but tunnels them through an HTTPS connection. Here's the quick flow:

  1. Your browser initiates a lookup. When you try to visit a website, the browser needs its IP address, so it creates a DNS query.
  2. The query gets wrapped in HTTPS. Instead of sending the packet in the clear on port 53, the browser tucks the DNS message inside an HTTPS request and encrypts it with TLS.
  3. The request is transmitted to a DoH-compatible resolver. The encrypted bundle travels over port 443 to a resolver that understands DoH (for example, Cloudflare, Google, Quad9).
  4. The resolver unwraps the package and answers. The resolver decrypts the request, looks up the IP address, and re-encrypts the response inside the same HTTPS connection.
  5. The browser unwraps the package and connects. Your device decrypts the reply, gets the IP address, and loads the site. From that point on, the whole session stays under standard HTTPS protection.
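To make the "wrapped in HTTPS" step concrete, here is an added example (not code from the article or from NordVPN) that builds a DNS query in wire format, encodes it both ways RFC 8484 allows (a base64url `dns=` GET parameter and a POST body with the `application/dns-message` media type), and parses the answer section of the reply. The resolver host `cloudflare-dns.com` and path `/dns-query` are assumed endpoint values; the response bytes are constructed inline so that the parsing runs offline, and only `resolve_over_doh` actually touches the network.

```python
"""Pieces of a DNS over HTTPS client (RFC 8484), standard library only.
Added example; cloudflare-dns.com and /dns-query are assumed endpoint values."""
import base64
import http.client
import ssl
import struct

DOH_HOST = "cloudflare-dns.com"   # assumption: any RFC 8484 resolver works here
DOH_PATH = "/dns-query"
QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_A, txid=0):
    """Encode a recursive DNS query in RFC 1035 wire format.
    RFC 8484 recommends ID 0 so identical questions give identical bytes
    (friendlier to HTTP caches)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(query):
    """RFC 8484 GET form: the wire query as base64url with padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{DOH_HOST}{DOH_PATH}?dns={encoded}"


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:            # compression pointer, RFC 1035 4.1.4
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(response):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):                         # skip the echoed question
        _, offset = _read_name(response, offset)
        offset += 4
    addresses = []
    for _ in range(an):
        _, offset = _read_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


def resolve_over_doh(name):
    """POST the wire query over TLS on port 443 (RFC 8484 section 4.1).
    Needs network access; the offline sample below does not call it."""
    conn = http.client.HTTPSConnection(DOH_HOST, 443, context=ssl.create_default_context())
    conn.request("POST", DOH_PATH, body=build_query(name), headers={
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
    })
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    ctype = (resp.getheader("Content-Type") or "").split(";")[0]
    if resp.status != 200 or ctype != "application/dns-message":
        raise RuntimeError(f"unexpected DoH reply: HTTP {resp.status}, {ctype!r}")
    return parse_a_records(data)


# Constructed sample reply: example.com A 93.184.216.34, answer name compressed.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80"                        # ID 0; QR=1 RD=1 RA=1 RCODE=0
    b"\x00\x01\x00\x01\x00\x00\x00\x00"        # 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"  # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01"                # name pointer to offset 12, A, IN
    b"\x00\x00\x0e\x10\x00\x04"                # TTL 3600, RDLENGTH 4
    b"\x5d\xb8\xd8\x22"                        # 93.184.216.34
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("GET form:", doh_get_url(q))
    print("answer:", parse_a_records(SAMPLE_RESPONSE))
```

Two things the flow description glosses over are visible here: the DNS message itself is unchanged (the same bytes would go out on port 53 in plain DNS), and the resolver signals a DoH reply through the HTTP status and `Content-Type` rather than through anything in the DNS header, which is why the client checks both before trusting the body.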

Should I use DNS over HTTPS? Pros and cons

Turning on DoH is one of the easiest online privacy upgrades you can make, but it's not always the right choice for every situation. It's always worth understanding the trade-offs before flipping the switch.

Pros

  • Real privacy. Your ISP, coffee shop Wi-Fi, and anyone running a packet sniffer can't read or tamper with your DNS queries.
  • Bypasses basic censorship. DNS-level blocks from schools, workplaces, or governments are easy to evade.
  • Integrity. MITM attacks like DNS spoofing are nearly impossible.
  • Encrypted in transit. Everything is shielded with TLS 1.3, the same encryption that protects banking and e-commerce.
  • No special ports. Works even on locked-down firewalls that only leave port 443 open.

Cons

  • Centralization risk. If everyone picks the same big-tech resolver, it puts a lot of power (and data) in one company's hands.
  • Complexity for admins. DoH bypasses traditional DNS filtering systems, so admins lose some level of control over DNS queries within their network.
  • Breaking parental controls. Many home filters rely on traditional DNS. Some DNS providers offer filtering by operating DoH servers, but it's not universal.
  • Latency overhead. A full TLS handshake adds milliseconds to the connection setup time, especially if the DNS server is far away.
  • Reduced network visibility. Since DoH encrypts DNS queries, security tools that inspect DNS logs may lose visibility.

Bottom line: If you value privacy and aren't relying on DNS-based tools for filtering or monitoring, DoH is usually worth turning on. Just make sure your resolver is trustworthy and you know how to turn it off if needed.

Most modern browsers support DoH out of the box. You don't need to install anything extra — just flip a switch in the settings, and you're good to go. You can configure DNS clients to use DoH from their DNS settings.

Chrome

  1. Go to "Settings" > "Privacy & security" > "Security."
  2. Scroll down to "Use secure DNS."
  3. Toggle "With your current provider" or specify a custom DoH hostname.

If your DNS provider supports DoH, Chrome automatically upgrades your DNS queries to use it with no extra setup required.

Firefox

  1. Go to "Settings" > "Privacy & security."
  2. Scroll to "DNS over HTTPS" and enable it.
  3. Choose between "Default protection," "Increased protection," or "Max protection."

Firefox was the first to roll out DoH and now enables it by default in the US, Canada, and parts of the EU.

Opera

  1. Go to "Preferences" > "System."
  2. Turn on "Use DNS-over-HTTPS instead of the system DNS."
  3. Pick Cloudflare or Google, or enter a custom DNS resolver URL such as https://dns10.quad9.net/dns-query.

Microsoft Edge

  1. Go to "Settings" > "Privacy, search, and services."
  2. Scroll to "Security" and toggle "Use secure DNS."
  3. Choose your current provider or a custom one.

How to enable DNS over HTTPS on different platforms

Browser settings only cover one app. If you want everything on your machine to use encrypted lookups, flip the switch at the OS level.

Windows 11

  1. Go to "Settings" > "Network & internet" > "Wi-Fi" or "Ethernet."
  2. Choose your active network, scroll to "DNS server assignment," and click "Edit."
  3. Enter the IP address of a DoH-ready DNS server.
    • For Cloudflare: 1.1.1.1 (preferred) and 1.0.0.1 (alternate).
    • For Google: 8.8.8.8 (preferred) and 8.8.4.4 (alternate).
  4. Change the "Preferred DNS encryption" setting to "Encrypted only (DNS over HTTPS)" for both IP addresses.

Note: If the resolver doesn't support DoH and you've chosen "Encrypted only," queries will fail rather than fall back to plaintext. You can also use "Encrypted preferred, unencrypted allowed." If you do, the DNS client will try to use DoH and fall back to unencrypted DNS queries if DoH fails.

Windows Group Policy

  1. Open Group Policy Management.
  2. Right-click the GPO for which you want to enable the setting and choose "Edit."
  3. Go to "Computer configuration" > "Policies" > "Administrative templates" > "Network" > "DNS client."
  4. Double-click "Configure DNS over HTTPS (DoH) name resolution" and set it to "Enabled."
  5. In the "Configure DoH options" section, pick "Allow DoH" (or "Require DoH" if you want no fallback).

Roll that GPO out, and every domain-joined device will inherit the setting automatically.

macOS 14 (Sonoma) and later

  1. Go to "System settings" > "Network" and click on your network's details.
  2. Under "DNS", click the "+" icon and choose a provider flagged as "Supports DoH."

Android 9 (Pie) and later

  1. Go to "Settings" > "Network & internet" > "Private DNS."
  2. Choose "Private DNS provider hostname" and enter, for example, "dns.google" or "dns.quad9.net."

iOS/iPadOS 17 and later

Apple lets you install an Encrypted DNS profile in two ways:

  • Downloading the profile from your chosen provider.
  • Using a mobile device management (MDM) system to push it fleet-wide.

How to test DNS over HTTPS and check your settings

Not sure if DoH is active or want to know what DNS you're actually using? It starts by answering the simple question: What is my DNS server?

You can check it by using:

  • Cloudflare's tool. Visit https://1.1.1.1/help to confirm if DoH is enabled and which DNS server is handling your requests.
  • DNSLeakTest.com. Check your current DNS provider and whether you're leaking unencrypted queries.
  • Command line. On Windows, open PowerShell and type: nslookup -type=txt doh.opendns.com. It'll reveal if you're using DoH and which resolver replied.
  • Network settings. Go to your device's DNS settings to see what DNS server is configured.
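Both the "Reduced network visibility" point in the cons list above and the leak check in this section come down to the same question: looking at the traffic leaving a host, which lookups are still plaintext on port 53, and which resolvers are reached over DoH or DoT? Here is an added example (not from the article) that answers it for a constructed firewall log. Each line carries timestamp, source, destination, destination port, protocol, and the TLS SNI (or "-"); the resolver hostnames and IPs are the ones named in the article plus 1.1.1.1 on port 853 for DoT. Note that DoH to a resolver that is not on the known list is classified as ordinary HTTPS, which is the visibility gap the cons list describes.

```python
"""Classify DNS-related flows from a constructed firewall log to see which
hosts still send plaintext DNS and which encrypted resolvers they use.
Added example; the log lines and resolver lists are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass

# Public resolvers the article names. An admin would replace these with the
# organisation's approved resolvers; anything else on 443 is invisible as DoH.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "dns10.quad9.net"}
KNOWN_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# Constructed sample: ts src dst dport proto sni
SAMPLE_LOG = """\
2025-07-30T09:00:01Z 10.0.0.5 8.8.8.8 53 udp -
2025-07-30T09:00:02Z 10.0.0.5 93.184.216.34 443 tcp example.com
2025-07-30T09:00:03Z 10.0.0.7 1.1.1.1 443 tcp cloudflare-dns.com
2025-07-30T09:00:04Z 10.0.0.7 93.184.216.34 443 tcp example.com
2025-07-30T09:00:05Z 10.0.0.9 203.0.113.10 443 tcp doh.example.net
2025-07-30T09:00:06Z 10.0.0.9 1.1.1.1 853 tcp -
2025-07-30T09:00:07Z 10.0.0.5 10.0.0.1 53 udp -
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    sni: str  # "" when the log recorded no TLS SNI


def parse_flows(text):
    """Parse the space-separated sample format; '-' means no SNI."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, sni = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto, "" if sni == "-" else sni))
    return flows


def classify(flow):
    """Label a flow by what a DNS-monitoring tool can still learn from it."""
    if flow.dport == 53:
        return "plaintext-dns"   # readable and tamperable on the wire
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot"             # dedicated port: easy to spot, easy to block
    if flow.dport == 443 and (flow.sni in KNOWN_DOH_HOSTS or flow.dst in KNOWN_RESOLVER_IPS):
        return "doh"             # recognisable only because the endpoint is known
    return "other"               # DoH to an unlisted resolver lands here, same as web traffic


def summarize(flows):
    """Per source host: plaintext query count, DoT count, DoH resolvers seen."""
    summary = defaultdict(lambda: {"plaintext_dns": 0, "dot": 0, "doh_resolvers": set()})
    for f in flows:
        kind = classify(f)
        entry = summary[f.src]
        if kind == "plaintext-dns":
            entry["plaintext_dns"] += 1
        elif kind == "dot":
            entry["dot"] += 1
        elif kind == "doh":
            entry["doh_resolvers"].add(f.sni or f.dst)
    return dict(summary)


def hosts_leaking_plaintext(summary):
    """Hosts that still emit port-53 queries although encrypted DNS was expected."""
    return sorted(host for host, e in summary.items() if e["plaintext_dns"] > 0)


if __name__ == "__main__":
    result = summarize(parse_flows(SAMPLE_LOG))
    for host, entry in sorted(result.items()):
        print(host, entry)
    print("hosts leaking plaintext DNS:", hosts_leaking_plaintext(result))
```

On the sample, 10.0.0.5 is the host that would fail a leak test (two port-53 queries, one of them to an external resolver), 10.0.0.7 resolves only through a known DoH endpoint, and 10.0.0.9 uses DoT on 853 while its connection to doh.example.net is indistinguishable from any other HTTPS session.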

Changing or disabling DNS over HTTPS

DoH is great for privacy, but it's not always what you need. Maybe you're troubleshooting a captive portal, using a local DNS filter like Pi-hole, or working with split DNS inside a VPN. In those cases, encrypted DNS can get in the way, and every platform gives you a way to turn it off:

  • Windows 11. Flip the "Encrypted only" selector back to "Unencrypted."
  • Chrome/Edge. Toggle "Secure DNS" to "Off."
  • Firefox. Choose "Off" or set "network.trr.mode = 5" in "about:config" to disable only on specific networks.
  • Group Policy. Choose "Prohibit DoH" in the above-described "DNS client" node.

DNS over HTTPS vs. DNS over TLS and other protocols

DoH isn't the only way to encrypt DNS traffic. DNS over TLS (DoT) does the same core job, but it takes a different route to get there. DoH sends DNS traffic inside standard HTTPS, blending in with regular web browsing. DoT, on the other hand, encrypts DNS at the transport layer over its own dedicated port, keeping it separate from your other internet traffic.

Both DoH and DoT rely on TLS, the modern replacement for SSL. If you're wondering about TLS vs. SSL, TLS (Transport Layer Security) is the newer, more secure protocol. SSL (Secure Sockets Layer) is deprecated and shouldn't be used in any modern encrypted DNS setup. All DoH and DoT connections use TLS 1.2 or 1.3 under the hood.

Then there's DNSSEC (Domain Name System Security Extensions), which doesn't encrypt your queries but adds cryptographic signatures to DNS records. It verifies the authenticity of the data and helps prevent attacks like DNS cache poisoning. It's not a privacy tool, but it's still an important security layer, especially on the resolver side.

And finally, DoQ (DNS over QUIC) is the newcomer. It combines the encryption of DoH with the speed of UDP (User Datagram Protocol) via QUIC, a modern transport protocol built for performance. It's fast, secure, and promising but still experimental and not widely supported yet.

Side-by-side comparison of DoH, DoT, DNSSEC, and DoQ:

Transport port

  • DoH: 443
  • DoT: 853
  • DNSSEC: 53
  • DoQ: 8853

Encryption layer

  • DoH: TLS 1.3 inside HTTPS
  • DoT: TLS 1.3 direct to DNS server
  • DNSSEC: Signs DNS records, not encrypted
  • DoQ: QUIC (TLS over UDP)

Typically runs on

  • DoH: Browsers, OS, mobile apps
  • DoT: Routers, Android Private DNS
  • DNSSEC: Resolver and domain-level
  • DoQ: Experimental clients, some public resolvers

Performance

  • DoH: Slight overhead, works well with CDN caching
  • DoT: Faster handshake, but easier to block
  • DNSSEC: No privacy, only integrity
  • DoQ: Great on poor connections, thanks to 0-RTT

Compatibility

  • DoH: Works anywhere HTTPS works
  • DoT: Needs port 853 open; many firewalls block it
  • DNSSEC: Widely supported but not enforced everywhere
  • DoQ: Still early, limited client support



Rustė Tervydytė | NordVPN


A certified geek, Ruste approaches every cybersecurity topic with curiosity and a knack for breaking down complex concepts. She's on a mission to make cybersecurity accessible, practical, and even a bit fun for readers.