Every time you visit a website, your device first asks a DNS resolver to translate the domain name into an IP address. For most of the internet's history, that question and its answer travelled across the network in plain text — readable by your ISP, network operators, and anyone in between. DNS over HTTPS (DoH) closes that gap by encrypting DNS queries inside the same secure channel that already protects your web browsing.
What Is DNS over HTTPS (DoH)?
DNS over HTTPS (DoH) is a protocol that sends DNS queries and responses over an encrypted HTTPS connection instead of the traditional, unencrypted DNS transport. Defined in RFC 8484, it lets your browser or operating system resolve domain names by making an HTTPS request to a special DoH endpoint — a URL like https://cloudflare-dns.com/dns-query — rather than sending a raw DNS packet to port 53.
Because the query is carried inside standard HTTPS, it is encrypted end to end between your device and the resolver, and it looks like ordinary web traffic on the network. That single change delivers two things at once: privacy (nobody can read your DNS lookups) and integrity (nobody can silently alter the answers).
The Problem DoH Solves: Plaintext DNS
Traditional DNS (sometimes called "Do53" because it uses port 53) was designed in the 1980s with no encryption. Every lookup your device makes is visible to any party that can observe the network path:
- Eavesdropping — your ISP, a public Wi-Fi operator, or anyone sniffing the network can see every domain you visit, even when the sites themselves use HTTPS.
- Tampering — a network operator can intercept a plaintext DNS response and return a different IP address, redirecting you to the wrong server (DNS spoofing or hijacking).
- Censorship and blocking — plaintext DNS makes it trivial to block specific domains by filtering DNS traffic.
HTTPS solved eavesdropping for the content of websites years ago, but the DNS lookup that happens before the connection remained exposed. DoH extends encryption to that first, revealing step.
How DNS over HTTPS Works
At a high level, DoH replaces the raw UDP/TCP query to port 53 with an HTTPS request to a resolver that speaks the DoH protocol. Here is the sequence:
Step 1 — The client builds a DNS query
Your browser or OS constructs a normal DNS query (for example, an A record request for showdns.net), just as it would for traditional DNS.
Step 2 — The query is sent over HTTPS
Instead of a port-53 packet, the query is sent as an HTTPS request to the resolver's DoH endpoint on port 443. RFC 8484 defines a binary wire-format (using the application/dns-message content type), and many resolvers also expose a convenient JSON API.
# Resolve showdns.net via Cloudflare's DoH JSON API
curl -H 'accept: application/dns-json' \
'https://cloudflare-dns.com/dns-query?name=showdns.net&type=A'Step 3 — The resolver answers over the same channel
The DoH resolver performs the recursive lookup (querying root, TLD, and authoritative nameservers as needed) and returns the answer inside the encrypted HTTPS response. Your device then uses the resolved IP address to connect to the website.
Because it rides on port 443 alongside all other web traffic, DoH is difficult to distinguish from normal HTTPS browsing — which is exactly why it is effective at resisting surveillance and blocking.
DoH vs Traditional DNS
The table below summarises how DoH differs from classic plaintext DNS:
- Port — traditional DNS uses port 53; DoH uses port 443 (HTTPS).
- Encryption — traditional DNS is plaintext; DoH is encrypted with TLS.
- Visibility on the network — traditional DNS is easy to inspect and filter; DoH is indistinguishable from ordinary HTTPS.
- Tamper resistance — traditional DNS answers can be altered in transit; DoH answers are protected by TLS integrity.
DoH vs DoT (DNS over TLS)
DoH is not the only way to encrypt DNS. DNS over TLS (DoT), defined in RFC 7858, also encrypts DNS with TLS — but it runs on a dedicated port, 853, rather than blending in with web traffic. The practical difference:
- DoH (port 443) — hides inside normal HTTPS, so it is hard for networks to detect or block. Favoured by browsers.
- DoT (port 853) — uses a distinct port, which is easier for network administrators to identify, monitor, or block, but also easier to manage at the OS level. Favoured by mobile operating systems (Android calls it "Private DNS").
Both provide the same core encryption; they differ mainly in where the encrypted traffic sits and who tends to control it.
Benefits of DoH
- Privacy — your ISP and network operators can no longer log which domains you look up.
- Integrity — TLS prevents on-path attackers from spoofing or altering DNS answers.
- Resistance to blocking — because DoH looks like HTTPS, it is hard to selectively filter.
- Protection on untrusted networks — on public Wi-Fi, DoH stops the local network from snooping on or manipulating your lookups.
Limitations and Criticisms of DoH
DoH is not a privacy silver bullet, and it has genuine trade-offs worth understanding:
- You trust the resolver instead of the ISP — your queries are hidden from the network, but the DoH provider still sees every domain you resolve. You are shifting trust, not eliminating it.
- It does not hide the destination IP — after DNS resolves, your device still connects to the site's IP address, which the network can observe.
- Enterprise and parental controls — DoH can bypass network-level DNS filtering that organisations and families rely on for security or content control.
- Centralisation concerns — routing DNS to a handful of large DoH providers concentrates visibility into internet activity.
Which Providers Support DoH?
Most major public resolvers offer DoH endpoints. Common ones include:
Cloudflare https://cloudflare-dns.com/dns-query
Google https://dns.google/dns-query
Quad9 https://dns.quad9.net/dns-query
AdGuard https://dns.adguard-dns.com/dns-query
NextDNS https://dns.nextdns.io/Each offers different features — Quad9 and AdGuard filter known-malicious domains, NextDNS adds customisable blocklists, and Cloudflare focuses on speed and a strict no-logging stance. You can compare options in our guide to the best DNS providers, or browse the full public DNS resolver directory.
How to Enable DoH
DoH can be turned on in most modern browsers and operating systems:
- Chrome & Edge — Settings → Privacy and security → Use secure DNS.
- Firefox — Settings → Privacy & Security → Enable DNS over HTTPS.
- Windows 11 — Settings → Network & internet → your adapter → DNS server assignment → set encryption to "Encrypted only (DoH)".
- Routers & whole networks — some routers and DNS forwarders (such as those running dnsmasq or AdGuard Home) can perform DoH upstream for every device.
After enabling it, verify that lookups still resolve correctly with the ShowDNS DNS Lookup tool.
Does DoH Replace DNSSEC?
No — they solve different problems and complement each other. DoH encrypts the connection between you and your resolver (transport privacy). DNSSEC cryptographically signs DNS records so a resolver can verify they were not forged at the source (data authenticity). DoH hides your queries; DNSSEC proves the answers are genuine. Ideally you want both. Learn more in What Is DNSSEC?
Is DoH Right for You?
For most individuals — especially on public or untrusted networks — DoH is a clear privacy and security win, provided you choose a resolver you trust. For network administrators, the same properties that protect users can undermine legitimate DNS-based filtering, so DoH deployment in managed environments needs a deliberate policy rather than a per-device toggle.
Frequently Asked Questions
Is DNS over HTTPS safe?
Yes. DoH improves safety by encrypting DNS queries so they cannot be read or altered in transit. The main consideration is trust: your chosen DoH provider can see your lookups, so pick one with a transparent privacy policy.
Does DoH make me anonymous?
No. DoH hides your DNS queries from the network, but the DoH resolver still sees them, and your device still connects to destination IP addresses that the network can observe. DoH is a privacy improvement, not full anonymity — for that you would need tools such as a VPN or Tor.
Is DoH the same as a VPN?
No. A VPN encrypts and reroutes all of your traffic through a remote server, changing your apparent IP address. DoH only encrypts DNS lookups. They can be used together, and each protects a different part of your connection.
Can DoH slow down my browsing?
Usually the impact is negligible and can even improve on the default ISP resolver. DoH adds a small amount of overhead from the HTTPS connection, but reputable providers use fast, globally distributed infrastructure, and connections are reused across many queries.
Why do some network administrators dislike DoH?
Because DoH bypasses local DNS-based controls. Organisations and schools often filter or monitor DNS for security, compliance, or content policies. When a device uses DoH to an external provider, those controls no longer apply, which is why managed networks may disable or override it.