What is DNS over HTTPS?
DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by sending them inside standard HTTPS connections instead of as unencrypted plaintext. Every time you type a website address, your device asks a DNS server to translate that domain name into an IP address. Traditionally, this request travels in the clear, meaning your ISP, network administrator, or anyone on the same Wi-Fi network can see exactly which websites you are requesting. DoH wraps those queries in the same HTTPS encryption that protects your banking and shopping sessions, hiding the domain names you look up from observers on the network path.
In-Depth
The Privacy Problem with Traditional DNS
Standard DNS uses UDP port 53 with no encryption. When you visit “example.com,” your computer sends a plaintext request to a DNS resolver that says, effectively, “What is the IP address of example.com?” Anyone monitoring the network – a coffee-shop eavesdropper, a corporate firewall, or your ISP – can log every domain you look up. This metadata reveals your browsing patterns even when the websites themselves use HTTPS. A VPN encrypts all traffic including DNS, but DoH provides a lighter-weight, DNS-specific solution that works without the overhead of a full VPN tunnel.
DoH vs. DoT (DNS over TLS)
DoH is not the only DNS encryption protocol. DNS over TLS (DoT) achieves the same goal but uses a dedicated port (853) with TLS encryption. The practical difference:
- DoH (port 443): Uses the same port as all HTTPS web traffic, so at the port level it looks like ordinary browsing. Difficult for network administrators to block without breaking web access entirely.
- DoT (port 853): Uses a distinct, identifiable port that is easier for firewalls to detect and block.
Major browsers – Chrome, Firefox, Edge, Brave, and Safari – have adopted DoH as their preferred DNS encryption method because of its resistance to blocking and its seamless integration with the existing web stack.
Performance Impact
A common concern is whether encrypting DNS adds latency. In practice, the overhead is minimal. The initial HTTPS handshake takes a fraction of a second, and subsequent queries reuse the connection (HTTP/2 multiplexing), making them as fast as or faster than traditional DNS over UDP. Measurements by Cloudflare and Google show that DoH latency is comparable to conventional DNS in most network conditions. In some cases, switching to a high-performance DoH provider like Cloudflare (1.1.1.1) actually speeds up DNS resolution compared to a slow ISP resolver, because the provider’s infrastructure is geographically closer to most users.
How to Enable DoH
Enabling DoH is simple:
- In your browser: Open Settings, navigate to Privacy or Security, find “Use secure DNS” or “DNS over HTTPS,” and select a provider (Cloudflare, Google, Quad9, etc.).
- At the OS level: Windows 11, macOS, iOS, and Android all support system-wide DoH. In your network or DNS settings, enter a DoH-compatible server address and enable the encryption option.
- On your router: Some routers support DoH or DoT, encrypting DNS for every device on your network without per-device configuration.
Considerations and Limitations
DoH is not a silver bullet for privacy. It encrypts the DNS query, but the IP address you subsequently connect to is still visible to your ISP and network operator (unless you also use a VPN). Additionally, Server Name Indication (SNI) in the TLS handshake can reveal the hostname you are connecting to; Encrypted Client Hello (ECH) is an emerging standard that addresses this. Some enterprise networks and parental-control systems rely on inspecting DNS queries to enforce policies. Enabling DoH on a corporate network may bypass security controls, so check with your IT department before enabling it on a work device.
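The two caveats above, that the TLS handshake still exposes the hostname and that DoH can slip past a network's own DNS controls, can be seen together in one added example (not code from the page or from any vendor). It constructs a minimal TLS ClientHello, extracts the Server Name Indication from it the way a passive observer on the path would, and then applies a simple policy check a network administrator might run: flag connections whose SNI names a public DoH resolver. The resolver hostnames (dns.google, cloudflare-dns.com, dns.quad9.net) are the providers' real DoH endpoints but are assumptions not stated on the page, and the ClientHello is constructed rather than captured.

```python
import struct
from typing import Optional

# Assumed DoH endpoint hostnames for the providers the page lists.
KNOWN_DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS ClientHello record carrying only an SNI extension
    (enough to exercise the parser; real hellos carry many more extensions)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                               # client_version
        + b"\x11" * 32                            # client random (constructed)
        + b"\x00"                                 # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
        + b"\x01\x00"                             # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None.
    Without ECH this field is plaintext, so DoH alone does not hide it."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9                                        # record header + handshake header
    pos += 2 + 32                                  # client_version + random
    pos += 1 + record[pos]                         # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                         # compression methods
    if pos + 2 > len(record):
        return None                                # no extensions present
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                     # server_name extension
            name_type = record[pos + 2]            # after 2-byte list length
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            if name_type == 0:
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None

def flag_encrypted_dns(client_hello: bytes, dst_port: int) -> Optional[str]:
    """Policy check for a network that expects clients to use its internal
    resolver. DoT needs no payload inspection: port 853 alone identifies it.
    DoH on 443 is only recognisable here because the SNI names a known resolver;
    once ECH hides the SNI, this check returns None for the same flow."""
    if dst_port == 853:
        return "DoT (port 853)"
    sni = extract_sni(client_hello)
    if dst_port == 443 and sni in KNOWN_DOH_RESOLVERS:
        return f"DoH to {sni}"
    return None

if __name__ == "__main__":
    for host, port in [("dns.google", 443), ("www.example.com", 443), ("", 853)]:
        hello = build_client_hello(host) if host else b""
        print(f"{host or '-':20} :{port}  SNI={extract_sni(hello)!r}  "
              f"flag={flag_encrypted_dns(hello, port)!r}")
```

Note that the same parser that lets an administrator spot DoH is what lets an ISP or coffee-shop observer see which site a DoH user is visiting; ECH is the fix for both sides of that coin, which is why the page calls it the next step after DoH.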
How to Choose
1. Start with Your Browser
The fastest way to get DoH protection is to enable it in your browser’s settings. It takes about 30 seconds, requires no software installation, and immediately encrypts all DNS lookups made by that browser.
2. Pick a Trustworthy DNS Provider
When you use DoH, you are trusting the DNS provider with your query data. Choose carefully:
- Cloudflare (1.1.1.1): Commits to not selling data and purging query logs within 24 hours. Independently audited.
- Google Public DNS (8.8.8.8): Extremely fast and reliable; logs are anonymized but retained for limited analytics.
- Quad9 (9.9.9.9): Security-focused; blocks known malicious domains automatically.
Review each provider’s privacy policy and choose the one whose data practices align with your comfort level.
3. Combine with a VPN for Full Protection
DoH encrypts only DNS queries – it does not hide your IP address or encrypt the rest of your traffic. For comprehensive privacy on public Wi-Fi or in restrictive network environments, pair DoH with a VPN. Together, they cover both the “what site are you visiting” question (DoH) and the “what are you doing there” question (VPN).
DoH Adoption and Industry Momentum
DoH has gained rapid adoption since its introduction. Firefox was the first major browser to enable DoH by default (in the US), followed by Chrome, Edge, and Brave. Apple added system-wide DoH support in iOS 14 and macOS Big Sur. Windows 11 supports DoH natively in network settings. This broad adoption means that enabling DoH is no longer an advanced technical task – it is a mainstream feature supported by every major platform. The trend toward encrypted DNS is clear and irreversible, driven by both user demand for privacy and industry consensus that unencrypted DNS is a liability.
The Bottom Line
DNS over HTTPS is one of the easiest and most impactful privacy upgrades you can make. By encrypting the DNS queries that reveal which websites you visit, DoH closes a long-standing gap in internet privacy – and it takes less than a minute to enable. Choose a reputable DNS provider, turn on DoH in your browser or operating system, and consider layering a VPN on top for full-spectrum protection. It is a small change with a meaningful payoff.