DNS over HTTPS (DoH): What It Is & Why It Matters

Standard DNS is unencrypted and visible to anyone on your network — DoH fixes that

The Problem with Traditional DNS

When you type a domain name into your browser, your device sends a DNS query to resolve it to an IP address. By default, this query is sent in plain text over UDP port 53 — completely unencrypted. Anyone who can observe your network traffic — your ISP, network administrators, or a man-in-the-middle attacker — can see every domain name you look up.

This is a serious privacy problem. Even if you use HTTPS for all your web browsing (which encrypts the content of your requests), your DNS queries still expose which domains you're visiting. Your ISP can build a detailed profile of your browsing habits purely from DNS data, and in many countries, ISPs are legally required to retain and share this data.

Run a DNS leak test right now to see exactly which resolver is handling your queries and whether your DNS traffic might be exposed. The results will show you precisely which organizations can see your browsing activity.

What Is DNS over HTTPS (DoH)?

DNS over HTTPS (DoH), defined in RFC 8484, solves the plaintext DNS problem by sending DNS queries inside normal HTTPS traffic. Instead of using UDP port 53, DoH sends queries as HTTPS requests to port 443 — the same port used for all secure web browsing.

The benefits are significant:

A closely related protocol, DNS over TLS (DoT), uses TCP port 853 for encrypted DNS. DoT provides similar privacy but is easier for network administrators to identify and block. DoH is generally preferred for consumer use because it's harder to filter.


How to Enable DoH in Your Browser and OS

DoH support is now built into all major browsers and operating systems. Here's how to enable it:

Google Chrome:

  1. Go to Settings → Privacy and security → Security.
  2. Under "Advanced", enable "Use secure DNS".
  3. Choose a provider (Cloudflare, Google, NextDNS) or enter a custom DoH URL.

Mozilla Firefox:

  1. Go to Settings → Privacy & Security.
  2. Scroll to "DNS over HTTPS".
  3. Select "Max Protection" or "Increased Protection" and choose a provider.

Windows 11: Go to Settings → Network & Internet → [your network] → DNS server assignment and edit it to use an encrypted DNS provider.

macOS Ventura+: Use a configuration profile or a DNS client app that supports DoH. Apple doesn't expose a system-wide DoH toggle in the UI, but both iOS and macOS support encrypted DNS via configuration profiles, such as those supplied by providers like Cloudflare's 1.1.1.1 app.

After enabling DoH, run our DNS leak test to verify your queries are being handled by your chosen encrypted resolver.

DoH Providers: Which to Use?

Choosing the right DoH provider is important — you're trusting them with your DNS queries. Here are the main options:

Cloudflare (1.1.1.1):
DoH URL: https://cloudflare-dns.com/dns-query
Cloudflare promises not to log IP addresses and has commissioned independent audits to verify that commitment. It's consistently the fastest resolver globally. Their 1.1.1.1 app enables DoH system-wide on iOS and Android.

Google Public DNS (8.8.8.8):
DoH URL: https://dns.google/dns-query
Reliable and fast, but Google does collect some data for security and diagnostics. Less privacy-focused than Cloudflare or NextDNS.

NextDNS:
DoH URL: https://dns.nextdns.io/[your-id]
A customizable, privacy-first DNS resolver with built-in filtering for ads and malware. A free tier is available with query limits; paid plans offer unlimited use.

Quad9 (9.9.9.9):
DoH URL: https://dns.quad9.net/dns-query
Non-profit operated, blocks malware domains, strong privacy policy. A good choice for users who want both privacy and security filtering without setting up a full DNS filter.

See our full comparison of best public DNS servers for speed benchmarks and detailed policy comparisons.

Controversies and Limitations of DoH

Despite its benefits, DoH has faced criticism from some network professionals and organizations:

Centralization concerns: When everyone uses a handful of large DoH providers, it concentrates enormous DNS visibility (and potential control) in those providers. A single outage at Cloudflare or Google affects millions of users.

Network management bypass: Corporate IT departments, schools, and parental control systems often rely on DNS to enforce policies. DoH bypasses these controls by encrypting DNS queries. Enterprises can disable browser DoH via group policy, but it's an ongoing arms race.

Doesn't protect all traffic: DoH in a browser only encrypts DNS for that browser's traffic. Other applications on the system still use the system resolver unless you configure DoH at the OS level. Use our DNS leak test to check for leaks from non-browser traffic.

SNI leakage: Even with DoH, the Server Name Indication (SNI) field in TLS handshakes can reveal the domain you're connecting to. Encrypted Client Hello (ECH) is the emerging solution to this problem.
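The following added example (not code from the original article) shows what that leak looks like at the byte level: it constructs a minimal TLS ClientHello carrying a `server_name` extension and then parses it the way a passive monitor on the path would, recovering the hostname even though no DNS query was ever visible. The ClientHello is constructed for the example rather than captured; the constants and field layout follow the TLS record and handshake formats.

```python
"""TLS ClientHello SNI extraction (added example, not the article's code).

Demonstrates that, without Encrypted Client Hello, the server_name extension
exposes the destination hostname to anyone observing the connection, even when
DNS itself travels over DoH. The ClientHello is constructed for this example.
"""
import os
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16            # record content type
CLIENT_HELLO = 0x01             # handshake message type
EXT_SERVER_NAME = 0x0000        # SNI extension type
EXT_SUPPORTED_VERSIONS = 0x002B # an unrelated extension, present so the parser must skip it


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS-1.2-framed ClientHello with an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    versions_body = b"\x02\x03\x04"                              # supported_versions: TLS 1.3
    extensions = (
        struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(versions_body)) + versions_body
        + struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body
    )
    body = (
        b"\x03\x03" + os.urandom(32)              # client_version, 32-byte random
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS ClientHello record, or None if not present."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    pos = 4 + 2 + 32                              # handshake header, version, random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = hs[pos]
    pos += 1 + comp_len
    if pos + 2 > len(hs):
        return None                               # no extensions block at all
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        ext = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        # ServerNameList: 2-byte list length, then entries of type(1) + length(2) + name
        list_len = struct.unpack("!H", ext[:2])[0]
        epos = 2
        while epos + 3 <= 2 + list_len:
            name_type = ext[epos]
            name_len = struct.unpack("!H", ext[epos + 1:epos + 3])[0]
            epos += 3
            if name_type == 0:
                return ext[epos:epos + name_len].decode("ascii")
            epos += name_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(extract_sni(hello))
```

This is the same parsing that network monitoring tools perform to log destination hostnames, which is why DoH alone does not hide where a browser connects; ECH addresses it by moving the real `server_name` into an encrypted inner ClientHello.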

Despite these limitations, DoH is a meaningful privacy improvement for most users. Combined with a VPN, it significantly reduces the amount of browsing data exposed to third parties.


Frequently Asked Questions

Does DNS over HTTPS make me anonymous?

No, DoH protects your DNS queries from surveillance but doesn't make you anonymous. Your IP address is still visible to websites you visit, and your DoH provider can still see which domains you query. For greater anonymity, combine DoH with a VPN, and verify your setup with a DNS leak test.

What is the difference between DoH and DoT?

Both encrypt DNS queries, but they use different methods. DNS over HTTPS (DoH) sends queries over HTTPS on port 443 — blending with normal web traffic. DNS over TLS (DoT) uses dedicated port 853. DoH is harder to block; DoT is easier for network admins to identify and manage.

Will DoH slow down my browsing?

The performance impact is minimal. DoH does add slight overhead due to the HTTPS connection, but modern implementations use persistent connections that amortize this cost. Fast providers like Cloudflare 1.1.1.1 often resolve queries faster than your ISP's default resolver despite the encryption.

Can my ISP still see what sites I visit with DoH enabled?

Your ISP can no longer see your DNS queries with DoH enabled, but they can still see the IP addresses you connect to via your traffic metadata. For sites on shared hosting or CDNs, this reveals less than you might think, but it's not a complete solution. A VPN covers this remaining gap.
