The Problem DoH Solves: Plaintext DNS Queries
Traditional DNS sends queries and responses as unencrypted plaintext over UDP port 53. Every device on the network path between your computer and the DNS resolver — your router, your ISP, and any network observer — can read exactly which domain names you are querying. This means your ISP has a complete, real-time log of every website you attempt to visit, simply by monitoring your DNS traffic. In many countries, ISPs are legally permitted or required to retain this data, and in some jurisdictions it is sold to advertisers.
Beyond ISP surveillance, unencrypted DNS creates an attack surface. An attacker on the same network — a public Wi-Fi hotspot, for instance — can read your DNS queries, forge responses, and redirect you to malicious servers without your knowledge. DNS over HTTPS was standardized in RFC 8484 (2018) specifically to close this gap.
How DoH Works
DNS over HTTPS sends DNS queries as standard HTTPS requests to a resolver that exposes a /dns-query endpoint. The query is formatted as a DNS wire-format message, sent either as the body of an HTTP POST request or as a base64url-encoded GET parameter, over an encrypted TLS connection on port 443. The response comes back with the application/dns-message content type inside the same encrypted HTTPS channel.
From the network's perspective, DoH traffic is indistinguishable from ordinary HTTPS traffic to any website. The resolver's IP address is visible, but the content, the domain names being queried, is encrypted inside TLS. Modern DoH implementations use persistent HTTP/2 connections, which allow multiple DNS queries to be multiplexed over a single TLS session, minimizing the handshake overhead that might otherwise add latency.
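As an added illustration that is not part of the original article, the following Python code builds the wire-format DNS message that RFC 8484 carries, shows both request forms described above (the unpadded base64url value of the GET parameter and the application/dns-message body of a POST), and parses a response back into records, including the name-compression pointers a real resolver emits. The endpoint URL is taken from the article's list of public resolvers; the response bytes and the 93.184.216.34 address are constructed samples, not the result of a live lookup, so the block runs offline.

```python
import base64
import struct

# Endpoint taken from the article's resolver list.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"

QTYPE_A = 1


def build_dns_query(name, qtype=QTYPE_A, txid=0):
    """Encode a single-question DNS query in wire format (RFC 1035).

    RFC 8484 recommends a transaction ID of 0 so that identical queries
    produce identical GET URLs and POST bodies, which lets HTTP caches work.
    """
    flags = 0x0100  # RD (recursion desired) set, everything else clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(endpoint, wire):
    """GET form: base64url-encoded message in the 'dns' parameter, no '=' padding."""
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(endpoint, wire):
    """POST form: the raw wire-format message is the body, typed as application/dns-message."""
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "Accept": "application/dns-message",
            "Content-Type": "application/dns-message",
            "Content-Length": str(len(wire)),
        },
        "body": wire,
    }


def _read_name(buf, offset):
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = buf[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the pointer is the last thing in this name
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns_response(wire):
    """Parse header, question and answer sections of an application/dns-message reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = _read_name(wire, offset)
        qtype, _qclass = struct.unpack("!HH", wire[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, offset = _read_name(wire, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[offset:offset + 10])
        offset += 10
        rdata = wire[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # render A records as dotted quads
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


# Constructed sample response (not captured traffic): flags 0x8180 (QR, RD, RA),
# one question, one A record with TTL 3600 whose owner name is a pointer (0xC00C)
# back to the question name at offset 12.
SAMPLE_RESPONSE = (
    bytes.fromhex("0000 8180 0001 0001 0000 0000")
    + build_dns_query("www.example.com")[12:]
    + bytes.fromhex("c00c 0001 0001 00000e10 0004 5db8d822")
)

if __name__ == "__main__":
    query = build_dns_query("www.example.com")
    print(doh_get_url(DOH_ENDPOINT, query))
    print(doh_post_request(DOH_ENDPOINT, query)["headers"])
    print(parse_dns_response(SAMPLE_RESPONSE))
```

The GET URL produced for www.example.com is the same one RFC 8484 uses in its own example, which is a quick way to check an encoder. To send it for real, hand the URL or the POST body to any HTTP/2-capable client; a client should also confirm that the question section of the reply matches what it asked before trusting the answers.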
Port 443 and Traffic Blending
The key architectural feature of DoH is its use of port 443, the standard HTTPS port. Because DoH traffic is indistinguishable from regular HTTPS to websites, it cannot be selectively blocked without also blocking all encrypted web traffic. This property is by design — it ensures DoH works even on networks that attempt to enforce specific DNS policies by blocking alternative DNS ports.
This same property is controversial in enterprise and network administration contexts. Corporate networks often use split-horizon DNS to resolve internal hostnames that are not accessible on the public internet. If browsers use DoH to bypass the corporate DNS resolver, internal hostnames fail to resolve. For this reason, enterprise browsers and operating systems typically allow administrators to disable or configure DoH centrally through policy management tools.
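To make the visibility difference concrete for an administrator of the kind of corporate network described above, here is an added Python example, not code from the article, that classifies flow-log lines the way a network observer would have to: plaintext DNS is recognised by port 53, DoT by its dedicated port 853, and DoH only when the destination IP or the TLS SNI matches a known public resolver. The resolver addresses and hostnames are the ones the article lists; the corporate resolver address 10.0.0.53, the 203.0.113.x addresses and the log lines themselves are constructed for the example.

```python
import re
from collections import Counter

# Resolver identifiers taken from the article's list of public DoH providers.
# A real deployment would maintain this set from the providers' published addresses.
KNOWN_DOH_RESOLVER_IPS = {"1.1.1.1", "8.8.8.8"}
KNOWN_DOH_SNI = {
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.google",
    "dns.quad9.net",
}
# Hypothetical address of the corporate split-horizon resolver (an assumption).
CORPORATE_RESOLVER = "10.0.0.53"

# Constructed sample flow log in a simple key=value form (not real traffic).
# 203.0.113.x is documentation address space; sni is absent when TLS hides it.
SAMPLE_FLOWS = """\
ts=1 src=10.0.1.20 dst=10.0.0.53 dport=53 proto=udp
ts=2 src=10.0.1.20 dst=10.0.0.53 dport=53 proto=udp
ts=3 src=10.0.1.21 dst=8.8.8.8 dport=53 proto=udp
ts=4 src=10.0.1.22 dst=203.0.113.10 dport=853 proto=tcp
ts=5 src=10.0.1.23 dst=1.1.1.1 dport=443 proto=tcp sni=cloudflare-dns.com
ts=6 src=10.0.1.23 dst=203.0.113.44 dport=443 proto=tcp sni=www.example.com
ts=7 src=10.0.1.24 dst=8.8.8.8 dport=443 proto=tcp
ts=8 src=10.0.1.25 dst=203.0.113.9 dport=443 proto=tcp sni=dns.quad9.net
ts=9 src=10.0.1.26 dst=203.0.113.44 dport=443 proto=tcp
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Turn one 'key=value ...' line into a dict; dport becomes an int."""
    flow = dict(FIELD_RE.findall(line))
    flow["dport"] = int(flow["dport"])
    return flow


def classify(flow):
    """Label a flow by what a passive observer can tell about it."""
    if flow["dport"] == 53:
        if flow["dst"] == CORPORATE_RESOLVER:
            return "plaintext-dns-corporate"
        return "plaintext-dns-external"  # readable, and bypasses the corporate resolver
    if flow["dport"] == 853:
        return "dot"  # dedicated port: identifiable without decrypting anything
    if flow["dport"] == 443:
        if flow["dst"] in KNOWN_DOH_RESOLVER_IPS or flow.get("sni") in KNOWN_DOH_SNI:
            return "probable-doh"  # only the resolver's IP or SNI gives it away
        return "https"  # indistinguishable from ordinary web traffic
    return "other"


def summarize(log_text):
    """Count flows per label and list sources resolving outside the corporate resolver."""
    counts = Counter()
    bypassing = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        counts[label] += 1
        if label in {"plaintext-dns-external", "dot", "probable-doh"}:
            bypassing.add(flow["src"])
    return counts, sorted(bypassing)


if __name__ == "__main__":
    counts, hosts = summarize(SAMPLE_FLOWS)
    for label, n in sorted(counts.items()):
        print(f"{label:26} {n}")
    print("hosts resolving outside the corporate resolver:", hosts)
```

The last sample line (port 443, unknown destination, no SNI) is what every DoH flow looks like once the resolver is not on the list or Encrypted Client Hello hides the SNI, which is exactly why the article says DoH cannot be selectively blocked at the network. The reliable control on managed devices is the browser and OS policy the article mentions, with flow classification like this serving only to spot hosts that are not yet under policy.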
How to Enable DoH in Windows 11
Windows 11 supports DoH natively at the OS level. Go to Settings → Network & Internet → Wi-Fi (or Ethernet) → Hardware properties → DNS server assignment → Edit. Switch to Manual, enable IPv4, enter a DoH-capable resolver address (such as 1.1.1.1 for Cloudflare or 8.8.8.8 for Google), and set the DNS over HTTPS dropdown to Encrypted only. Windows will use DoH for all DNS lookups through that adapter. Note that Windows 11's DoH requires the resolver IP to be on Microsoft's approved list of known DoH providers, or you can add custom entries via PowerShell.
How to Enable DoH in Firefox and Chrome
Firefox has built-in DoH support configurable under Settings → Privacy & Security → DNS over HTTPS. Choose Default Protection (uses DoH with fallback to system DNS), Increased Protection (prefers DoH), or Max Protection (DoH only, no fallback). Firefox defaults to Cloudflare's endpoint (https://mozilla.cloudflare-dns.com/dns-query) but accepts any custom URL.
In Chrome, navigate to Settings → Privacy and Security → Security → Use secure DNS. Enable it and choose a provider from the list or enter a custom DoH endpoint URL. Chrome's DoH setting overrides the operating system DNS for queries originating from within the browser, independently of any system-level DNS configuration.
DoH and Corporate Networks
DoH can interfere with enterprise DNS configurations. Corporations often maintain internal DNS zones — hostnames like intranet.company.com that only resolve via the corporate DNS server. If a browser uses DoH to an external resolver, those internal names fail to resolve. Modern enterprise management platforms (Microsoft Intune, Google Workspace) can push policies that disable or redirect DoH on managed devices. If you use a work device, check with your IT department before enabling DoH, as it may break access to internal resources.
DoH Resolver Endpoints
Major public DNS providers publish DoH endpoints. Cloudflare's endpoint is https://1.1.1.1/dns-query (also accessible as https://cloudflare-dns.com/dns-query). Google's endpoint is https://dns.google/dns-query. Quad9's endpoint is https://dns.quad9.net/dns-query. NextDNS and AdGuard DNS provide unique per-account endpoints that apply your custom filtering configuration even over DoH. These URLs can be entered into any browser or application that supports custom DoH endpoints.
DoH vs DoT vs Plaintext DNS Comparison
| Protocol | Port | Encryption | Transport | Network Visibility | Browser Support | OS Support | Performance Overhead |
|---|---|---|---|---|---|---|---|
| Plaintext DNS | 53 | None | UDP / TCP | Fully visible | N/A (default) | All | Minimal |
| DNS over HTTPS | 443 | TLS 1.2 / 1.3 | HTTP/2 over TLS | Hidden (blends with HTTPS) | Chrome, Firefox, Edge | Windows 11, macOS (apps) | Low (persistent HTTP/2) |
| DNS over TLS | 853 | TLS 1.2 / 1.3 | TCP over TLS | Encrypted but identifiable | Limited | Android 9+, Linux | Low (persistent TCP) |
Frequently Asked Questions
Does DNS over HTTPS slow down browsing?
DNS over HTTPS adds a small amount of overhead compared to plaintext DNS because each query travels inside an HTTPS connection rather than a bare UDP packet. However, modern DoH implementations use persistent HTTP/2 connections, which amortize the TLS handshake cost across many queries. In practice, the latency difference is typically under 10 milliseconds per query and is imperceptible to most users. The privacy benefit far outweighs the negligible performance cost.
Can my ISP see my DNS queries if I use DoH?
No. DNS over HTTPS encrypts your DNS queries inside standard HTTPS traffic on port 443. Your ISP sees an encrypted connection to the DoH resolver's IP address but cannot read the query content — the domain names you are looking up are hidden. However, your ISP can still observe the IP addresses your device connects to after the lookup, and can see Server Name Indication (SNI) in TLS handshakes unless Encrypted Client Hello (ECH) is also in use. DoH closes the DNS visibility gap but does not make you fully anonymous.
How do I enable DoH in Chrome or Firefox?
In Chrome, go to Settings, then Privacy and Security, then Security, and find the Use secure DNS section. Enable it and select your preferred provider from the dropdown, or enter a custom DoH URL. In Firefox, go to Settings, then Privacy and Security, scroll to DNS over HTTPS, and select either Default Protection, Increased Protection, or Max Protection. Firefox defaults to Cloudflare's DoH endpoint but allows any custom resolver. Both browsers enable DoH per-browser, regardless of your operating system DNS settings.
Is DNS over HTTPS the same as a VPN?
No. DNS over HTTPS only encrypts your DNS queries — the lookups that translate domain names to IP addresses. A VPN encrypts all of your network traffic, including the actual data you send and receive, and also masks your IP address from the sites you visit. DoH does not hide your IP address from websites or encrypt your web traffic. It specifically prevents ISPs and network observers from seeing which domains you look up, which is a narrower but still meaningful privacy improvement.
Does DoH prevent DNS hijacking?
DNS over HTTPS prevents man-in-the-middle DNS hijacking — attacks where someone on the network path intercepts and forges DNS responses. Because the queries and responses are encrypted inside an authenticated HTTPS connection, an attacker cannot modify them in transit. However, DoH does not prevent local DNS hijacking (malware that changes your device's DNS configuration) or router hijacking (an attacker who controls your router and redirects DoH traffic to a malicious resolver). For those threats, DNSSEC and secure router management are the appropriate defenses.
What is the difference between DoH and DoT?
Both DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries, but they differ in how and where. DoH wraps queries inside standard HTTPS on port 443, making them indistinguishable from regular web traffic — network administrators cannot block DoH without also blocking all HTTPS. DoT uses a dedicated port 853, which makes it easy to identify, monitor, or block by network operators. DoH has broader browser support; DoT has broader OS and router support. Android's Private DNS feature implements DoT, not DoH.