DoH

DNS over HTTPS

DoH (DNS over HTTPS) is a protocol that wraps DNS queries inside encrypted HTTPS connections, preventing ISPs and other network observers from seeing or modifying which domains you look up.

Traditional DNS sends queries in plaintext over UDP port 53. Anyone on the network path — your ISP, your employer's IT team, public WiFi operators, governments — can read which sites you are looking up and log the data, even when those sites themselves use HTTPS. DoH closes this gap by encapsulating DNS queries inside an HTTPS request to a DoH-compatible resolver on port 443, making the DNS traffic indistinguishable from any other web traffic on the wire.

How DoH works on the wire

A DoH client formats a standard DNS query (a binary DNS packet) and submits it as the body of an HTTPS POST request, or as a base64url-encoded query string parameter on an HTTPS GET request, to the resolver's well-known DoH endpoint. The resolver processes the DNS query normally and returns the DNS response as the HTTP response body, with content type application/dns-message. RFC 8484 specifies the protocol.

To a passive network observer, the only visible information is that the client connected to a particular IP on port 443. The hostname the client queried and the IP it received in the response are hidden by the TLS encryption; what remains visible is the address of the resolver the client talked to.
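The request and response formats described above, as an added worked example (not code from the original page or from any resolver's software). It builds a wire-format DNS query, encodes it for the RFC 8484 GET form (base64url without padding in the dns parameter) and the POST form (application/dns-message body), and parses a response message. The endpoint URL is Cloudflare's from the table on this page; the response bytes are constructed here and answer with the documentation address 192.0.2.1.

```python
import base64
import struct
from typing import Dict, List, Tuple

# Assumed endpoint: Cloudflare's DoH URL from the resolver table on this page.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 wire-format query for `name` (qtype 1 = A record).
    RFC 8484 recommends transaction ID 0 so identical queries produce identical
    HTTP requests that an HTTP cache can serve."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form: base64url without '=' padding, carried in the `dns` parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(endpoint: str, query: bytes) -> Dict[str, object]:
    """POST form: the raw DNS message is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {"content-type": "application/dns-message",
                    "accept": "application/dns-message"},
        "body": query,
    }


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed DNS name; return (name, offset after it)."""
    labels: List[str] = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(msg: bytes) -> Dict[str, object]:
    """Parse the application/dns-message body a DoH resolver returns."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qdcount):
        name, offset = _read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        raw = msg[offset:offset + rdlen]
        offset += rdlen
        # A record with 4 bytes of rdata: render as dotted IPv4; otherwise keep bytes
        rdata: object = ".".join(str(b) for b in raw) if rtype == 1 and rdlen == 4 else raw
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x0F, "questions": questions, "answers": answers}


# Constructed response as a resolver would return it: example.com A 192.0.2.1,
# with the answer name compressed as a pointer to offset 12 (the question name).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)            # QR=1 RD=1 RA=1, NOERROR
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)   # question: example.com A IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)       # answer: A IN, TTL 300, 4 bytes
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, q))
    print(parse_response(SAMPLE_RESPONSE))
```

Run as a script it prints the GET URL a client would fetch and the parsed sample answer. Everything here is the same DNS message that would go over UDP port 53; the only things DoH changes are the transport (HTTPS) and the encoding of the message into an HTTP request.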

Popular DoH resolvers

Resolver                   DoH endpoint                              Notes
Cloudflare                 https://cloudflare-dns.com/dns-query      1.1.1.1; no-logs policy; widely used default
Google Public DNS          https://dns.google/dns-query              8.8.8.8; logs queries per Google policy
Quad9                      https://dns.quad9.net/dns-query           9.9.9.9; blocks known malicious domains
AdGuard DNS                https://dns.adguard.com/dns-query         Ad-blocking variant; family-safe options
NextDNS                    https://dns.nextdns.io/<config-id>        Customizable per-user filtering
OpenDNS / Cisco Umbrella   https://doh.opendns.com/dns-query         Content categorization and filtering

DoH vs DoT

Two competing encrypted DNS protocols exist. DoH (RFC 8484, 2018) runs over HTTPS port 443. DoT (DNS over TLS, RFC 7858, 2016) runs over a dedicated TLS connection on port 853. Technically both achieve the same encryption goal, but operationally they differ:

  • Visibility: DoT uses a dedicated port; network observers can see and block DoT traffic by port number. DoH on port 443 is indistinguishable from regular HTTPS without traffic analysis.
  • Browser integration: Browsers natively support DoH; DoT requires OS-level configuration.
  • Performance: Comparable. DoT can be slightly faster due to lower overhead; DoH benefits from HTTP/2 connection reuse for back-to-back queries.
  • Censorship resistance: DoH is harder to block in environments that restrict DNS encryption.

How browsers handle DoH

Major browsers ship with DoH support and default resolvers:

  • Firefox enables DoH by default in many regions, using Cloudflare or NextDNS based on Mozilla's Trusted Recursive Resolver program. Configurable per profile.
  • Chrome and Edge use "Auto-upgrade DNS" — if the user's current DNS resolver is on a known list (Cloudflare, Google, Quad9, etc.), the browser silently upgrades to DoH against the same provider. The user does not change DNS settings; the browser just stops sending plaintext queries.
  • Safari supports DoH via system-level DNS configuration; per-app configuration via Network Extension.

Browser-level DoH bypasses the operating system's resolver and any DNS settings configured at the router. For administrators this can be a problem: router-level content filtering and DNS-based parental controls become invisible to the browser. Enterprises often disable browser DoH via group policy, or by returning NXDOMAIN for the browser's canary domain, which tells the browser to keep using the system resolver.

Privacy trade-offs

DoH improves privacy from network observers but shifts trust to the resolver operator:

  • Your ISP no longer sees individual DNS queries.
  • The DoH resolver (Cloudflare, Google, etc.) sees every query you make.
  • Subsequent HTTPS connections to the looked-up domains still expose the destination IP to network observers, who can sometimes infer the site from the IP.
  • SNI (Server Name Indication) in TLS handshakes still leaks the hostname to observers unless ECH (Encrypted Client Hello) is also in use.

For comprehensive privacy from network observers, DoH should be combined with ECH and an encrypted transport like a VPN. DoH alone is one layer.
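The SNI leak mentioned in the list above, shown concretely as an added example (not code from the original page). It constructs a minimal TLS ClientHello carrying a server_name extension and then reads the hostname back out the way a passive observer on the network path would, before any encryption has started; the hostname and the zeroed random field are constructed values. Without ECH this is the byte sequence that gives away the destination even when the DNS lookup itself went over DoH.

```python
import struct
from typing import Optional


def _server_name_extension(host: str) -> bytes:
    """TLS server_name extension (type 0) with a single host_name entry."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(sni_list)) + sni_list


def build_client_hello(host: Optional[str]) -> bytes:
    """Constructed minimal ClientHello record; host=None omits the SNI extension."""
    body = b"\x03\x03" + bytes(32)                  # client_version + random (zeros, constructed)
    body += b"\x00"                                 # session_id length 0
    body += struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                             # compression_methods: null only
    extensions = _server_name_extension(host) if host is not None else b""
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """What a passive observer reads from the first plaintext handshake record."""
    if record[0] != 0x16 or record[5] != 0x01:      # not a handshake record / not ClientHello
        return None
    pos = 5 + 4                                     # skip record header and handshake header
    pos += 2 + 32                                   # client_version + random
    sid_len = record[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = record[pos]
    pos += 1 + cm_len
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                              # server_name: list length, then first entry
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")    # constructed hostname
    print("observer sees SNI:", extract_sni(hello))
    print("without SNI:", extract_sni(build_client_hello(None)))
```

The observer never needs to decrypt anything: the server_name extension is sent in the clear as part of the handshake that sets up the encryption. ECH addresses this by encrypting the real ClientHello inside an outer one that only names the hosting provider, which is why the text above pairs DoH with ECH rather than treating either alone as sufficient.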

When DoH might cause problems

  • Captive portals. Hotel and airport WiFi often require DNS hijacking to redirect users to a login page. DoH bypasses this and the user may see "no internet" errors. Browsers detect this scenario and fall back to plain DNS for portal detection.
  • Split DNS. Corporate networks often have internal domains resolved only by internal DNS. DoH against a public resolver fails for these names. Browsers and operating systems support "DoH exceptions" listing internal domains.
  • Parental controls. Router-based filtering (OpenDNS Family, Cleanbrowsing, Pi-hole) relies on intercepting DNS. DoH at the browser level bypasses it.
  • Compliance logging. Some regulatory regimes require DNS query logging at the network edge. DoH defeats this; affected organizations disable browser DoH and centralize encrypted DNS at the network edge.
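The administrator's side of this, as an added example (not code from the original page or any vendor tool): a small detector that runs over connection records and flags encrypted DNS that bypasses the network's own resolver, which is what the compliance-logging and parental-control items above are about. It also illustrates the DoH vs DoT visibility point: DoT is caught by its port alone, DoH only when the destination IP or TLS SNI matches a known public resolver, and HTTPS to an unrecognised host yields no finding. The resolver hostnames and primary IPs come from the table on this page (the secondary addresses 1.0.0.1, 8.8.4.4 and 149.112.112.112 belong to the same services); the key=value log format and the flow records are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Public DoH resolvers from the table on this page, keyed by the hostname a TLS
# SNI would carry, mapped to their well-known anycast addresses where the page
# lists one (secondaries added; services without a fixed listed IP get an empty set).
KNOWN_DOH_RESOLVERS: Dict[str, Set[str]] = {
    "cloudflare-dns.com": {"1.1.1.1", "1.0.0.1"},
    "dns.google": {"8.8.8.8", "8.8.4.4"},
    "dns.quad9.net": {"9.9.9.9", "149.112.112.112"},
    "dns.adguard.com": set(),
    "dns.nextdns.io": set(),
    "doh.opendns.com": set(),
}
KNOWN_DOH_IPS: Dict[str, str] = {
    ip: host for host, ips in KNOWN_DOH_RESOLVERS.items() for ip in ips
}

# Assumed (constructed) flow-log format: whitespace-separated key=value fields.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> Dict[str, str]:
    return dict(FIELD_RE.findall(line))


def classify_flow(flow: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the flow is encrypted DNS leaving the network, else None."""
    dport = int(flow.get("dport", "0"))
    dst = flow.get("dst", "")
    sni = flow.get("sni", "")
    if dport == 853:
        # DoT uses a dedicated port, so the port number alone identifies it
        return f"DoT to {dst}: port 853 is identifiable by port number alone"
    if dport == 443:
        # DoH shares port 443 with all other HTTPS; only the destination gives it away
        if dst in KNOWN_DOH_IPS:
            return f"DoH: destination {dst} is known resolver {KNOWN_DOH_IPS[dst]}"
        if sni in KNOWN_DOH_RESOLVERS:
            return f"DoH: TLS SNI names known resolver {sni}"
    return None  # plain DNS, or HTTPS to an unrecognised host: not distinguishable here


def find_encrypted_dns(lines: List[str]) -> List[Dict[str, str]]:
    findings = []
    for line in lines:
        flow = parse_flow(line)
        reason = classify_flow(flow)
        if reason is not None:
            findings.append({"src": flow.get("src", ""), "dst": flow.get("dst", ""),
                             "reason": reason})
    return findings


# Constructed sample records: internal hosts in 10.0.0.0/8, documentation IPs elsewhere.
SAMPLE_FLOWS = [
    "ts=2024-05-01T09:00:01Z src=10.0.0.5 dst=1.1.1.1 dport=443 sni=cloudflare-dns.com",
    "ts=2024-05-01T09:00:02Z src=10.0.0.6 dst=203.0.113.10 dport=443 sni=dns.google",
    "ts=2024-05-01T09:00:03Z src=10.0.0.7 dst=9.9.9.9 dport=853",
    "ts=2024-05-01T09:00:04Z src=10.0.0.8 dst=10.0.0.53 dport=53",
    "ts=2024-05-01T09:00:05Z src=10.0.0.9 dst=198.51.100.7 dport=443 sni=www.example.com",
]

if __name__ == "__main__":
    for finding in find_encrypted_dns(SAMPLE_FLOWS):
        print(finding)
```

The fourth record is ordinary plaintext DNS to the internal resolver and the fifth is ordinary HTTPS, so neither is reported; that last case is the limit the text describes, since a DoH resolver on an unlisted address behind a generic SNI looks exactly like any other web connection. A resolver list like this needs maintenance, which is one reason organizations prefer to disable browser DoH centrally rather than chase it in the logs.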

Frequently Asked Questions

What is the difference between DoH and DoT?

DoH runs DNS queries over HTTPS (port 443) — the same port as regular web traffic, making the queries indistinguishable from any other HTTPS request. DoT (DNS over TLS) runs DNS over a dedicated TLS connection on port 853. Both encrypt the DNS query the same way; the difference is which port and protocol layer. DoH is harder to block because blocking it requires distinguishing DNS lookups from regular web traffic; DoT is easier to identify and block. Browsers like Chrome, Firefox, and Edge support DoH natively.

Does DoH actually improve privacy?

Partially. DoH prevents your ISP and local network observers from seeing your DNS queries — so they cannot easily log which sites you visit via DNS. However, the resolver you send DoH queries to (Cloudflare, Google, your ISP, etc.) still sees every query. DoH shifts trust from your ISP to the resolver operator. It also does not hide the destination IP of subsequent HTTPS connections, so a sophisticated observer can still infer which sites you visit by watching connection metadata.

Can my ISP still block DoH?

Some can, by blocking known DoH resolver hostnames or IPs. However, this is harder than blocking plain DNS because DoH traffic is encrypted and looks like any other HTTPS request on the wire. Some ISPs and corporate networks block specific DoH resolvers (1.1.1.1, dns.google) at the firewall to force users back to ISP DNS. In response, browsers often have fallback behavior: try DoH first, fall back to local DNS if blocked.

Should I enable DoH at home?

For most users, yes — it provides privacy from your ISP at minimal performance cost. Modern browsers (Chrome, Firefox, Edge) enable DoH automatically when they detect a compatible resolver. The trade-off is that DoH bypasses your router's DNS settings — so if you use parental controls or content filtering at the router level, DoH at the browser level can defeat them. Some operators disable browser DoH for this reason.
