DNS over HTTPS (DoH) Explained: Privacy, Security, and Setup
Traditional DNS queries are sent in plain text over UDP port 53. Anyone on the network path — your ISP, a coffee shop's Wi-Fi operator, or a malicious actor — can see which domains you are visiting and even redirect your queries. DNS over HTTPS (DoH) solves this by encrypting DNS queries inside HTTPS connections.
How Traditional DNS Exposes You
When you type a URL in your browser, your device sends a DNS query to your configured resolver (usually your ISP's). This query travels unencrypted across the network. This means:
- Your ISP can see and log every domain you visit.
- Network operators can intercept and modify DNS responses (DNS hijacking).
- Attackers on the same network can redirect you to malicious sites (DNS spoofing).
What Is DNS over HTTPS?
DoH encapsulates DNS queries inside standard HTTPS requests to a DoH-compatible resolver. From a network perspective, DoH traffic looks identical to regular HTTPS web traffic on port 443. This provides two key benefits:
- Encryption — DNS queries and responses are encrypted using TLS, preventing eavesdropping.
- Authentication — The TLS certificate verifies you are communicating with the intended resolver, preventing man-in-the-middle attacks. The resolver itself still sees every query in the clear, so the privacy gain depends on which provider you choose to trust.
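To make the encapsulation concrete, here is an added example (not code from the page or from any provider) that builds the DNS wire-format query an RFC 8484 client puts into a DoH GET request, forms the `?dns=` URL against the Cloudflare endpoint listed later on this page, and parses a constructed resolver reply. Nothing is sent over the network; the sample address 192.0.2.1 is a constructed documentation value.

```python
# Added example, not from the page: RFC 8484 DoH GET request builder and reply parser (offline).
import base64
import struct


def build_query(name, qtype=1):
    """DNS wire-format query; ID 0 as RFC 8484 advises so the GET URL is cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID, RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(name, endpoint="https://cloudflare-dns.com/dns-query"):
    """GET form: the wire query base64url-encoded with '=' padding removed (RFC 8484 section 6)."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"


# Constructed response: flags 0x8180 (QR, RD, RA), question echoed back, one A record whose
# name is a 0xC00C compression pointer to offset 12, TTL 300, address 192.0.2.1 (TEST-NET-1).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)


def _skip_name(msg, pos):
    """Advance past a DNS name, whether written out as labels or as a 0xC0xx pointer."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:  # not a response, or RCODE != NOERROR
        return []
    pos = 12
    for _ in range(qd):  # skip the question section
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs
```

A real client fetches the URL with the header `Accept: application/dns-message` over TLS and feeds the response body to `parse_a_records`; the URL for `www.example.com` matches the worked example in RFC 8484 itself.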
DoH vs DoT (DNS over TLS)
DNS over TLS (DoT) is an alternative that also encrypts DNS queries but uses a dedicated port (853). The key difference:
- DoH (port 443) — Blends in with regular HTTPS traffic, making it harder to block. Preferred by browsers.
- DoT (port 853) — Uses a dedicated port, making it easier for network administrators to identify and manage. Preferred by operating systems and enterprise environments.
Both provide equivalent encryption. The choice often comes down to whether you prioritize being hard to block (DoH) or easy to manage (DoT).
How to Enable DoH
In Your Browser
Firefox: Settings → Privacy & Security → DNS over HTTPS → Enable and select a provider (Cloudflare, NextDNS, etc.).
Chrome/Edge: Settings → Security → Use secure DNS → Select a provider.
Safari: Supports DoH through configuration profiles on macOS and iOS.
At the OS Level
Windows 11: Settings → Network → DNS → Select a server that supports encryption and enable DNS over HTTPS.
macOS: Use a configuration profile or a tool like dnscrypt-proxy for system-wide DoH.
Linux: Use systemd-resolved with DoT support, or install dnscrypt-proxy for DoH.
On Your Router
Some routers support DoH natively (OpenWrt, pfSense). This encrypts DNS for all devices on your network without per-device configuration.
Popular DoH Providers
- Cloudflare — https://cloudflare-dns.com/dns-query (1.1.1.1)
- Google — https://dns.google/dns-query (8.8.8.8)
- Quad9 — https://dns.quad9.net/dns-query (9.9.9.9, includes malware blocking)
- NextDNS — Customizable filtering with DoH support
Concerns and Trade-offs
- Centralization — DoH shifts DNS traffic from local ISPs to a few large providers, which some view as a centralization risk.
- Enterprise visibility — DoH can bypass corporate DNS policies, which is why some organizations block it.
- Performance — The HTTPS overhead adds a small latency cost to the first query, though connection reuse minimizes this for subsequent queries.
DoH is a significant privacy improvement for everyday internet users. If you are not already using encrypted DNS, enabling DoH in your browser is one of the simplest steps you can take to protect your browsing privacy.