What Is DNS over HTTPS (DoH) and Should You Enable It?

Every time you type a website address into your browser, a DNS lookup happens in the background. By default, that lookup is sent completely unencrypted — meaning your ISP, your network administrator, or anyone monitoring the connection can see exactly which domains you’re visiting. DNS over HTTPS (DoH) fixes this.

How Traditional DNS Works (and Why It’s a Privacy Problem)

Standard DNS queries travel over UDP or TCP on port 53, completely unencrypted. When you type “examineip.com” into your browser:

  1. Your device sends a query to a DNS resolver (usually your ISP’s by default)
  2. The query contains the domain name you’re looking up — in plain text
  3. Anyone between you and the resolver — your ISP, Wi-Fi operator, an attacker on the same network — can read it
  4. The response comes back, also unencrypted

This means that even if the website you’re visiting uses HTTPS (so the content is encrypted), the fact that you visited it is still visible through DNS. This is what your ISP uses to build a picture of your browsing habits.

Read our deep dive: What is DNS and how does it work?

What Is DNS over HTTPS?

DNS over HTTPS (DoH) sends DNS queries through an encrypted HTTPS connection — the same encryption used for secure websites. The query is wrapped in HTTPS traffic on port 443, which means:

  • Your ISP cannot see which domains you’re looking up
  • Attackers on the same Wi-Fi network cannot intercept your DNS queries
  • The DNS response cannot be tampered with in transit between you and the resolver (on-path DNS spoofing is prevented)
  • It blends in with regular HTTPS traffic on port 443, which makes it hard to single out and block

DoH is different from DNS over TLS (DoT), which also encrypts DNS but uses a dedicated port (853) that’s easier for network admins to block.
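Both the plain-text problem above (the queried name sits readable in the datagram) and the DoH wrapping come down to the same RFC 1035 message; DoH just carries it inside HTTPS as RFC 8484 describes. The following is an added example, not code from the article or from any provider it names: it builds a query, shows the RFC 8484 GET form for Cloudflare’s endpoint from the list above, and parses a response. The response bytes are constructed here (with the documentation address 192.0.2.1), and `doh_post` is an optional live lookup that the sample run never calls.

```python
import base64
import struct
import urllib.request  # used only by the optional live lookup at the bottom

# DoH endpoint from the article's provider list; the query format is RFC 8484.
CLOUDFLARE_DOH = "https://cloudflare-dns.com/dns-query"
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length byte + label), terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query. Exactly these bytes go over UDP/53 (plain
    DNS) or inside an HTTPS body/URL (DoH): DoH changes the transport, not the
    message. RFC 8484 recommends ID 0 for DoH so HTTP caches can reuse replies."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = RD bit
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver: str, name: str) -> str:
    """RFC 8484 GET form: base64url query, '=' padding stripped, in ?dns=."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{resolver}?dns={b64}"


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # 11xxxxxx: pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_a_records(msg: bytes) -> dict:
    """Pull the question name and any A records out of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    addrs, ttl = [], None
    for _ in range(an):
        _owner, off = read_name(msg, off)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if (rtype, rclass, rdlen) == (QTYPE_A, QCLASS_IN, 4):
            addrs.append(".".join(str(b) for b in rdata))
            ttl = rttl
    return {"name": qname, "rcode": flags & 0xF, "addresses": addrs, "ttl": ttl}


def doh_post(resolver: str, name: str, timeout: float = 5.0) -> dict:
    """Live lookup with the RFC 8484 POST form (needs network; not used by the sample)."""
    req = urllib.request.Request(
        resolver, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_a_records(resp.read())


# Constructed sample response (not captured from any resolver): answers
# www.example.com with the documentation address 192.0.2.1, TTL 3600, and
# points the answer's owner name back at the question name (0xC00C = offset 12).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    wire = build_query("www.example.com")
    # The plain-DNS privacy problem in one check: the name is readable in the datagram.
    print("domain readable in raw query bytes:", b"example" in wire)
    print("DoH GET URL:", doh_get_url(CLOUDFLARE_DOH, "www.example.com"))
    print("parsed sample response:", parse_a_records(SAMPLE_RESPONSE))
```

Two things worth noticing when you run it: the query bytes contain the literal label "example", which is all an on-path observer needs on port 53; and the GET URL for www.example.com is the same string every client produces, because the transaction ID is fixed at 0, which is what lets HTTPS caches and CDNs serve DoH answers.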

Who Provides DNS over HTTPS?

Several major providers offer free DoH resolvers:

  • Cloudflare: https://cloudflare-dns.com/dns-query (1.1.1.1) — claims no logging, audited annually
  • Google: https://dns.google/dns-query (8.8.8.8) — very fast, Google’s privacy policy applies
  • Quad9: https://dns.quad9.net/dns-query (9.9.9.9) — blocks malicious domains, privacy-focused
  • NextDNS: Customizable DoH resolver with content filtering and analytics

How to Enable DNS over HTTPS

In Chrome

  1. Settings → Privacy and security → Security
  2. Scroll to “Use secure DNS”
  3. Select “With” and choose Google or Cloudflare (or enter a custom URL)

In Firefox

  1. Settings → Privacy & Security
  2. Scroll to “DNS over HTTPS”
  3. Select “Max Protection” and choose a provider

In Windows 11

  1. Settings → Network & internet → Wi-Fi (or Ethernet) → your network
  2. Under “DNS server assignment” click Edit
  3. Set DNS to Cloudflare or Google, enable “DNS over HTTPS”

On iPhone (iOS 14+)

Install a configuration profile from Cloudflare (1.1.1.1 app) or use a third-party app like DNSCloak.

Does DoH Replace a VPN?

No — and this is an important distinction. DoH only encrypts your DNS queries. Your actual web traffic still goes through your ISP’s network, so they can still see which IP addresses you connect to (even if they can’t see the domain names from DNS).

A VPN encrypts all your traffic — DNS queries, web requests, everything — and routes it through the VPN server’s IP address. It’s a more comprehensive solution. DoH and a VPN are complementary: DoH still protects against DNS leaks when a VPN doesn’t handle DNS perfectly.

Speaking of DNS leaks — read our guide on what is a DNS leak and how to prevent it.

The Controversy: Centralization of DNS

DoH has critics, and their concern is legitimate. Standard DNS is decentralized — queries go to many different resolvers. With DoH, most browsers default to Cloudflare or Google, centralizing a huge portion of all DNS queries with just two companies. This shifts the privacy concern from thousands of ISPs to two large tech companies.

ISPs and enterprise IT administrators also object because DoH bypasses their ability to filter DNS at the network level — useful for parental controls, malware blocking, and compliance, but also used for censorship and surveillance.

Should You Enable DoH?

For most users, yes. The benefits — encrypted DNS, prevention of ISP snooping, resistance to DNS spoofing — outweigh the centralization concern, especially if you choose a privacy-focused provider like Cloudflare or Quad9 rather than Google.

If you use a VPN, check whether your VPN handles DNS automatically. Good VPNs route DNS through their own servers, effectively giving you encrypted DNS without needing to configure DoH separately. Check whether your VPN is leaking DNS with the ExamineIP DNS Checker.

Quick test: Use the DNS Checker tool to look up your own domain or a test domain. If Google DNS and Cloudflare return different results, your local DNS cache may have a stale entry.

Frequently Asked Questions

Does DoH make DNS faster?

Slightly slower in some cases due to the HTTPS overhead. However, major DoH providers (Cloudflare, Google) have extremely fast resolvers globally, so in practice the difference is imperceptible.

Can my employer block DoH?

Yes. On corporate networks, DoH can be blocked by a firewall that blocks connections to known DoH resolver IPs. This is why many enterprises disable DoH on managed devices — they need DNS queries to go through their own filtering systems.
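From the network side, the only thing a firewall or flow log can key on is the destination, and port 443 to a known resolver looks nothing like port 853 (DoT) or port 53 (plain DNS). The following is an added example, not tooling from the article: a small audit over constructed flow records that flags hosts sidestepping an assumed internal resolver (192.0.2.53, a documentation address), using the three public resolver IPs the article lists.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed internal resolver for this example (an RFC 5737 documentation address).
CORP_RESOLVER = ipaddress.ip_address("192.0.2.53")

# Public resolver addresses named in the article, keyed to their operator. A real
# deployment would load a maintained list (IPs and DoH hostnames) rather than this.
PUBLIC_RESOLVERS = {
    ipaddress.ip_address("1.1.1.1"): "Cloudflare",
    ipaddress.ip_address("8.8.8.8"): "Google",
    ipaddress.ip_address("9.9.9.9"): "Quad9",
}


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed 'ts src dst dport proto bytes' format."""
    ts, src, dst, dport, proto, _nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def classify(flow: Flow) -> Optional[str]:
    """Label a flow that sidesteps the internal resolver; None if nothing to report."""
    if flow.dport == 53:
        if flow.dst == CORP_RESOLVER:
            return None  # the expected path
        # Plain DNS to an outside resolver: unencrypted and unfiltered.
        return f"plain-dns:{PUBLIC_RESOLVERS.get(flow.dst, 'unknown')}"
    if flow.dport == 853 and flow.proto == "tcp":
        # DNS over TLS has its own port, so the port alone identifies it.
        return f"dot:{PUBLIC_RESOLVERS.get(flow.dst, 'unknown')}"
    if flow.dport == 443 and flow.dst in PUBLIC_RESOLVERS:
        # DoH shares 443 with all other HTTPS; only a known destination gives it
        # away, which is exactly the blind spot the article describes.
        return f"doh:{PUBLIC_RESOLVERS[flow.dst]}"
    return None


def audit(log_text: str) -> dict:
    """Count, per internal host, the flows that fall in each bypass category."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            label = classify(flow)
            if label:
                report[str(flow.src)][label] += 1
    return {host: dict(counts) for host, counts in report.items()}


# Constructed flow records (no real traffic); 10.10.4.0/24 is the assumed LAN,
# 203.0.113.10 an ordinary web server, and 192.0.2.53 the internal resolver.
SAMPLE_FLOWS = """\
2024-05-01T09:00:01 10.10.4.21 192.0.2.53 53 udp 71
2024-05-01T09:00:02 10.10.4.21 203.0.113.10 443 tcp 5120
2024-05-01T09:00:05 10.10.4.37 1.1.1.1 443 tcp 2310
2024-05-01T09:00:06 10.10.4.37 1.1.1.1 443 tcp 1987
2024-05-01T09:00:09 10.10.4.52 8.8.8.8 53 udp 64
2024-05-01T09:00:11 10.10.4.52 9.9.9.9 853 tcp 900
2024-05-01T09:00:12 10.10.4.21 192.0.2.53 53 udp 68
"""

if __name__ == "__main__":
    for host, counts in sorted(audit(SAMPLE_FLOWS).items()):
        print(host, counts)
```

The 10.10.4.21 flow to 203.0.113.10 on port 443 is not flagged even though nothing in the flow record proves it isn’t DoH to a resolver missing from the list; that gap is why enterprises that need DNS filtering disable DoH on the managed device itself rather than relying on the network to spot it.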

Is DoH the same as a VPN?

No. DoH only protects DNS queries. A VPN encrypts all traffic and also hides your IP address. See: VPN vs proxy — which is safer?
