
DNS over HTTPS (DoH): What It Is and How to Enable It

October 25, 2025 · 6 min read · HostBible Team

Standard DNS queries travel over UDP or TCP on port 53 in plaintext. Anyone on the network path (your ISP, a router, a network monitoring device) can see every domain you look up. DNS over HTTPS (DoH) encrypts those queries inside standard HTTPS connections, making them indistinguishable from ordinary web traffic and invisible to passive observers.

The Problem with Standard DNS

Every website you visit starts with a DNS lookup. Before your browser connects to a server, it asks a resolver: "what's the IP for this domain?" That query, and the response, travels in plaintext by default. Your ISP logs every domain you look up. Public Wi-Fi operators can see your browsing habits at the DNS level. Attackers on a shared network can observe or manipulate your DNS queries.

This is true even if the websites you visit use HTTPS. DNS happens before the HTTPS connection is established, and it's entirely unprotected by the TLS encryption of the web session itself.

What DoH Changes

DNS over HTTPS wraps DNS queries inside HTTPS requests sent to a DoH resolver endpoint. The query goes out on port 443 alongside ordinary web traffic. To anyone monitoring the network, it looks like normal HTTPS: they can see that you're connecting to the resolver (e.g. Cloudflare's 1.1.1.1), but not what DNS queries you're making.

DoH protects against:

  • ISP logging of every domain you visit.
  • DNS manipulation by network operators, changing responses to redirect traffic or block sites.
  • Passive surveillance on public Wi-Fi networks.
  • DNS-based content filtering imposed by network administrators (which some users legitimately want to bypass).

DoH does not hide what IP addresses you subsequently connect to. Your ISP can still see those. For complete traffic privacy you'd need a VPN or Tor on top of DoH.
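To make the "DNS wrapped in HTTPS" description concrete, here is an added example (not part of the original guide) of a minimal DoH client in Python: it builds a DNS wire-format query, POSTs it to a resolver with the RFC 8484 media type, and parses the answer section of the reply. The resolver URL is Cloudflare's from the list below; the sample response bytes are constructed for an offline check, not captured from a real resolver.

```python
import struct
import urllib.request

def build_query(name: str, qtype: int = 1) -> bytes:
    # 12-byte header: ID 0 (RFC 8484 suggests it for HTTP cacheability), RD=1, QDCOUNT=1.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QNAME, QTYPE, QCLASS=IN

def _read_name(msg: bytes, off: int):  # decode a possibly compressed name -> (name, offset past it)
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to a name earlier in the message
            ptr = ((ln & 0x3F) << 8) | msg[off + 1]
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_answers(msg: bytes):  # -> [(name, type, ttl, value)]; raises on a non-zero RCODE
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section (name + QTYPE + QCLASS)
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 else rdata.hex()  # A record, else raw hex
        answers.append((name, "A" if rtype == 1 else str(rtype), ttl, value))
    return answers

def doh_lookup(name: str, url: str = "https://1.1.1.1/dns-query"):
    # The same wire-format message, POSTed over HTTPS on port 443 with the RFC 8484 media type.
    hdrs = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    req = urllib.request.Request(url, data=build_query(name), headers=hdrs, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_answers(resp.read())

# Constructed sample response (not captured from a real resolver): example.com A 203.0.113.10, TTL 300.
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xcb\x00\x71\x0a")
if __name__ == "__main__":
    print(parse_answers(SAMPLE_RESPONSE))  # offline: [('example.com', 'A', 300, '203.0.113.10')]
    print(doh_lookup("example.com"))       # live query; needs network access
```

On the wire, a passive observer sees only a TLS session to the resolver on port 443; the `application/dns-message` body is inside the encrypted channel.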

DoH vs DNS over TLS (DoT)

DoT is the other major encrypted DNS protocol. Both encrypt DNS traffic, but they differ in how:

  • DoT uses TLS on port 853. Easier to identify (a dedicated port), and therefore easier for network admins to allow or block specifically.
  • DoH uses HTTPS on port 443. Blends with web traffic and is much harder to block without also blocking all HTTPS, which is impractical for most networks.

For end users, DoH is generally more practical: it's natively supported by major browsers, harder for restrictive networks to block, and available from the same providers. DoT is more appropriate for system-level implementations where network admins want to explicitly allow encrypted DNS while being able to monitor or filter it.

How to Enable DoH in Chrome

  1. Go to Settings (three-dot menu > Settings).
  2. Click Privacy and security > Security.
  3. Under Advanced, find Use secure DNS.
  4. Toggle it on and select With from the dropdown.
  5. Choose a provider from the list, or select Custom and enter a DoH URL.

Common DoH resolver URLs:

Cloudflare: https://1.1.1.1/dns-query
Google:     https://dns.google/dns-query
Quad9:      https://dns.quad9.net/dns-query

How to Enable DoH in Firefox

  1. Go to Settings (hamburger menu > Settings).
  2. Scroll to the Network Settings section at the bottom and click Settings.
  3. Check Enable DNS over HTTPS.
  4. Choose a provider. Firefox defaults to Cloudflare but accepts a custom URL.
  5. Click OK.

Firefox has supported DoH since 2020 and was one of the first browsers to enable it by default for US users.

How to Enable DoH System-Wide on Windows 11

Browser-level DoH only protects DNS queries made by that browser. Other applications (email clients, terminal tools, other browsers) still use the system DNS. To cover all traffic, configure DoH at the OS level.

  1. Go to Settings > Network & internet.
  2. Select your active network connection (Wi-Fi or Ethernet) > Hardware properties.
  3. Click Edit next to DNS server assignment.
  4. Switch to Manual.
  5. Under IPv4, enter a DoH-capable resolver IP (e.g. 1.1.1.1).
  6. Set the DNS over HTTPS dropdown to On (automatic template), or enter the DoH URL manually.
  7. Repeat for the secondary DNS (e.g. 1.0.0.1).
  8. Click Save.

How to Enable DoH System-Wide on macOS

macOS doesn't have a built-in DoH setting as of Sonoma. Options include:

  • Cloudflare's 1.1.1.1 app: a free macOS application that configures DoH at the system level with Cloudflare's resolver. Simple one-click setup.
  • Configure via mobileconfig profile: Apple's configuration profile format supports DNS settings including DoH. Enterprise deployment tools use this method.
  • Third-party tools like NextDNS (which also offers custom filtering alongside DoH).

The Trade-offs and When Not to Use It

Enabling DoH shifts your DNS queries from your ISP's resolver to a DoH provider. You're trading ISP visibility for the DoH provider's visibility. Cloudflare (1.1.1.1) and Google (8.8.8.8) both publish privacy policies stating they don't log or sell query data, but that's a policy commitment rather than a technical guarantee.

On corporate or managed networks, DoH can bypass DNS-based security controls intentionally applied by the IT team, such as content filtering, malware domain blocking, and network monitoring tools that rely on DNS visibility. Check with your IT department before enabling DoH on work devices or company networks. Most enterprise security teams have legitimate reasons for controlling DNS resolution.

For home users and personal devices, DoH is a clear privacy improvement with minimal downsides.
