Home
My IP
GPS
Find Me
Your Location
4๏ธโƒฃIPv4: โ€”
๐Ÿ“...
6๏ธโƒฃIPv6: โ€”
๐ŸŒ...
๐Ÿข...
๐Ÿ“Œ...
Privacy & Security10 min read

DNS Over HTTPS (DoH): What It Is and How to Enable It

Every DNS lookup you make is sent in plain text by default. DNS over HTTPS encrypts those queries, preventing ISP snooping, DNS hijacking, and network-level censorship.

By WhatIsMyLocation TeamยทUpdated July 1, 2026
DNS Over HTTPS (DoH): What It Is and How to Enable It

Summarise this article with:

TL;DR
Every time you visit a website, your device sends a DNS query in plain text over UDP port 53, exposing every domain you look up to your ISP and anyone on your local network. DNS over HTTPS (DoH) fixes this by encrypting those queries inside standard HTTPS traffic on port 443. Enabling it takes under a minute in Chrome, Firefox, or Edge, and it works on Windows, macOS, Android, and iOS too.

What Does DNS Over HTTPS Actually Do?

DNS over HTTPS (DoH) encrypts the domain-name lookups your device makes constantly in the background, so your ISP, public Wi-Fi operator, or anyone else monitoring your network cannot read which sites you visit. Without it, every website name you look up travels as plain, readable text over UDP port 53, even when the site itself is HTTPS. DoH wraps those queries in the same encrypted HTTPS tunnel that protects your banking and shopping, tunneling them over port 443.

Compare resolver answers before and after enabling DoH
Compare resolver answers before and after enabling DoH

Why Plain DNS Is a Privacy Problem

When you type a domain into your browser, your device fires off a DNS query before any HTTPS connection starts. That query travels unencrypted. Anyone with visibility into your network sees it:

  • Your ISP logs every domain you look up and, in many countries, can sell that data to advertisers.
  • Anyone on your local network (a coffee shop, hotel, airport) can read your DNS traffic with basic packet capture.
  • Attackers can tamper with responses (DNS hijacking) to redirect you to fake sites, even on networks you trust.
  • Governments and organizations use DNS interception as the primary mechanism for web filtering and censorship.

HTTPS protects the content of your visits. Plain DNS reveals the guest list. DoH closes that gap.

Plain DNS vs DoT vs DoH

There are three ways your DNS queries can travel:

Plain DNSDoTDoH
Port53 (UDP/TCP)853 (TCP)443 (TCP)
EncryptionNoneTLSTLS inside HTTPS
VisibilityFully readableEncrypted but identifiable by portBlends with all HTTPS traffic
BlockableNoYes, by filtering port 853Difficult without blocking all HTTPS
Browser supportDefault everywhereLimitedExcellent
OS-level supportDefault everywhereAndroid, Linux, macOS (profile)Windows 11, macOS (profile)
PerformanceFastestSlightly faster than DoHNegligible overhead for most users

DNS over TLS (DoT) uses a dedicated port, which means network administrators can identify and filter it easily, and in some regions it is routinely blocked. DoH uses port 443 alongside every other HTTPS request, making selective blocking far harder. For most personal use, DoH is the better choice. DoT has a place in enterprise environments where IT teams want to allow encrypted DNS while still monitoring it at the network edge.

If you want to see what your current DNS setup looks like from the outside, run our DNS Leak Test before and after you make changes.

How to Enable DoH on Every Platform

Google Chrome

  1. Open Chrome and go to Settings.
  2. Navigate to Privacy and security > Security.
  3. Scroll to Advanced and enable Use secure DNS.
  4. Select With: Customized and pick a provider (Cloudflare, Google, Quad9, NextDNS, or a custom URL).

Chrome ships with five DoH providers pre-configured. "With your current service provider" only works if your ISP or DNS resolver supports DoH and Chrome recognizes it.

Mozilla Firefox

  1. Open Settings and scroll to Privacy & Security.
  2. Under DNS over HTTPS, choose your protection level:

- Increased Protection: tries DoH first, falls back to system DNS if the DoH server is unreachable. Better for travel, where captive portals (hotel or airport login pages) need plain DNS to redirect you.

- Max Protection: all DNS queries must go through DoH. Shows an error page if the DoH resolver fails. Use this at home if you want the strongest guarantee.

  1. Select a provider from the dropdown.

Firefox was the first major browser to ship DoH and still offers the most granular control over protection levels.

Microsoft Edge

  1. Open Settings > Privacy, search, and services.
  2. Scroll to Security and enable Use secure DNS to specify how to look up the network address for websites.
  3. Choose a provider or enter a custom DoH URL.

Safari

Safari has no built-in DoH toggle. Configure it at the OS level using the macOS or iOS steps below.

Windows 11

  1. Open Settings > Network & internet.
  2. Click your active connection (Wi-Fi or Ethernet).
  3. Click Hardware Properties, then click Edit next to DNS server assignment.
  4. Switch to Manual, flip IPv4 on, and enter your DNS servers:

- Cloudflare: 1.1.1.1 (primary), 1.0.0.1 (secondary)

- Google: 8.8.8.8 (primary), 8.8.4.4 (secondary)

  1. Set DNS over HTTPS to On (automatic template).
  2. Click Save.

Note: simply entering the IP addresses without toggling the DoH switch sends those queries in plain text. The encrypted label only appears once you explicitly enable the DoH toggle.

macOS

macOS does not expose a DoH toggle in System Settings. Entering a DNS IP address under Network preferences sends queries unencrypted. For true system-wide DoH, you need to install a .mobileconfig configuration profile.

The easiest path: download a signed profile from your DNS provider (Cloudflare's setup page at one.one.one.one offers one) or use a community repository such as paulmillr/encrypted-dns on GitHub. After downloading, open it in Safari and go to System Settings > Privacy & Security > Profiles to install. The profile applies to all networks by default.

Android

Android 9 and later supports Private DNS using DNS over TLS system-wide:

  1. Open Settings > Network & internet > Private DNS.
  2. Select Private DNS provider hostname.
  3. Enter one.one.one.one (Cloudflare) or dns.google (Google).
  4. Tap Save.

In my testing, Android's "Strict Mode" Private DNS is reliable and covers all apps, not just the browser. Android 13 and later also adds DoH support in some configurations, but the DoT path via Private DNS remains the simpler, universally available option. Verify it worked by visiting 1.1.1.1/help after enabling, which shows whether DoT is active.

iOS and iPadOS

iOS 14 and later supports system-wide encrypted DNS via configuration profiles:

  1. Download a .mobileconfig profile from your DNS provider in Safari (Cloudflare's profile is available at one.one.one.one).
  2. Go to Settings > General > VPN & Device Management.
  3. Tap the downloaded profile and follow the prompts to install it.

Once installed, the profile overrides per-network DNS settings across Wi-Fi and cellular, covering all apps without a VPN.

Linux (systemd)

For Ubuntu 22.04 and later, Fedora, and other systemd distributions, edit the resolver config:

sudo nano /etc/systemd/resolved.conf

Add or modify:

[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes

Then restart:

sudo systemctl restart systemd-resolved

This enables DoT. For DoH specifically on Linux, a local proxy like cloudflared or dnscrypt-proxy is the more reliable path.

Choosing a DoH Provider

ProviderPrimary DNSDoH URLNotes
Cloudflare1.1.1.1cloudflare-dns.com/dns-queryIndependently audited, fastest on most benchmarks
Google8.8.8.8dns.google/dns-querySource IPs anonymized after 24-48 hours
Quad99.9.9.9dns.quad9.net/dns-queryNon-profit, no-logs, blocks known malicious domains
NextDNSCustomnextdns.ioConfigurable ad blocking and logging
Mullvad194.242.2.2dns.mullvad.net/dns-queryNo-logs, ad and tracker blocking

My rule: use Cloudflare for most setups. Independent audits confirm they do not write querying IP addresses to disk alongside DNS queries, and source IPs are anonymized and deleted within 25 hours. On global benchmarks, 1.1.1.1 consistently posts median response times around 11-15 ms, ahead of most alternatives. If ad and tracker blocking at the DNS level matters to you, Quad9 or NextDNS are worth the slight setup overhead.

One honest caveat: all DoH providers do see your query content, even if they claim not to log it. DoH shifts trust from your ISP to your chosen resolver. Pick one whose privacy policy and audit history you find credible.

Verifying DoH Is Working

After enabling DoH, confirm it is actually running:

  1. Use our DNS Leak Test to check whether your queries are leaving through your chosen resolver or leaking to your ISP's servers.
  2. Visit 1.1.1.1/help if using Cloudflare to confirm DoH or DoT is active.
  3. Check Cloudflare's Encrypted SNI test page for a broader picture of your browser's security posture.

If the leak test still shows your ISP's nameservers, your browser's DoH setting may have defaulted back to system DNS, or a network policy is overriding it.

You can also inspect what DNS server your browser is resolving names against using the DNS Lookup tool, which can help you verify that responses are coming from the right resolver.

What DoH Does Not Fix

DoH is one layer, not a complete solution. It hides which domains you look up, but the DNS resolver you choose still sees every query. The website's IP address you connect to is also visible via SNI (Server Name Indication) in the TLS handshake, though Encrypted Client Hello (ECH) is reducing that exposure in modern browsers.

Websites also track you through cookies, browser fingerprinting, referrer headers, and login sessions. For a meaningful step up in overall privacy, pair DoH with a reputable VPN and check whether your browser is leaking more identifiers than you think via our Browser Fingerprint tool.

Enterprise IT teams should be aware that DoH bypasses network-level DNS monitoring. Organizations that rely on DNS for security filtering (malware detection, acceptable-use enforcement) typically configure browsers or endpoint policies to use their own internal DoH resolvers rather than public ones.

Frequently Asked Questions

Does DNS over HTTPS make me anonymous online?

No. DoH encrypts your DNS queries so your ISP and local network observers cannot see which domains you look up, but it does not hide your IP address, your browsing habits from the website itself, or your queries from the DoH resolver you use. It is a privacy improvement, not anonymity.

Will enabling DoH slow down my browsing?

The HTTPS connection to a DoH resolver adds a small amount of overhead on the first query, typically in the range of 10-50 milliseconds. After that, the connection is reused and subsequent queries are fast. In practice, most users do not notice any difference, and a fast resolver like Cloudflare can actually be quicker than a slow ISP resolver.

What is the difference between DoH and DoT?

Both encrypt DNS queries. DoH (DNS over HTTPS) sends queries over port 443, blending with normal web traffic and making it hard to block without blocking the entire web. DoT (DNS over TLS) uses a dedicated port 853, which is easier for network administrators to identify, manage, and selectively block. For home use, DoH is more practical. For enterprise environments where controlled, visible encrypted DNS is needed, DoT is often preferred.

Can my ISP still track me if I use DoH?

Your ISP can no longer read your DNS queries when DoH is active. However, they can still see the IP addresses you connect to and the timing of your traffic, which can infer browsing patterns. They also see your traffic before it reaches the DoH resolver. For more complete ISP privacy, a VPN encrypts your full traffic stream at the network level.

Does DoH work on mobile data (cellular)?

Yes. On Android, enabling Private DNS applies system-wide to both Wi-Fi and cellular connections. On iOS, an installed .mobileconfig profile also covers cellular. Browser-level DoH in Chrome or Firefox applies to that browser's DNS queries regardless of connection type.

How do I know if my DNS is leaking despite DoH being enabled?

Run our DNS Leak Test. If the result shows your ISP's DNS servers instead of Cloudflare, Google, or whichever resolver you configured, DoH is not active for that traffic. Common causes: the browser setting was not saved, the OS has a group policy overriding it, or you are on a network that intercepts port 443 traffic through a proxy. Check the DNS Lookup tool as a secondary confirmation to see which nameservers respond to a query.

Sources

Want the full interactive guide?
What Is DNS? Interactive Guide โ†’
W

WhatIsMyLocation Team

Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.

Related Articles

Try Our Location Tools

Find your IP address, GPS coordinates, and more with our free tools.