
Summarise this article with:
What Does DNS Over HTTPS Actually Do?
DNS over HTTPS (DoH) encrypts the domain-name lookups your device makes constantly in the background, so your ISP, public Wi-Fi operator, or anyone else monitoring your network cannot read which sites you visit. Without it, every website name you look up travels as plain, readable text over UDP port 53, even when the site itself is HTTPS. DoH wraps those queries in the same encrypted HTTPS tunnel that protects your banking and shopping, tunneling them over port 443.

Why Plain DNS Is a Privacy Problem
When you type a domain into your browser, your device fires off a DNS query before any HTTPS connection starts. That query travels unencrypted. Anyone with visibility into your network sees it:
- Your ISP logs every domain you look up and, in many countries, can sell that data to advertisers.
- Anyone on your local network (a coffee shop, hotel, airport) can read your DNS traffic with basic packet capture.
- Attackers can tamper with responses (DNS hijacking) to redirect you to fake sites, even on networks you trust.
- Governments and organizations use DNS interception as the primary mechanism for web filtering and censorship.
HTTPS protects the content of your visits. Plain DNS reveals the guest list. DoH closes that gap.
Plain DNS vs DoT vs DoH
There are three ways your DNS queries can travel:
| Plain DNS | DoT | DoH | |
|---|---|---|---|
| Port | 53 (UDP/TCP) | 853 (TCP) | 443 (TCP) |
| Encryption | None | TLS | TLS inside HTTPS |
| Visibility | Fully readable | Encrypted but identifiable by port | Blends with all HTTPS traffic |
| Blockable | No | Yes, by filtering port 853 | Difficult without blocking all HTTPS |
| Browser support | Default everywhere | Limited | Excellent |
| OS-level support | Default everywhere | Android, Linux, macOS (profile) | Windows 11, macOS (profile) |
| Performance | Fastest | Slightly faster than DoH | Negligible overhead for most users |
DNS over TLS (DoT) uses a dedicated port, which means network administrators can identify and filter it easily, and in some regions it is routinely blocked. DoH uses port 443 alongside every other HTTPS request, making selective blocking far harder. For most personal use, DoH is the better choice. DoT has a place in enterprise environments where IT teams want to allow encrypted DNS while still monitoring it at the network edge.
If you want to see what your current DNS setup looks like from the outside, run our DNS Leak Test before and after you make changes.
How to Enable DoH on Every Platform
Google Chrome
- Open Chrome and go to Settings.
- Navigate to Privacy and security > Security.
- Scroll to Advanced and enable Use secure DNS.
- Select With: Customized and pick a provider (Cloudflare, Google, Quad9, NextDNS, or a custom URL).
Chrome ships with five DoH providers pre-configured. "With your current service provider" only works if your ISP or DNS resolver supports DoH and Chrome recognizes it.
Mozilla Firefox
- Open Settings and scroll to Privacy & Security.
- Under DNS over HTTPS, choose your protection level:
- Increased Protection: tries DoH first, falls back to system DNS if the DoH server is unreachable. Better for travel, where captive portals (hotel or airport login pages) need plain DNS to redirect you.
- Max Protection: all DNS queries must go through DoH. Shows an error page if the DoH resolver fails. Use this at home if you want the strongest guarantee.
- Select a provider from the dropdown.
Firefox was the first major browser to ship DoH and still offers the most granular control over protection levels.
Microsoft Edge
- Open Settings > Privacy, search, and services.
- Scroll to Security and enable Use secure DNS to specify how to look up the network address for websites.
- Choose a provider or enter a custom DoH URL.
Safari
Safari has no built-in DoH toggle. Configure it at the OS level using the macOS or iOS steps below.
Windows 11
- Open Settings > Network & internet.
- Click your active connection (Wi-Fi or Ethernet).
- Click Hardware Properties, then click Edit next to DNS server assignment.
- Switch to Manual, flip IPv4 on, and enter your DNS servers:
- Cloudflare: 1.1.1.1 (primary), 1.0.0.1 (secondary)
- Google: 8.8.8.8 (primary), 8.8.4.4 (secondary)
- Set DNS over HTTPS to On (automatic template).
- Click Save.
Note: simply entering the IP addresses without toggling the DoH switch sends those queries in plain text. The encrypted label only appears once you explicitly enable the DoH toggle.
macOS
macOS does not expose a DoH toggle in System Settings. Entering a DNS IP address under Network preferences sends queries unencrypted. For true system-wide DoH, you need to install a .mobileconfig configuration profile.
The easiest path: download a signed profile from your DNS provider (Cloudflare's setup page at one.one.one.one offers one) or use a community repository such as paulmillr/encrypted-dns on GitHub. After downloading, open it in Safari and go to System Settings > Privacy & Security > Profiles to install. The profile applies to all networks by default.
Android
Android 9 and later supports Private DNS using DNS over TLS system-wide:
- Open Settings > Network & internet > Private DNS.
- Select Private DNS provider hostname.
- Enter
one.one.one.one(Cloudflare) ordns.google(Google). - Tap Save.
In my testing, Android's "Strict Mode" Private DNS is reliable and covers all apps, not just the browser. Android 13 and later also adds DoH support in some configurations, but the DoT path via Private DNS remains the simpler, universally available option. Verify it worked by visiting 1.1.1.1/help after enabling, which shows whether DoT is active.
iOS and iPadOS
iOS 14 and later supports system-wide encrypted DNS via configuration profiles:
- Download a
.mobileconfigprofile from your DNS provider in Safari (Cloudflare's profile is available atone.one.one.one). - Go to Settings > General > VPN & Device Management.
- Tap the downloaded profile and follow the prompts to install it.
Once installed, the profile overrides per-network DNS settings across Wi-Fi and cellular, covering all apps without a VPN.
Linux (systemd)
For Ubuntu 22.04 and later, Fedora, and other systemd distributions, edit the resolver config:
sudo nano /etc/systemd/resolved.confAdd or modify:
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yesThen restart:
sudo systemctl restart systemd-resolvedThis enables DoT. For DoH specifically on Linux, a local proxy like cloudflared or dnscrypt-proxy is the more reliable path.
Choosing a DoH Provider
| Provider | Primary DNS | DoH URL | Notes |
|---|---|---|---|
| Cloudflare | 1.1.1.1 | cloudflare-dns.com/dns-query | Independently audited, fastest on most benchmarks |
| 8.8.8.8 | dns.google/dns-query | Source IPs anonymized after 24-48 hours | |
| Quad9 | 9.9.9.9 | dns.quad9.net/dns-query | Non-profit, no-logs, blocks known malicious domains |
| NextDNS | Custom | nextdns.io | Configurable ad blocking and logging |
| Mullvad | 194.242.2.2 | dns.mullvad.net/dns-query | No-logs, ad and tracker blocking |
My rule: use Cloudflare for most setups. Independent audits confirm they do not write querying IP addresses to disk alongside DNS queries, and source IPs are anonymized and deleted within 25 hours. On global benchmarks, 1.1.1.1 consistently posts median response times around 11-15 ms, ahead of most alternatives. If ad and tracker blocking at the DNS level matters to you, Quad9 or NextDNS are worth the slight setup overhead.
One honest caveat: all DoH providers do see your query content, even if they claim not to log it. DoH shifts trust from your ISP to your chosen resolver. Pick one whose privacy policy and audit history you find credible.
Verifying DoH Is Working
After enabling DoH, confirm it is actually running:
- Use our DNS Leak Test to check whether your queries are leaving through your chosen resolver or leaking to your ISP's servers.
- Visit
1.1.1.1/helpif using Cloudflare to confirm DoH or DoT is active. - Check Cloudflare's Encrypted SNI test page for a broader picture of your browser's security posture.
If the leak test still shows your ISP's nameservers, your browser's DoH setting may have defaulted back to system DNS, or a network policy is overriding it.
You can also inspect what DNS server your browser is resolving names against using the DNS Lookup tool, which can help you verify that responses are coming from the right resolver.
What DoH Does Not Fix
DoH is one layer, not a complete solution. It hides which domains you look up, but the DNS resolver you choose still sees every query. The website's IP address you connect to is also visible via SNI (Server Name Indication) in the TLS handshake, though Encrypted Client Hello (ECH) is reducing that exposure in modern browsers.
Websites also track you through cookies, browser fingerprinting, referrer headers, and login sessions. For a meaningful step up in overall privacy, pair DoH with a reputable VPN and check whether your browser is leaking more identifiers than you think via our Browser Fingerprint tool.
Enterprise IT teams should be aware that DoH bypasses network-level DNS monitoring. Organizations that rely on DNS for security filtering (malware detection, acceptable-use enforcement) typically configure browsers or endpoint policies to use their own internal DoH resolvers rather than public ones.
Frequently Asked Questions
Does DNS over HTTPS make me anonymous online?
No. DoH encrypts your DNS queries so your ISP and local network observers cannot see which domains you look up, but it does not hide your IP address, your browsing habits from the website itself, or your queries from the DoH resolver you use. It is a privacy improvement, not anonymity.
Will enabling DoH slow down my browsing?
The HTTPS connection to a DoH resolver adds a small amount of overhead on the first query, typically in the range of 10-50 milliseconds. After that, the connection is reused and subsequent queries are fast. In practice, most users do not notice any difference, and a fast resolver like Cloudflare can actually be quicker than a slow ISP resolver.
What is the difference between DoH and DoT?
Both encrypt DNS queries. DoH (DNS over HTTPS) sends queries over port 443, blending with normal web traffic and making it hard to block without blocking the entire web. DoT (DNS over TLS) uses a dedicated port 853, which is easier for network administrators to identify, manage, and selectively block. For home use, DoH is more practical. For enterprise environments where controlled, visible encrypted DNS is needed, DoT is often preferred.
Can my ISP still track me if I use DoH?
Your ISP can no longer read your DNS queries when DoH is active. However, they can still see the IP addresses you connect to and the timing of your traffic, which can infer browsing patterns. They also see your traffic before it reaches the DoH resolver. For more complete ISP privacy, a VPN encrypts your full traffic stream at the network level.
Does DoH work on mobile data (cellular)?
Yes. On Android, enabling Private DNS applies system-wide to both Wi-Fi and cellular connections. On iOS, an installed .mobileconfig profile also covers cellular. Browser-level DoH in Chrome or Firefox applies to that browser's DNS queries regardless of connection type.
How do I know if my DNS is leaking despite DoH being enabled?
Run our DNS Leak Test. If the result shows your ISP's DNS servers instead of Cloudflare, Google, or whichever resolver you configured, DoH is not active for that traffic. Common causes: the browser setting was not saved, the OS has a group policy overriding it, or you are on a network that intercepts port 443 traffic through a proxy. Check the DNS Lookup tool as a secondary confirmation to see which nameservers respond to a query.
Sources
WhatIsMyLocation Team
Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.
Related Articles
Try Our Location Tools
Find your IP address, GPS coordinates, and more with our free tools.