
DNS Over HTTPS (DoH): What It Is and How to Enable It
Every time you visit a website, your device performs a DNS lookup, translating the human-readable domain name (like whatismylocation.org) into the numerical IP address that computers use to find each other. Traditionally, these lookups happen in plain text, meaning anyone who can observe your network traffic (your ISP, a hacker on public WiFi, or a government surveillance program) can see exactly which websites you're visiting, even if the websites themselves use HTTPS encryption.
DNS over HTTPS (DoH) solves this problem by encrypting your DNS queries inside the same HTTPS protocol that protects your web browsing. In this guide, we'll explain exactly how DoH works, why you should enable it, and how to set it up on every major platform.
How Traditional DNS Works (And Why It's a Problem)
To understand why DoH matters, you need to understand how traditional DNS works:
1. You type "whatismylocation.org" into your browser
2. Your device sends a DNS query to a DNS resolver (usually your ISP's)
3. The resolver looks up the IP address and returns it
4. Your browser connects to that IP address
The problem is in step 2. Traditional DNS queries use UDP port 53 and are sent as unencrypted plain text. This means:
- Your ISP sees every website you visit, even if you use HTTPS on those sites
- Anyone on your local network (especially on public WiFi) can intercept and read your DNS queries
- DNS queries can be tampered with through man-in-the-middle attacks, redirecting you to malicious sites
- Governments and organizations can easily monitor and censor internet usage by intercepting DNS
Think about it this way: HTTPS encrypts what you do on a website, but traditional DNS reveals which websites you visit. It's like putting a letter in a sealed envelope but writing the recipient's name on a public billboard.
What Is DNS Over HTTPS?
DNS over HTTPS (DoH) encrypts DNS queries by sending them through the HTTPS protocol (port 443), the same encryption used to protect online banking, shopping, and other sensitive web traffic.
How DoH changes the process:
1. You type "whatismylocation.org" into your browser
2. Your device encrypts the DNS query and sends it over HTTPS to a DoH-compatible resolver
3. The resolver decrypts the query, looks up the IP address, and sends the encrypted response back
4. Your browser connects to the website
From the outside, a DoH query looks identical to any other HTTPS traffic. An observer can see that you're communicating with the DNS resolver's IP address, but they cannot see what domain names you're looking up. Keep in mind that the IP address of the website you then connect to (and, in most cases, its hostname in the TLS handshake's SNI field) is still visible to the same observer: DoH hides the lookup, not the connection that follows it.
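The exchange in step 2 and step 3 above, as an added example that is not part of the original article: the query is an ordinary DNS wire-format message carried in an HTTPS request body (POST) or in a base64url `dns=` parameter (GET), and the answer comes back as the same wire format. The resolver URL is Cloudflare's from the provider table on this page; `resolve_over_doh` needs network access, while the builder and parser run offline on a constructed reply.

```python
import base64
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # endpoint from the provider table on this page

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """One-question DNS query in wire format; RFC 8484 suggests ID 0 for cacheability."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a domain name, which may end in a 2-byte compression pointer."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_answers(msg: bytes) -> list:
    """Return the IPv4 strings from the A records in a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):  # skip the echoed question section
        pos = _skip_name(msg, pos) + 4
    answers = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return answers

def doh_get_url(name: str, url: str = DOH_URL) -> str:
    """GET form: base64url-encoded query, padding removed, in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{url}?dns={encoded}"

def resolve_over_doh(name: str, url: str = DOH_URL) -> list:
    """POST form: send the wire-format query over HTTPS (needs network) and parse the reply."""
    req = urllib.request.Request(url, data=build_query(name), method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_answers(resp.read())
```

Pointing `resolve_over_doh` at any URL from the provider table is also a quick way to confirm that a resolver really answers over DoH.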
DoH vs DoT (DNS over TLS)
You may also encounter DNS over TLS (DoT), which is another method for encrypting DNS queries. Here's how they compare:
| Feature | DoH (DNS over HTTPS) | DoT (DNS over TLS) |
|---|---|---|
| Port | 443 (same as HTTPS) | 853 (dedicated) |
| Visibility | Blends with regular HTTPS traffic | Identifiable by port number |
| Blocking | Difficult to block without blocking all HTTPS | Easy to block by filtering port 853 |
| Browser support | Excellent | Limited |
| OS support | Growing | Good (Android, Linux) |
| Performance | Slightly more overhead | Slightly less overhead |
Which is better? For most users, DoH is the better choice because it's harder to block and has wider browser support. DoT is technically slightly more efficient but is easier for network administrators to identify and filter.
Why You Should Enable DoH
1. Prevent ISP Snooping
Your ISP can (and in many countries does) log every DNS query you make. In the United States, ISPs can legally sell your browsing data to advertisers. DoH prevents your ISP from seeing which specific websites you visit through DNS inspection.
2. Protect Against DNS Hijacking
Without encryption, attackers can intercept DNS queries and return fake responses, redirecting you to phishing sites or injecting malware. DoH makes this type of attack vastly more difficult.
3. Stay Safe on Public WiFi
Public WiFi networks are prime targets for DNS-based attacks. With DoH enabled, even if someone is monitoring the network, they cannot see or tamper with your DNS queries. This is especially important for activities like checking your IP address details or running an HTTP Headers check from untrusted networks.
4. Bypass DNS-Based Censorship
Some countries and organizations use DNS filtering to block access to certain websites. Since DoH traffic looks like regular HTTPS, it's much harder to selectively block.
5. Data Integrity
DoH ensures that DNS responses haven't been tampered with in transit between your device and the resolver. You get the authentic answer from your DNS resolver, not a modified version injected by a middleman.
How to Enable DoH on Every Platform
Google Chrome
- Open Chrome and go to Settings
- Navigate to Privacy and security > Security
- Scroll to Advanced
- Enable Use secure DNS
- Select With: Customized and choose a provider (Cloudflare, Google, or enter a custom URL)
Mozilla Firefox
- Open Firefox and go to Settings
- Scroll to Privacy & Security
- Under DNS over HTTPS, select Max Protection or Increased Protection
- Choose your preferred provider
Firefox was the first major browser to support DoH and offers the most granular control.
Microsoft Edge
- Open Edge and go to Settings
- Navigate to Privacy, search, and services
- Scroll to Security
- Enable Use secure DNS to specify how to lookup the network address for websites
- Select your preferred provider
Safari (macOS/iOS)
Safari does not have a built-in DoH toggle. Instead, you configure DoH at the operating system level (see macOS and iOS sections below) or use a DNS profile from providers like Cloudflare (1.1.1.1 app).
Windows 11
- Open Settings > Network & internet
- Click on your active connection (Wi-Fi or Ethernet)
- Click Edit next to DNS server assignment
- Switch to Manual
- Enter a DoH-compatible DNS server:
  - Cloudflare: 1.1.1.1 (Primary), 1.0.0.1 (Secondary)
  - Google: 8.8.8.8 (Primary), 8.8.4.4 (Secondary)
- Under DNS over HTTPS, select On (automatic template)
macOS
- Open System Settings > Network
- Select your active connection
- Click Details > DNS
- Remove existing DNS servers and add DoH-compatible ones (1.1.1.1 and 1.0.0.1)
- For full DoH, install a DNS profile from Cloudflare's 1.1.1.1 setup page or use the 1.1.1.1 app
Linux
For systemd-based distributions (Ubuntu 22.04+, Fedora, etc.):
Open the resolver configuration:

```sh
sudo nano /etc/systemd/resolved.conf
```

Add or modify:

```ini
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
```

Then restart the resolver:

```sh
sudo systemctl restart systemd-resolved
```

Note: systemd-resolved natively supports DoT, not DoH (the `#cloudflare-dns.com` suffix is the hostname used to validate the resolver's TLS certificate). For DoH specifically, you need a local proxy such as dnscrypt-proxy or cloudflared.
Android
Android 9+ supports DNS over TLS natively (which provides similar encryption):
- Open Settings > Network & internet > Private DNS
- Select Private DNS provider hostname
- Enter one.one.one.one (Cloudflare) or dns.google (Google)
For DoH specifically, install the Cloudflare 1.1.1.1 app from the Play Store.
iOS / iPadOS
- Install the 1.1.1.1: Faster Internet app from the App Store
- Open the app and toggle the connection on
- Alternatively, install a DNS configuration profile from Cloudflare's website
Choosing a DoH Provider
| Provider | Primary DNS | DoH URL | Privacy Policy |
|---|---|---|---|
| Cloudflare | 1.1.1.1 | https://cloudflare-dns.com/dns-query | No-logs, audited annually |
| Google | 8.8.8.8 | https://dns.google/dns-query | Logs anonymized after 24-48h |
| Quad9 | 9.9.9.9 | https://dns.quad9.net/dns-query | Non-profit, no-logs, threat blocking |
| NextDNS | Custom | Custom | Configurable logging, ad blocking |
| Mullvad | 194.242.2.2 | https://dns.mullvad.net/dns-query | No-logs, ad/tracker blocking |
Our recommendation: Cloudflare (1.1.1.1) offers the best combination of speed, privacy, and reliability. Their DNS resolver is independently audited to verify their no-logs claim, and they consistently rank among the fastest DNS resolvers globally.
Verifying DoH Is Working
After enabling DoH, verify it's actually working:
- Visit Cloudflare's browsing experience check to test if your DNS queries are encrypted
- Use our HTTP Headers tool to inspect your connection details
- Check the 1.1.1.1 help page if using Cloudflare to confirm DoH is active
Potential Downsides and Considerations
Centralization concerns: DoH concentrates DNS resolution among a few large providers (Cloudflare, Google, etc.) instead of distributing it across many ISP resolvers. This gives those providers significant visibility into global browsing patterns, even if they claim not to log.
Enterprise network management: IT administrators may need to monitor DNS for security purposes (detecting malware, enforcing acceptable use policies). DoH can bypass network-level DNS controls, which is why some organizations disable it.
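One way an administrator can spot the bypass described above is to look for TLS connections to the encrypted-DNS endpoints listed in this page's provider table, or to the dedicated DoT port 853. The script below is an added example, not part of the original article; its log format and every address in it are constructed, it assumes your logs record the SNI per connection (as Zeek's ssl.log or a proxy would), and it only catches endpoints you already know about, so a custom DoH URL on an unrelated host will not match.

```python
import re

# Encrypted-DNS endpoints taken from this page's provider table (Cloudflare, Google, Quad9, Mullvad).
# Assumption: your logs record the TLS SNI per connection, as Zeek's ssl.log or a proxy would.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "dns.mullvad.net"}
DOT_PORT = 853  # DoT uses a dedicated port, so it is visible even without SNI

# Constructed sample log: "<timestamp> <client> <server>:<port> <sni>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.23 203.0.113.5:443 www.example.com
2024-05-01T09:00:02Z 10.0.0.23 1.1.1.1:443 cloudflare-dns.com
2024-05-01T09:00:03Z 10.0.0.41 192.0.2.53:853 dot.example.org
2024-05-01T09:00:04Z 10.0.0.41 198.51.100.7:443 mail.example.net
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")

def classify(line: str):
    """Return (client, reason) if the connection looks like encrypted DNS that
    bypasses the internal resolver, otherwise None. Unparseable lines are ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, server, port, sni = m.groups()
    if sni.lower().rstrip(".") in DOH_HOSTS:
        return client, f"DoH endpoint {sni} ({server})"
    if int(port) == DOT_PORT:
        return client, f"DoT to {server}:{port}"
    return None

def find_encrypted_dns(log_text: str) -> list:
    """One finding per matching line; an empty list means nothing was spotted."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for client, reason in find_encrypted_dns(SAMPLE_LOG):
        print(f"{client}: {reason}")
```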
Slightly increased latency: The HTTPS handshake adds a small amount of latency to the first query. In practice, this is usually 10-50 milliseconds and is negligible for normal browsing. Subsequent queries reuse the connection and are very fast.
Not a complete privacy solution: DoH encrypts DNS, but websites can still track you via cookies, fingerprinting, and other methods. For comprehensive privacy, combine DoH with a VPN and privacy-focused browser settings.
Key Takeaways
- Traditional DNS queries are sent in plain text, exposing every website you visit
- DNS over HTTPS encrypts those queries, preventing snooping by ISPs, hackers, and censors
- Every major browser and operating system now supports DoH or DoT
- Cloudflare (1.1.1.1) is the recommended provider for most users
- DoH is one layer of privacy, not a complete solution; pair it with a VPN for maximum protection
WhatIsMyLocation Team
Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.