🌐 DNS Deep Dive (5 min read)

DNS over HTTPS (DoH)

How DNS over HTTPS encrypts your DNS queries and how to enable it on your devices.

What Is DNS over HTTPS?

DNS over HTTPS (DoH) encrypts DNS queries by sending them over the HTTPS protocol (port 443). Traditional DNS sends queries in plain text over UDP port 53, which means anyone on the network path — ISPs, network administrators, attackers — can see which domains you're resolving.

Why DoH Matters

With traditional DNS:

Your Device → [Plain text: "What's the IP for example.com?"] → DNS Server

With DoH:

Your Device → [Encrypted HTTPS request] → DoH Server

DoH prevents DNS queries from being intercepted, modified, or logged by third parties on the network path between your device and the resolver.
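To make the exchange above concrete, here is an added example (not code from the original page) that builds a DNS wire-format query, wraps it in both request forms defined for DoH (a GET with the query base64url-encoded in the dns= parameter, and a POST with an application/dns-message body), and parses the wire-format answer that comes back. The DoH URL is one of the provider endpoints listed later on this page; the sample response bytes and the 93.184.216.34 address in them are constructed for the offline parser check, and resolve_over_doh is the only function that needs network access.

```python
"""Minimal DNS-over-HTTPS client pieces: wire-format query builder,
DoH GET/POST request construction, and answer parsing.
Added example; not taken from the original page."""
import base64
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # endpoint listed on the page

# Constructed sample answer (assumption, not captured traffic): ID 0, flags
# 0x8180 (response, RD, RA, NOERROR), one question for example.com/A and one
# A record with TTL 300 whose name is a compression pointer back to offset 12.
SAMPLE_RESPONSE = (
    bytes.fromhex("000081800001000100000000")
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + bytes.fromhex("c00c00010001" "0000012c" "0004")
    + bytes([93, 184, 216, 34])
)


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a single-question DNS query. DoH clients normally use ID 0 so
    identical questions produce identical bytes (HTTP caches can reuse them)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: the query is base64url-encoded with '=' padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def doh_post_request(base_url: str, query: bytes) -> urllib.request.Request:
    """POST form: raw wire-format body with the DoH media type."""
    return urllib.request.Request(
        base_url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed domain name; return (name, next_offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                   # resume after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes):
    """Return (rcode, [(name, type, ttl, rdata)]) for the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                         # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:           # A record: dotted quad
            rdata_str = ".".join(str(b) for b in rdata)
        else:
            rdata_str = rdata.hex()
        answers.append((name, rtype, ttl, rdata_str))
    return flags & 0xF, answers


def resolve_over_doh(name: str, base_url: str = DOH_URL, timeout: float = 5.0):
    """Send the query over HTTPS (port 443) and parse the reply. Needs network."""
    req = doh_post_request(base_url, build_query(name))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("application/dns-message"):
            raise ValueError(f"unexpected content type: {ctype}")
        return parse_response(resp.read())


if __name__ == "__main__":
    print(doh_get_url(DOH_URL, build_query("www.example.com")))
    print(parse_response(SAMPLE_RESPONSE))      # offline check of the parser
    try:
        print(resolve_over_doh("example.com"))
    except OSError as exc:
        print("network unavailable:", exc)
```

Everything an on-path observer sees here is a TLS connection to port 443 carrying an HTTP request; the question and answer only exist in plaintext inside the wire-format bytes handled by build_query and parse_response on the client, and on the resolver itself.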

DoH vs DoT

DNS over TLS (DoT) is an alternative encryption method that uses a dedicated port (853).

Feature          | DoH (HTTPS)                              | DoT (TLS)
-----------------|------------------------------------------|---------------------------------
Port             | 443                                      | 853
Firewall bypass  | Excellent — blends with HTTPS traffic    | Poor — port 853 is easily blocked
Privacy          | High — looks like regular web traffic    | Moderate — identifiable by port
Performance      | Slightly higher overhead                 | Slightly lower overhead
Adoption         | Browsers, major resolvers                | OS-level, some resolvers

DoH is generally preferred for consumer privacy because it's indistinguishable from regular HTTPS traffic.

Enabling DoH

In Your Browser

Firefox: Settings → Privacy & Security → DNS over HTTPS → Enable

Chrome: Settings → Privacy and Security → Security → Use secure DNS

Edge: Settings → Privacy → Use secure DNS

Provider    | DoH URL
------------|-------------------------------------
Cloudflare  | https://cloudflare-dns.com/dns-query
Google      | https://dns.google/dns-query
Quad9       | https://dns.quad9.net/dns-query

On macOS / iOS

Apple supports encrypted DNS profiles. You can install a configuration profile from providers like Cloudflare's 1.1.1.1 app.

On Linux

# Using systemd-resolved (Ubuntu 22.04+)
# Note: systemd-resolved implements DNS over TLS (DoT, port 853), not DoH,
# so this stanza encrypts system-wide lookups with DoT; the browser settings
# above are what enable DoH.
sudo nano /etc/systemd/resolved.conf

# Add (the "#hostname" suffix lets resolved validate the resolver's TLS certificate):
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes

# Apply the change and confirm "DNS over TLS: yes" appears for your link:
sudo systemctl restart systemd-resolved
resolvectl status

Limitations

  • DoH encrypts the DNS query but not the destination IP — your ISP can still see which servers you connect to
  • Some corporate networks require DNS monitoring and may block DoH
  • DoH doesn't protect against a compromised DNS resolver — choose a trusted provider
