Updated June 2026

DNS over HTTPS (DoH) Explained

How encrypted DNS queries protect your privacy, how DoH compares to DoT and DoQ, and how to enable it on any device.

What Is DNS over HTTPS

DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by wrapping them in HTTPS traffic. Instead of sending your DNS lookups as plaintext over the network — where anyone on the path can see which websites you are trying to visit — DoH sends those same queries inside an encrypted HTTPS connection to a resolver that supports it.

To understand why this matters, you need to know what happens when you type a URL into your browser. Before any page loads, your device has to ask a DNS server to translate the domain name (like example.com) into an IP address (like 93.184.216.34). That question and answer travel across your network in plain text by default. Your internet service provider, a network administrator, or anyone intercepting your traffic can read those DNS queries and build a detailed profile of your browsing habits.

DoH fixes this by sending the DNS query inside the same kind of encrypted tunnel that protects your online banking or email. The query goes to port 443, the standard HTTPS port, so from the outside it looks like any other TLS session. Your ISP can see that you are connecting to a resolver's IP address, but it cannot see which domain you asked about.

The IETF standardized DoH in RFC 8484 in 2018. Since then, adoption has grown steadily. Firefox became the first major browser to enable it by default in 2020. Chrome, Edge, Opera, and Brave followed. Most major public DNS resolvers — including Cloudflare, Google, Quad9, and NextDNS — now support DoH endpoints.

How DoH Works

The technical process is straightforward. When your browser needs to resolve a domain name, it constructs a standard DNS query in wire format — the same binary format DNS has used since the 1980s. But instead of sending that query as an unencrypted UDP datagram to port 53, it wraps the query in an HTTPS POST request (the message is the body, with content type application/dns-message) or a GET request (the message is base64url-encoded in the dns query parameter) and sends it to a DoH server over TLS on port 443.

Here is the step-by-step flow:

1. DNS Query Construction

Your browser constructs a DNS query for the domain you want to visit. This is a binary message that includes the domain name, the record type (A for IPv4, AAAA for IPv6), and a transaction ID.

2. HTTPS Wrapping

Instead of sending this query as a standalone UDP packet, the browser places it inside an HTTPS request. RFC 8484 defines two forms: a POST request whose body is the raw DNS wire-format message, sent with the content type application/dns-message, and a GET request where the same message is base64url-encoded (without padding) and carried in the dns query parameter, as in ?dns=AAABAAAB.... The GET form can be served from ordinary HTTP caches, which is why the standard recommends setting the DNS transaction ID to 0: identical queries then produce identical URLs.

3. TLS Encryption

The HTTPS connection is protected by TLS, the same encryption that secures web browsing, so the query is encrypted in transit and no one between your device and the DoH server can read it. The server's certificate is checked during the TLS handshake, so an attacker on the path cannot impersonate the resolver. Note what this does and does not authenticate: TLS proves you are talking to the resolver you named; it does not prove that the resolver's answers are truthful. Verifying the DNS data itself is the job of DNSSEC, which a resolver may validate on your behalf (the AD flag in its responses indicates that it did).

4. Response Delivery

The DoH server resolves the query using its upstream resolver infrastructure, then sends the DNS response back inside the same HTTPS connection. Your browser extracts the IP address from the response and connects to the website as normal.
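To make the two request forms concrete, here is an added example (not code from this page, and not any resolver's client library) that builds the wire-format query for www.example.com, produces the GET URL and the POST request an RFC 8484 client would send, and parses an A-record answer. It runs offline: the response is a constructed message of the shape a resolver returns, using the article's example address 93.184.216.34, and the endpoint is Cloudflare's from the provider table below, though nothing is sent to it. The GET URL it produces for this query is the one RFC 8484 itself uses as its example.

```python
"""Build an RFC 8484 DoH request and parse the DNS wire-format answer.

Added example, not code from the original page. It runs offline: the
response below is constructed by hand to look like what a resolver returns
for an A query on www.example.com (93.184.216.34 is the address the article
uses as its illustration).
"""
import base64
import struct

DOH_URL = "https://cloudflare-dns.com/dns-query"  # endpoint from the provider table; not contacted here


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length-prefixed, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query. RFC 8484 recommends ID 0 so that identical
    queries produce identical HTTP requests and can be served from HTTP caches."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID 0, RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes, base: str = DOH_URL) -> str:
    """GET form: base64url without '=' padding, carried in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


def doh_post_request(query: bytes, base: str = DOH_URL) -> dict:
    """POST form: the raw wire-format message is the body. The dict stands in
    for the call a real HTTP client would make; only the required headers are set."""
    return {
        "method": "POST",
        "url": base,
        "headers": {"content-type": "application/dns-message",
                    "accept": "application/dns-message"},
        "body": query,
    }


def read_name(msg: bytes, off: int):
    """Decode a name at off, following RFC 1035 compression pointers.
    Returns (name, offset just after the name in the original byte stream)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                       # bounded hops: a malformed pointer loop must not hang us
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                  # pointer: 14-bit offset into the message
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    raise ValueError("name too long or compression pointer loop")


def parse_a_records(msg: bytes):
    """Return [(owner, ttl, ipv4)] for the A records in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                         # RCODE != 0, e.g. 3 = NXDOMAIN
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    out = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return out


# Constructed response: ID 0, flags 0x8180 (QR, RD, RA), one question, one answer
# whose owner name is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))
    print(doh_post_request(q)["headers"])
    print(parse_a_records(SAMPLE_RESPONSE))
```

Two details in the parser matter for anything that reads DNS off the wire: the pointer-following loop is bounded so a crafted message cannot make it spin forever, and the RCODE is checked before any answer is trusted, since a resolver that replies NXDOMAIN or SERVFAIL still returns a well-formed message with an empty answer section.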

The key insight is that DoH reuses infrastructure that already exists for web browsing. Every HTTPS website you visit goes through the same TLS encryption process. DoH simply applies that same encryption to DNS queries. There is no new cryptographic protocol to implement, no new key exchange to manage. It is DNS carried over a connection type that the internet already trusts.

One technical detail worth noting: DoH uses a persistent HTTPS connection. After the initial TLS handshake, subsequent DNS queries on the same connection skip the handshake entirely, and HTTP/2 multiplexes many outstanding queries over that single connection. The overhead of encryption therefore drops after the first query to the HTTP framing around each message, which HTTP/2 header compression keeps to a few dozen bytes per request.

DoH vs DoT vs DoQ

There are three main encrypted DNS protocols in active use. Each takes a different approach to encrypting DNS queries, and each has distinct tradeoffs in terms of performance, privacy, and manageability.

Feature | DoH (DNS over HTTPS) | DoT (DNS over TLS) | DoQ (DNS over QUIC)
Protocol | HTTPS (HTTP/2 or HTTP/3) | TLS over TCP | QUIC (UDP-based)
Port | 443 | 853/TCP | 853/UDP (early drafts and some clients used 784)
Encryption | TLS 1.2 / 1.3 | TLS 1.2 / 1.3 | TLS 1.3 (built into QUIC)
Blends with web traffic | Yes: shares port 443 with HTTPS; identifiable only by resolver IP or SNI | No: dedicated port | No: dedicated port
Firewall friendly | Excellent: port 443 is almost never blocked | Weaker: port 853 is trivial to block | Weaker: 853/UDP is trivial to block, and some networks drop UDP to unfamiliar ports
Connection setup | 2 RTT cold over HTTP/2 (TCP, then TLS); 1 RTT over HTTP/3; 0-RTT on session resumption | 2 RTT cold (TCP, then TLS) | 1 RTT cold; 0-RTT on session resumption
Per-query overhead after setup | Negligible | Negligible | Negligible
Browser support | Native in Firefox, Chrome, Edge, Opera, Brave | None (OS-level only) | None (dedicated clients only)
OS support | Windows 11; macOS 11+ and iOS 14+ via configuration profile; Android 11+ automatically for recognised resolvers; Linux via a local DoH client | Android 9+ (Private DNS); iOS 14+ and macOS 11+ via profile; Linux (systemd-resolved); many routers | No native OS support; dedicated clients and resolvers (for example AdGuard)
Maturity | Established (RFC 8484, 2018) | Established (RFC 7858, 2016) | Emerging (RFC 9250, 2022)

DoH: The Privacy-First Choice

DoH's biggest advantage is that it uses port 443, the same port as every HTTPS website, so a crude rule such as "block port 853" cannot stop it without blocking the web. That makes DoH the most censorship-resistant of the three protocols, but it is not invisible. A network that wants to stop DoH does not need to block all of HTTPS; it only needs to block the resolvers, and browsers deliberately defer to the network in some cases.

The tradeoff is that DoH traffic must go through the same infrastructure as web traffic, and a firewall does not need deep packet inspection to single it out. It can see the destination IP address of every TLS connection and, unless Encrypted Client Hello is in use, the SNI in the ClientHello, which for DoH names the resolver (cloudflare-dns.com or dns.google, for example). Enterprise firewalls and filtering services commonly ship blocklists of public DoH resolver hostnames and addresses for exactly this purpose. Firefox additionally honours a canary domain, use-application-dns.net: if the network's own resolver returns NXDOMAIN for it, Firefox's default-mode DoH switches itself off on that network. What the network cannot do is read the queries inside the connection, or tell a DoH session apart from ordinary HTTPS to a server it has never seen before.

DoT: The Network Administrator's Choice

DoT uses a dedicated port (853) for encrypted DNS traffic. This makes it easy for network administrators to identify, manage, and troubleshoot DNS traffic. You can see DoT connections in network logs, apply policies specifically to port 853, and separate DNS traffic from general web traffic for monitoring purposes.

The downside is obvious: any network that blocks port 853 blocks DoT entirely, and because the port serves no other purpose, blocking it costs the network nothing. Some corporate networks, public Wi-Fi hotspots, and ISPs do exactly that to keep users on their own DNS filtering. This makes DoT less useful in precisely the environments where encrypted DNS is most wanted.

DoQ: The Fastest Option

DoQ uses QUIC, the same UDP-based transport protocol that powers HTTP/3. QUIC was designed for low latency: it merges the transport and TLS 1.3 handshakes, so a new connection is usable after one round trip instead of the two (TCP, then TLS) that DoH over HTTP/2 and DoT need, and a client reconnecting to a resolver it has spoken to before can use 0-RTT resumption to send its first query in the very first packet. 0-RTT data can be replayed by an attacker, which is harmless for a DNS query but is why it only applies to resumed sessions, not to the first contact with a resolver.

DoQ is the newest protocol (standardized in RFC 9250 in 2022) and has the least adoption. RFC 9250 assigns it port 853 over UDP, the same number DoT uses over TCP (earlier drafts and some clients used port 784). A dedicated UDP port is as easy to block as DoT's, and some networks drop UDP to unfamiliar ports altogether. No mainstream browser or operating system ships DoQ natively; support comes from dedicated DNS clients and resolvers such as AdGuard's. For most users today, DoH remains the practical choice, but DoQ is worth watching as adoption grows.

Privacy Benefits of DoH

The primary benefit of DoH is preventing unauthorized parties from reading your DNS queries. Without encryption, every DNS lookup you make is visible to your ISP, your network administrator, and anyone else positioned between your device and the DNS resolver. This data reveals which websites you visit, when you visit them, and how often.

What DoH Protects

DoH encrypts the DNS message itself: the domain name, the record type, and the answer. This means your ISP cannot log which domains you are resolving. A public Wi-Fi operator cannot build a profile of your browsing from DNS traffic. A surveillance tap at the ISP level sees only that your device holds an HTTPS session with a known resolver, plus the timing and size of the encrypted messages. Your DNS queries are as well protected in transit as your online banking traffic.

DoH also prevents DNS manipulation on the path. Some ISPs inject fake DNS responses to redirect users to advertising pages or censor specific websites. Because the response arrives inside a TLS connection whose server certificate your browser verified, an on-path party cannot forge or alter it. The resolver itself is still trusted: TLS does not stop the resolver you chose from filtering or rewriting answers, which is why the resolver's policy matters (see below) and why DNSSEC exists to validate the data independently of who served it.

What DoH Does Not Protect

DoH encrypts DNS queries, but it does not encrypt your actual web traffic to the destination website (though HTTPS does that separately). Your ISP can still see the IP addresses you connect to. Even without reading your DNS queries, an ISP can correlate your IP connections with known server IPs to infer which websites you are visiting — though this is harder and less precise than reading DNS queries directly.

If you use a DoH resolver that logs queries (like Google's 8.8.8.8, which retains anonymized logs for 24-48 hours), the resolver operator itself can see your queries. The encryption protects your queries in transit, not at the endpoints. For maximum privacy, combine DoH with a resolver that has a strict no-log policy, such as Cloudflare 1.1.1.1 or Quad9.

DoH also does not protect against SNI-based surveillance. When your browser connects to a website over HTTPS, the server name is sent in the TLS ClientHello message in plaintext (unless the browser supports Encrypted Client Hello, which is still rolling out). This means an observer can see which website you are connecting to even if they cannot read the traffic. DoH solves the DNS visibility problem, not the full connection visibility problem.

Speed Implications

The short answer: DoH adds negligible overhead in real-world browsing. The longer answer depends on your connection type, the resolver you use, and how many DNS queries your browser makes per page load.

The TLS Handshake Cost

The main performance cost of DoH is setting up the first connection. Over HTTP/2 that means a TCP handshake followed by a TLS 1.3 handshake, two round trips before the first query leaves; over HTTP/3 (QUIC) the two merge into one, and a client resuming a previous session can use 0-RTT to send its first query immediately. On a typical broadband connection this initial setup adds roughly 10-20 milliseconds. On a fast fiber connection, it can be under 5 milliseconds.

After the initial handshake, the HTTPS connection stays open. Subsequent DNS queries are sent over the existing connection with no additional handshake. The per-query overhead drops to the cost of framing the DNS wire format inside an HTTP request: a couple of hundred bytes of headers on the first request, and a few dozen bytes once HTTP/2 header compression has seen them, which is negligible on any modern connection.

Real-World Benchmarks

In testing, the difference between encrypted and unencrypted DNS resolution is consistently small. On a 100 Mbps broadband connection, plaintext DNS queries to a local resolver average 5-15 milliseconds. DoH queries to Cloudflare 1.1.1.1 average 12-25 milliseconds from the same connection. The delta is typically 5-10 milliseconds per query.

For a single page load that requires 20-40 DNS lookups (typical for a modern website with external scripts, fonts, and analytics), the total overhead of DoH compared to plaintext DNS is roughly 100-400 milliseconds. This is spread across the entire page load and is usually masked by the parallel nature of DNS prefetching — modern browsers resolve multiple domains simultaneously.

On mobile networks with higher base latency, the proportional overhead is smaller. A 4G connection with 50-millisecond base latency sees the same 5-10 millisecond DoH overhead, but it represents a smaller fraction of total connection time.

Connection Reuse Matters

The performance difference between DoH and DoT is minimal. Both run TLS 1.3 over TCP and both maintain persistent connections, so both pay the same two round trips (TCP, then TLS) on a cold connection. DoH over HTTP/3 (which uses QUIC) needs one round trip, or none when resuming a previous session, matching DoQ.

If you are choosing a DoH resolver for performance, the resolver's geographic proximity matters far more than the protocol overhead. A DoH connection to a resolver 5 milliseconds away adds far less latency than a DoH connection to a resolver 50 milliseconds away. Run our DNS speed test to find the fastest resolver for your location.

How to Enable DoH

Enabling DoH is straightforward in modern browsers and operating systems. The process varies by platform, but none of them require technical expertise.

Browser Settings

Google Chrome

Chrome enables DoH automatically if your current DNS provider supports it. To manually configure a DoH provider: open Settings, go to Privacy and Security, click Security, and under Advanced find Use secure DNS. Toggle it on and select a provider from the dropdown, or enter a custom DoH URL like https://cloudflare-dns.com/dns-query. Chrome will route all DNS queries through the selected DoH resolver.

Mozilla Firefox

Firefox was the first browser to enable DoH by default. To check or change the setting: open Settings, go to Privacy & Security, scroll to DNS over HTTPS, and pick a protection level. Default protection lets Firefox decide (DoH where it is available and not overridden by the network or by enterprise policy); Increased protection uses DoH and falls back to the system resolver if the DoH resolver fails; Max protection uses DoH only, with no fallback, so on a network that blocks your resolver names will simply fail to resolve. You can also choose a provider or add a custom DoH URL.

Microsoft Edge

Edge uses the same Chromium DoH implementation as Chrome. Open Settings, go to Privacy, Search, and Services, scroll to Security, and enable Use secure DNS. Select a provider or enter a custom endpoint. Like Chrome, Edge upgrades to DoH automatically only when the system's configured resolver is on Chromium's built-in list of providers known to offer an equivalent DoH endpoint; otherwise it stays on plaintext DNS unless you pick a provider yourself. On managed devices the behaviour can be pinned with the DnsOverHttpsMode policy.

Operating System Settings

Windows 11

Windows 11 supports DoH at the system level. Open Settings, go to Network & Internet, select your connection (Wi-Fi or Ethernet), click Properties, then DNS server assignment and Edit. Select Manual, enable IPv4, and enter your preferred DNS server address (like 1.1.1.1). Then enable Encrypted only (DNS over HTTPS) from the dropdown and select the matching DoH template. Windows will apply DoH for all DNS queries system-wide.

macOS

macOS 11 (Big Sur) and later support DoH system-wide, but not through the DNS tab of Network settings: a server entered there is used over plaintext port 53, with no automatic upgrade. System-wide DoH requires a configuration profile containing a DNS Settings payload, which most public resolvers publish for download, or an app that installs one. Alternatively, run a local DoH client such as dnscrypt-proxy and point the system resolver at it, or configure DoH in your browser and let it resolve independently of the OS.

Android

Android 9 and later support Private DNS, which uses DNS over TLS (DoT) rather than DoH. Go to Settings, Network & Internet, Private DNS, and enter your resolver's hostname (like 1dot1dot1dot1.cloudflare-dns.com). Since Android 13 (and on Android 11 and later via Google Play system updates), the system resolver upgrades itself to DoH over HTTP/3 when the configured resolver is one it recognises, such as Google or Cloudflare, but there is no setting for entering a DoH URL. For an arbitrary DoH resolver, use Chrome or Firefox with DoH enabled; these browsers handle DoH independently of the Android system DNS settings.

iOS

iOS 14 and later support DoH system-wide through configuration profiles (the same DNS Settings payload macOS uses), which most public resolvers provide, or through apps that install one, such as DNS Override. Safari has no DoH setting of its own; it uses whatever the system resolver is configured to do. iCloud Private Relay, for iCloud+ subscribers, separately routes Safari's name lookups and web traffic through Apple's relays.

DoH Support by DNS Providers

Most major public DNS resolvers now support DoH. Here is a breakdown of the major providers and their DoH endpoints:

Provider | DoH Endpoint | Privacy Policy | Features
Cloudflare 1.1.1.1 | https://cloudflare-dns.com/dns-query | Client IPs not retained; commitments independently audited (KPMG) | Fastest global resolver, DNSSEC validation
Google Public DNS | https://dns.google/dns-query | Temporary logs (24-48h), then anonymized | High reliability, DNSSEC validation
Quad9 9.9.9.9 | https://dns.quad9.net/dns-query | No personal data logged | Malware domain blocking, DNSSEC enforced
NextDNS | https://dns.nextdns.io/<your-config-id> (https://firefox.dns.nextdns.io is the Firefox-specific endpoint) | No logs by default; optional per account | Customizable filtering, analytics
AdGuard DNS | https://dns.adguard.com/dns-query | No logs | Ad and tracker blocking
Mullvad DNS | https://adblock.dns.mullvad.net/dns-query (https://dns.mullvad.net/dns-query without blocking) | No logs | Privacy-focused, optional blocking
OpenDNS | https://doh.opendns.com/dns-query | Anonymous stats only | Content filtering, phishing protection

All of these resolvers support DoH over HTTP/2. Cloudflare and Google also serve DoH over HTTP/3, which runs on QUIC and saves a round trip on new connections. Whether you benefit depends on the browser negotiating HTTP/3 for its DoH connection; Chrome, Firefox, and Edge all support HTTP/3, and the upgrade, when it happens, is automatic and invisible.

When choosing a DoH provider, consider more than just speed. The resolver's privacy policy determines who can see your DNS queries after they are decrypted at the endpoint. A fast resolver that logs everything defeats the purpose of encrypting your queries in transit. For the best combination of speed and privacy, Cloudflare 1.1.1.1 or Quad9 are the strongest choices.

When DoH Might Not Be Right

DoH is not universally beneficial. There are legitimate scenarios where disabling DoH or using an alternative approach makes more sense.

Corporate and Managed Networks

Many corporate networks use DNS-based security filtering to block access to malicious websites, enforce acceptable use policies, and comply with regulatory requirements. When you enable DoH in your browser, your DNS queries bypass the corporate DNS resolver entirely, so the company's security tools cannot inspect or filter your DNS traffic. In some organizations this violates network security policy, and managed browsers are usually locked down for that reason: Chrome and Edge honour the DnsOverHttpsMode enterprise policy, Firefox honours its DNSOverHTTPS policy, and Firefox's default mode also switches DoH off when the local resolver answers NXDOMAIN for the canary domain use-application-dns.net. If your employer provides managed devices with specific DNS configurations, respect those settings.
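Two points made above, that DoH is picked out by resolver hostname or address rather than by port, and that a managed network tells Firefox to stand down through the canary domain, are easiest to see in code. The following is an added example, not code from this page or from any firewall vendor: it classifies constructed connection records the way a firewall or SIEM rule would, and applies Firefox's canary-domain rule. The resolver names and addresses are the public ones from the provider table above, use-application-dns.net is Firefox's actual canary domain, and the blocklist is a short hypothetical one, not an exhaustive list.

```python
"""Classify connection metadata as plaintext DNS, DoT, DoQ or DoH, and apply
Firefox's canary-domain rule.

Added example, not code from the original page. The flow records are
constructed to look like firewall connection logs (transport, destination,
port, TLS SNI). KNOWN_DOH_HOSTS and KNOWN_RESOLVER_IPS are a short,
hypothetical blocklist of the kind an administrator maintains; the entries are
the public resolvers from the page's provider table.
"""
import ipaddress

KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net",
                   "dns.adguard.com", "doh.opendns.com", "dns.nextdns.io"}
KNOWN_RESOLVER_IPS = {ipaddress.ip_address(a) for a in
                      ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}


def classify_flow(flow):
    """Return 'dns', 'dot', 'doq', 'doh' or 'other' for one flow record.

    The first three are identified by port alone. DoH on 443 is recognisable
    only by who it talks to: the SNI (absent under Encrypted Client Hello) or
    the destination address, matched against a resolver list."""
    port, proto = flow["dst_port"], flow["proto"]
    if port == 53:
        return "dns"
    if port == 853:
        return "dot" if proto == "tcp" else "doq"   # RFC 7858: TCP/853, RFC 9250: UDP/853
    if port == 443:
        sni = (flow.get("sni") or "").lower().rstrip(".")
        if sni in KNOWN_DOH_HOSTS:
            return "doh"
        if ipaddress.ip_address(flow["dst_ip"]) in KNOWN_RESOLVER_IPS:
            return "doh"                            # no SNI to go on; the address still tells
    return "other"


def summarize(flows):
    """Count flows per class: a quick view of which DNS paths a segment is using."""
    counts = {}
    for f in flows:
        label = classify_flow(f)
        counts[label] = counts.get(label, 0) + 1
    return counts


def canary_disables_firefox_doh(rcode, answer_count):
    """Firefox resolves use-application-dns.net through the network's own
    resolver before enabling DoH in default mode. NXDOMAIN (RCODE 3), or
    NOERROR with no A/AAAA answers, means the network objects and Firefox
    leaves DoH off. Users who chose Increased or Max protection bypass this."""
    return rcode == 3 or (rcode == 0 and answer_count == 0)


# Constructed flow records (not captured from any real network).
SAMPLE_FLOWS = [
    {"proto": "udp", "dst_ip": "10.0.0.2",       "dst_port": 53,  "sni": None},
    {"proto": "tcp", "dst_ip": "1.1.1.1",        "dst_port": 853, "sni": "cloudflare-dns.com"},
    {"proto": "udp", "dst_ip": "94.140.14.14",   "dst_port": 853, "sni": None},
    {"proto": "tcp", "dst_ip": "104.16.248.249", "dst_port": 443, "sni": "cloudflare-dns.com"},
    {"proto": "tcp", "dst_ip": "8.8.8.8",        "dst_port": 443, "sni": None},   # ECH hides the SNI; the IP does not
    {"proto": "tcp", "dst_ip": "93.184.216.34",  "dst_port": 443, "sni": "www.example.com"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print("canary NXDOMAIN disables DoH:", canary_disables_firefox_doh(3, 0))
```

The last sample flow is the limiting case: an HTTPS session to a host the list does not know stays "other", which is exactly the blind spot the article describes. A resolver on a fresh address or behind a CDN front end is indistinguishable from web traffic until someone adds it to the list.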

Parental Controls

Parents who use DNS-based content filtering to restrict adult content for children need those DNS queries to go through the filtering resolver. DoH in a child's browser bypasses those protections. On devices used by children, either disable DoH in the browser or use system-level DNS settings with DoT, which applies to all apps including browsers. You can also configure the router to force all DNS traffic through a filtering resolver regardless of what individual devices request.

Network Troubleshooting

When diagnosing network issues, being able to see and control DNS resolution is essential. With DoH enabled, a packet capture on port 53 shows nothing from the browser, the resolver that command-line tools query (dig, nslookup, Resolve-DnsName) is not the one the browser uses, and the two can return different answers. Network administrators troubleshooting DNS issues should temporarily disable DoH to get clean visibility into DNS behavior, or at least confirm which path the browser is taking: Firefox lists each cached name and whether it came via DoH (the TRR column) under about:networking#dns.

ISP-Level Content Delivery

Some ISPs and CDNs use DNS-based load balancing: the authoritative server hands out an address chosen for the resolver's location, or for the client's approximate location when the resolver forwards it using the EDNS Client Subnet (ECS) extension. When you bypass your ISP's DNS with a third-party DoH resolver, answers are tailored to that resolver's vantage point instead, and a resolver that withholds ECS for privacy (Cloudflare does not send it; Google does) gives the CDN less to work with, so you may be sent to a more distant edge server. This does not affect CDNs that route by anycast, such as Cloudflare, where every resolver returns the same address and the network picks the nearest site; it shows up with CDNs that steer by DNS, Akamai among them, and with smaller or regional ones.

Test Your DNS Speed

Now that you understand DoH, find out which resolver actually performs best from your network. Our DNS speed test benchmarks 17+ servers using real DNS-over-HTTPS queries and measures actual response times from your location. The results will tell you whether switching to a different DoH resolver could improve your browsing speed.


Frequently Asked Questions

Does DNS over HTTPS slow down my browsing?

DoH adds minimal overhead. Setting up the first connection costs a TCP and TLS handshake, roughly 10-20 ms on a typical broadband link. Subsequent queries reuse the persistent HTTPS connection, so the per-query cost drops to a few milliseconds at most and is usually dominated by the resolver's own response time. In practice, the difference is unnoticeable during normal browsing.

Is DNS over HTTPS the same as a VPN?

No. A VPN encrypts all network traffic between your device and the VPN server. DoH only encrypts DNS queries — the actual web traffic to websites is not routed through the DoH resolver. DoH hides your DNS lookups from your ISP, but your ISP can still see which IP addresses you connect to.

Can my ISP see that I'm using DoH?

Your ISP can see that you are making HTTPS connections to a specific IP address (like 1.1.1.1 or 8.8.8.8), but it cannot see the contents of those connections or which domains you are resolving. Because DoH traffic looks identical to regular HTTPS web traffic, it is difficult for ISPs to distinguish DoH from normal browsing on port 443.

Which browsers support DNS over HTTPS?

Firefox, Chrome, Edge, Opera, and Brave have built-in DoH settings. Firefox was the first major browser to enable it by default in 2020; Chrome and Edge upgrade automatically when the system resolver is a provider they recognise. Safari has no DoH setting of its own: it uses the system resolver, which on macOS and iOS can be configured for DoH through a configuration profile, and iCloud Private Relay separately encrypts Safari's lookups for iCloud+ subscribers.

Does DoH work on mobile devices?

Yes, through different mechanisms. Android 9 and later offer Private DNS, which is DoT rather than DoH; since Android 13 (and on Android 11 and later via Google Play system updates) the system resolver upgrades to DoH over HTTP/3 automatically when the configured resolver is Google or Cloudflare. iOS 14 and later support DoH system-wide through configuration profiles. Chrome and Firefox on Android also support DoH independently of the OS settings.

What is the difference between DoH, DoT, and DoQ?

DoH (DNS over HTTPS) wraps DNS queries in standard HTTPS traffic on port 443. DoT (DNS over TLS) encrypts DNS queries using TLS on port 853 over TCP. DoQ (DNS over QUIC) uses the QUIC protocol on port 853 over UDP and has the cheapest connection setup. All three encrypt DNS queries, but DoH blends best with normal web traffic, DoT is easiest for network administrators to manage, and DoQ offers the lowest connection latency.