The Privacy Problem with Traditional DNS
Every time you visit a website, your device performs a DNS (Domain Name System) lookup to translate the human-readable domain name (like safetoolshub.com) into the IP address your browser needs to connect. Traditional DNS sends these queries in plain text over the network, completely unencrypted.
This means that your Internet Service Provider (ISP) can see every website you visit, even when you are using HTTPS to encrypt the actual page content. Network administrators, anyone on the same Wi-Fi network, and attackers performing man-in-the-middle attacks can also observe your DNS queries. Your ISP may log these queries, sell aggregated browsing data to advertisers, or be compelled to share it with government agencies.
Think of it this way: HTTPS encrypts the content of your web activity (like a sealed envelope), but traditional DNS reveals the addresses on the envelopes to everyone between you and the mail carrier. DNS over HTTPS seals those addresses too.
How DNS over HTTPS Works
DNS over HTTPS (DoH) encrypts DNS queries by wrapping them inside HTTPS connections, the same encryption protocol that protects your web browsing. Instead of sending a plain-text DNS query to your ISP's resolver on port 53, your device sends an encrypted HTTPS request to a DoH-compatible DNS resolver on port 443.
The resolver decrypts the query, performs the DNS lookup, and returns the encrypted response. Anyone monitoring the network between your device and the resolver sees only encrypted HTTPS traffic indistinguishable from normal web browsing. They cannot see which domain names you are looking up.
DoH provides confidentiality (nobody on the path can read your queries), integrity (DNS responses cannot be altered in transit without detection), and authentication (the TLS certificate verifies that you are talking to the resolver you configured, not an impostor).
DoH vs. DoT: Two Approaches to DNS Encryption
DNS over TLS (DoT) is an alternative approach that also encrypts DNS queries but uses a dedicated port (853) and wraps queries in TLS rather than HTTPS. Both provide strong encryption, but they differ in practical ways.
DoH on port 443 is indistinguishable from regular HTTPS traffic, making it difficult for network administrators to block or filter. DoT on port 853 uses a distinct port that network administrators can easily identify and block. This difference makes DoH more resistant to censorship but harder for organizations to monitor for legitimate security purposes.
For individual users focused on privacy, DoH is generally the better choice because it blends with normal web traffic. For organizations that need visibility into DNS queries for security monitoring while still encrypting them against external eavesdroppers, DoT may be more appropriate.
Configuring DoH in Your Browser
Firefox
Firefox was the first major browser to support DoH and provides the most straightforward configuration. Open Settings, scroll to the bottom of the General section, and click Network Settings. Check the box for "Enable DNS over HTTPS" and select your preferred provider from the dropdown. Firefox uses Cloudflare by default but also offers NextDNS and allows custom resolver URLs.
Firefox also supports a "Max Protection" mode that refuses to fall back to traditional DNS if the DoH resolver is unreachable. This provides the strongest privacy guarantee but may cause connectivity issues on some networks.
Chrome and Edge
In Chrome, navigate to Settings, then Privacy and Security, then Security. Scroll to the Advanced section and enable "Use secure DNS." Select "With your current service provider" if your ISP supports DoH, or choose a custom provider like Cloudflare, Google, or Quad9.
Microsoft Edge uses the same setting path: Settings, then Privacy, Search, and Services, then Security, then "Use secure DNS."
Safari
Safari on macOS and iOS supports encrypted DNS through system-level configuration rather than browser settings. You can install DNS profile configurations from providers like Cloudflare (1.1.1.1 app) or NextDNS that route all DNS queries through encrypted connections system-wide.
Operating System Level Configuration
For comprehensive protection that covers all applications (not just your browser), configure DoH at the operating system level.
Windows 11
Windows 11 supports DoH natively. Open Settings, navigate to Network and Internet, then your active connection's properties. Under DNS server assignment, click Edit and select "DNS over HTTPS" for both the preferred and alternate DNS servers. Enter the IP addresses of your chosen DoH provider.
macOS
macOS supports encrypted DNS through configuration profiles. You can create a profile manually using Apple Configurator or install one from your DNS provider. Once installed, the profile routes all DNS queries through the encrypted resolver.
iOS and Android
Both mobile platforms support encrypted DNS. On iOS 14 and later, DNS configuration profiles work system-wide. On Android 9 and later, go to Settings, then Network and Internet, then Private DNS, and enter the hostname of your DoH provider (such as dns.cloudflare.com).
Comparing DNS Providers
Cloudflare (1.1.1.1) focuses on privacy and speed. They commit to not selling user data, purge query logs within 24 hours, and publish regular third-party audits of their privacy practices. Their network is among the fastest globally.
Google (8.8.8.8) offers reliable, high-performance DNS with DoH support. However, Google logs some query data and may use it in aggregate for service improvement. For users already deeply integrated with Google services, the marginal privacy impact may be minimal.
Quad9 (9.9.9.9) is operated by a nonprofit and focuses on both privacy and security. It blocks known malicious domains by default, adding a layer of threat protection to your DNS queries. Quad9 does not log personally identifiable information.
NextDNS offers a customizable DoH experience with configurable blocking lists, analytics, and per-device settings. It provides both a free tier with limited queries and a paid tier with unlimited queries.
Limitations to Understand
DoH encrypts the DNS lookup, but it does not hide your traffic from the DoH resolver itself. You are shifting trust from your ISP to the DoH provider. Choose a provider whose privacy practices you trust and verify.
DoH also does not encrypt the Server Name Indication (SNI) field in TLS connections, which still reveals the domain you are connecting to. Encrypted Client Hello (ECH) is an emerging standard that addresses this gap and, when combined with DoH, provides significantly more comprehensive privacy protection.
For users who want to verify their DNS configuration is working correctly, tools like our speed test can help confirm your connection is routing properly, while DNS leak test websites can verify that your queries are reaching the intended encrypted resolver.
Raimundo Coelho
Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.