
Securing Your DNS Queries: A Practical Guide to DNS-over-HTTPS
This guide covers what you need to know about encrypting your DNS traffic. You'll learn why unencrypted DNS queries expose your browsing habits, how DNS-over-HTTPS (DoH) works under the hood, and the steps to configure it on your devices, no advanced networking background required. By the end, the content of your DNS queries will be hidden from your ISP and from anyone sharing your local network, and you'll know what DoH still leaves visible.
Why Does Unencrypted DNS Matter?
Every time you visit a website, your device sends a DNS query to translate that friendly domain name into an IP address. Here's the problem—those queries typically travel in plain text. Your Internet Service Provider can see every site you visit. The coffee shop Wi-Fi you're using? Same vulnerability. Anyone with basic packet-sniffing tools on your local network can build a detailed profile of your online activity just by watching DNS traffic.
The implications go beyond privacy. When queries travel unauthenticated and in the clear, anyone on the path can rewrite the answer. You've probably seen a "helpful" ISP search page after mistyping a domain: the ISP's resolver replaced the "no such domain" answer with its own address. That's DNS hijacking in its benign form. The same technique on a hostile network steers users to phishing pages that mimic their bank or email provider. Encrypting the path to a resolver you trust defeats the on-path version of this; it does not stop a dishonest resolver from lying to you, which is what DNSSEC validation is for.
Traditional DNS over port 53 has been the standard since the 1980s. It was designed for a different internet, one where encryption overhead mattered and threat models were simpler. Today's network environment demands better. DNS-over-HTTPS wraps those queries inside HTTPS connections, so the names you look up ride in the same kind of encrypted traffic as everything else. An observer watching you resolve "wiredworld.blog" sees only a TLS connection to your resolver's address: they can tell you are talking to a DoH resolver, but not what you asked it.
How Does DNS-over-HTTPS Actually Work?
DoH sends DNS queries over standard HTTPS connections to resolvers that support it (the protocol is specified in RFC 8484). Instead of asking your ISP's DNS server directly, your device opens a TLS connection to a DoH provider such as Cloudflare, Google or Quad9. The DNS query travels inside that connection, protected from eavesdropping and tampering in transit, and the resolver's certificate tells your device it reached the provider it intended.
The implementation is elegant in its simplicity. Your browser or operating system builds an ordinary wire-format DNS query, then sends it either as the body of an HTTPS POST with the media type application/dns-message, or as a GET request with the query base64url-encoded in a dns= parameter. The resolver answers with a wire-format DNS message over the same connection, setting the HTTP cache lifetime from the record's TTL. Your device gets the addresses it needs, and the exchange looks like any other HTTPS request to anyone monitoring the link.
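The exchange just described, as an added Python example (not code from the article): it builds a wire-format query, shows both the GET and POST encodings from RFC 8484, and parses the answer with the checks a careful client makes. The resolver URL is Cloudflare's public endpoint; the sample response is constructed by hand with a documentation address so the parsing runs offline, and resolve_live() is the one function that actually goes to the network.

```python
"""RFC 8484 client pieces: wire-format query, GET/POST encoding, response parsing.

Added example, not from the original article. DOH_URL is Cloudflare's public
endpoint; SAMPLE_RESPONSE is constructed by hand (the answer 192.0.2.1 is a
documentation address) so parsing runs offline. resolve_live() uses the network.
"""
import base64
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"
TYPE_A, CLASS_IN = 1, 1


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """One-question query in RFC 1035 wire format with RD=1. The ID is fixed at 0,
    as RFC 8484 recommends, so identical questions give identical bytes and HTTP
    caches between client and resolver can serve repeats."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def get_url(query: bytes, url: str = DOH_URL) -> str:
    """GET form: the query goes in ?dns= as base64url with the '=' padding stripped."""
    return url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def post_request(query: bytes, url: str = DOH_URL) -> urllib.request.Request:
    """POST form: the raw query is the body, typed application/dns-message."""
    return urllib.request.Request(url, data=query, method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name (RFC 1035 4.1.4); returns (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(response: bytes, query: bytes) -> list:
    """A-record addresses from a response, after checking it answers our query:
    same ID, QR set, no error code, not truncated, and the question echoed back."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x0200:
        raise ValueError("truncated response")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        _name, off = _read_name(response, off)
        off += 4                                   # QTYPE + QCLASS
    if response[12:off] != query[12:]:
        raise ValueError("question section does not match the query we sent")
    addrs = []
    for _ in range(an):
        _name, off = _read_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata, off = response[off:off + rdlen], off + rdlen
        if (rtype, rclass, rdlen) == (TYPE_A, CLASS_IN, 4):
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def resolve_live(name: str, url: str = DOH_URL) -> list:
    """Send the POST form to a real resolver (needs network access)."""
    query = build_query(name)
    with urllib.request.urlopen(post_request(query, url), timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0]
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected content type {ctype!r}")
        return parse_a_records(resp.read(), query)


# Constructed sample: a NOERROR answer for example.com with one A record whose
# owner name is a compression pointer (0xC00C) back to the question at offset 12.
SAMPLE_QUERY = build_query("example.com")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + SAMPLE_QUERY[12:]
                   + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                   + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print("GET :", get_url(SAMPLE_QUERY))
    print("POST:", post_request(SAMPLE_QUERY).get_method(), "body of", len(SAMPLE_QUERY), "bytes")
    print("parsed sample answer:", parse_a_records(SAMPLE_RESPONSE, SAMPLE_QUERY))
```

For "www.example.com" the GET form reproduces the encoded query RFC 8484 itself uses as its worked example, which is a handy way to confirm an encoder. The question-echo check matters more than it looks: it is the only thing tying the answer to what you asked, since the ID is always 0.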
This differs from DNS-over-TLS (DoT), which encrypts DNS traffic on a dedicated port (853) and is therefore easy to block with a single firewall rule. DoH uses port 443, the same port as all HTTPS traffic, so it can't be blocked by port. Administrators have to block it by destination instead, filtering known resolver hostnames and addresses or managing browser policy (Firefox also turns off its default DoH on networks that answer its canary domain, use-application-dns.net, with NXDOMAIN). That's a feature for users in restrictive environments, and a headache for corporate IT teams that rely on DNS monitoring for security.
Performance concerns often come up here. Does encryption slow things down? In many cases DoH is no slower, and sometimes faster. Major providers run global anycast networks that answer faster than typical ISP resolvers, and a DoH client keeps one HTTP/2 connection open and reuses it, so the TLS handshake is paid once rather than per query. The per-query encryption cost is negligible on modern hardware. You're trading a little connection setup for a meaningful privacy gain.
What's the Best Way to Set Up DoH on Different Devices?
Configuration varies by platform, but most modern operating systems now support DoH natively or through simple application settings. Here's how to enable it across your devices.
Windows 11 Configuration
Windows 11 has native DoH support (Windows 10 doesn't expose it in Settings). Open Settings > Network & Internet, choose Wi-Fi or Ethernet, and open the properties of your active connection. Next to "DNS server assignment" click Edit, switch from Automatic to Manual, turn on IPv4, and enter the resolver's address (1.1.1.1 for Cloudflare, 8.8.8.8 for Google, 9.9.9.9 for Quad9).
For a resolver on Windows' built-in list (Cloudflare, Google and Quad9, including their secondary addresses), a "DNS over HTTPS" dropdown appears; choose "On (automatic template)". For any other provider choose "On (manual template)" and paste the provider's DoH template URL, for example https://cloudflare-dns.com/dns-query. Leave "Fallback to plaintext" off, so that a blocked endpoint fails visibly instead of quietly reverting to unencrypted DNS. Click Save. To confirm, run `netsh dns show encryption` from a command prompt and check that your server is listed with a template.
macOS Setup
Apple added system-wide encrypted DNS (both DoH and DoT) in macOS Big Sur and iOS 14, but there is no switch for it in System Settings > Network; the DNS section there only accepts plain resolver addresses, and entering 1.1.1.1 or 8.8.8.8 gives you unencrypted DNS to that provider. Encrypted DNS is configured either by installing a configuration profile that carries a DNS Settings payload (the provider's DoH URL and server addresses) or by an app built on the NetworkExtension framework, such as Cloudflare's 1.1.1.1 app.
After installing a profile you'll find it under System Settings > General > Device Management (Profiles on older versions), and every application on the system uses the encrypted resolver. Apple maintains documentation on the payload's keys for administrators who want to generate their own profiles.
Browser-Level Protection
Modern browsers offer DoH independent of your operating system—useful if you can't modify system DNS settings. In Firefox, open Settings > Privacy & Security, scroll to DNS over HTTPS, and select your provider. Chrome uses "Secure DNS" under Settings > Privacy and Security > Security. Edge follows a similar path.
Browser-level DoH only protects traffic from that specific browser. Other applications on your system still use unencrypted DNS. It's a good starting point, but system-level configuration provides comprehensive protection.
Mobile Devices
Android 9 and later supports "Private DNS" natively. Go to Settings > Network & Internet > Private DNS, select "Private DNS provider hostname," and enter your provider's hostname (one.one.one.one for Cloudflare, dns.google for Google, dns.quad9.net for Quad9). Note that Private DNS uses DNS-over-TLS rather than DoH; newer Android releases upgrade to DoH automatically for some providers, but the privacy effect is the same either way. iOS 14 and later supports encrypted DNS the same way macOS does: there's no toggle in Settings, so you install a configuration profile or use an app such as Cloudflare's 1.1.1.1.
Which DNS Provider Should You Trust?
Not all DoH resolvers are equal. Your DNS provider sees every domain you visit—even if your ISP doesn't. Choosing the right one matters.
Cloudflare (1.1.1.1) runs one of the fastest resolver networks and commits to purging query logs within about a day. Its privacy policy states it doesn't sell the data or use it for advertising, and it has had those commitments audited by an outside firm.
Google Public DNS (8.8.8.8) provides excellent performance and validates DNSSEC, but it does not filter malicious domains. And Google already knows plenty about your online activity; adding DNS data to that profile raises obvious privacy concerns. Google states that it doesn't correlate Public DNS logs with other Google services or use them for advertising, but skeptics note the policy could change.
Quad9 (9.9.9.9) operates as a non-profit with a privacy-first mission. Based in Switzerland (with strong privacy laws), they don't log identifying data and partner with threat intelligence providers to block malicious domains at the DNS level. The trade-off is slightly slower performance compared to commercial providers.
Mullvad and ProtonVPN also offer DNS services aimed at privacy-focused users. Some advanced users run their own resolver with software like AdGuard Home, which can both forward to and serve DoH, or Pi-hole paired with a local DoH proxy such as cloudflared for its upstream queries. That gives complete control over filtering and logging, at the cost of technical setup and, unless you run a full recursive resolver, still trusting whichever upstream you forward to.
Are There Downsides to DNS-over-HTTPS?
DoH isn't perfect, and understanding the limitations helps you make informed decisions. The technology centralizes DNS resolution to a handful of large providers. Instead of thousands of ISPs handling DNS, most DoH traffic flows through Cloudflare, Google, and a few others. That's a concentration of power that concerns some internet governance advocates.
Corporate networks present another challenge. Many organizations use DNS filtering to block malicious sites and enforce security policy, and their incident responders rely on DNS logs to find infected hosts. DoH bypasses both if it isn't managed. Some enterprise networks block known DoH endpoints for this reason, and their security teams watch for the tell-tale signs: a client resolving a DoH provider's hostname over plain DNS, then opening port 443 to a known resolver address. If you're on a work network, check with IT before enabling DoH; it could violate policy or blind the controls that protect you.
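From the network operator's side, here is what that watching looks like, as an added Python example (not code from the article). The log lines are constructed for the example in a tab-separated, Zeek-like layout; the resolver hostnames and addresses are real public endpoints, and use-application-dns.net is Firefox's canary domain.

```python
"""Spot encrypted-DNS use from DNS and connection logs, on a network you run.

Added example, not from the original article. SAMPLE_DNS_LOG and
SAMPLE_CONN_LOG are constructed; the resolver names and addresses are real
public DoH/DoT endpoints. A network that answers the Firefox canary domain
with NXDOMAIN tells Firefox not to enable DoH by default (it does not
override a user's explicit choice), so a canary lookup is worth logging too.
"""
import ipaddress
from collections import defaultdict

# Public resolvers that speak DoH. A production list would be longer and kept current.
DOH_HOSTNAMES = {
    "cloudflare-dns.com", "dns.google", "dns.quad9.net",
    "dns.adguard.com", "doh.opendns.com",
}
DOH_RESOLVER_IPS = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112",
)}
CANARY = "use-application-dns.net"


def _under(name: str, zones) -> bool:
    """True if name equals or is a subdomain of any zone (case-insensitive)."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def scan_dns_log(lines):
    """Flag plain-DNS lookups that precede a switch to DoH.
    Fields: ts, client, qname, rcode (tab-separated)."""
    findings = []
    for line in lines:
        ts, client, qname, _rcode = line.rstrip("\n").split("\t")
        if _under(qname, {CANARY}):
            findings.append((ts, client, "firefox-canary-probe", qname))
        elif _under(qname, DOH_HOSTNAMES):
            findings.append((ts, client, "doh-endpoint-lookup", qname))
    return findings


def scan_conn_log(lines):
    """Flag encrypted-DNS sessions. Fields: ts, client, dst_ip, dst_port, proto.

    DoT is obvious from its dedicated port (853). DoH hides on 443, so the only
    network-level signal left is the destination: a known resolver address."""
    findings = []
    for line in lines:
        ts, client, dst, port, proto = line.rstrip("\n").split("\t")
        if proto == "tcp" and port == "853":
            findings.append((ts, client, "dot-session", dst))
        elif proto == "tcp" and port == "443" and ipaddress.ip_address(dst) in DOH_RESOLVER_IPS:
            findings.append((ts, client, "doh-session", dst))
    return findings


def clients_by_finding(findings):
    """Group evidence per client so one host's trail reads together."""
    grouped = defaultdict(list)
    for _ts, client, kind, detail in findings:
        grouped[client].append((kind, detail))
    return dict(grouped)


# Constructed sample logs (not real traffic). 10.0.0.7 only does ordinary
# port-53 DNS and an HTTPS visit to an unrelated host, so it should not appear.
SAMPLE_DNS_LOG = [
    "1700000000.1\t10.0.0.5\tuse-application-dns.net\tNXDOMAIN",
    "1700000000.2\t10.0.0.5\tcloudflare-dns.com\tNOERROR",
    "1700000001.0\t10.0.0.7\tintranet.corp.example\tNOERROR",
    "1700000002.3\t10.0.0.9\tdns.quad9.net\tNOERROR",
]
SAMPLE_CONN_LOG = [
    "1700000000.4\t10.0.0.5\t1.1.1.1\t443\ttcp",
    "1700000001.2\t10.0.0.7\t192.0.2.10\t443\ttcp",
    "1700000002.5\t10.0.0.9\t9.9.9.9\t853\ttcp",
    "1700000003.0\t10.0.0.7\t8.8.8.8\t53\tudp",
]


def scan_samples():
    """Run both scanners over the constructed logs and group the results."""
    return clients_by_finding(scan_dns_log(SAMPLE_DNS_LOG) + scan_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for client, evidence in sorted(scan_samples().items()):
        print(client, evidence)
```

The destination check is the weak link: a resolver you don't have on the list, or a DoH proxy the user runs on a VPS, leaves nothing for it to match. That is why enterprises that care usually pair this kind of detection with policy that forces managed browsers and operating systems onto an internal resolver rather than trying to blocklist the world.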
Split-horizon DNS (where internal company domains resolve differently than external ones) can break with DoH. Your device sends every query to the external resolver, which has never heard of your internal servers. Solutions exist, such as an internal resolver that itself speaks DoH, or per-domain rules that send only the corporate zones to it, but they take deliberate setup.
Finally, DoH encrypts the query, not the connection that follows it. Your ISP still sees the IP address you connect to, and the TLS handshake that opens the connection carries the server's name in the clear in the SNI field, so the domain is usually visible anyway (Encrypted Client Hello, which closes that gap, is still being rolled out). Reverse DNS lookups on the address can reveal the site as well. DoH is one layer of privacy protection, not a complete solution. Pair it with a VPN for comprehensive traffic protection, or accept the limitations of encrypted DNS alone.
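To make that limitation concrete, an added Python example (not code from the article) builds a TLS ClientHello the way a client does when opening an HTTPS connection, then pulls the server name out of it the way a passive sniffer would. The two flows are constructed: the DoH session to 1.1.1.1, then the visit it resolved, with 192.0.2.10 (a documentation address) standing in for the site.

```python
"""What an on-path observer still sees once DNS itself is encrypted.

Added example, not from the original article. build_client_hello() makes a
minimal but well-formed ClientHello record; extract_sni() reads the Server
Name Indication from it. SAMPLE_FLOWS is constructed: the DoH resolver at
1.1.1.1, then the article's example domain at the documentation address
192.0.2.10.
"""
import os
from typing import Optional


def _alpn_extension(protocols) -> bytes:
    """ALPN extension (type 16): length-prefixed list of protocol names, also in the clear."""
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    data = len(names).to_bytes(2, "big") + names
    return b"\x00\x10" + len(data).to_bytes(2, "big") + data


def _sni_extension(host: str) -> bytes:
    """server_name extension (type 0) carrying one host_name entry (name_type 0)."""
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    data = len(entry).to_bytes(2, "big") + entry
    return b"\x00\x00" + len(data).to_bytes(2, "big") + data


def build_client_hello(server_name: str) -> bytes:
    """TLS record holding a ClientHello (RFC 8446 4.1.2) with ALPN then SNI."""
    extensions = _alpn_extension(["h2", "http/1.1"]) + _sni_extension(server_name)
    body = (
        b"\x03\x03"             # legacy_version: TLS 1.2
        + os.urandom(32)        # client random
        + b"\x00"               # empty legacy_session_id
        + b"\x00\x02\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"           # legacy_compression_methods: null only
        + len(extensions).to_bytes(2, "big") + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """host_name from a ClientHello record, or None if it isn't one or has no SNI.

    Everything parsed here is unencrypted: record and handshake framing, the
    extension list and the server name. Only Encrypted Client Hello hides the
    name, and it needs support from both client and server."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                       # not a handshake record
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                       # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                          # skip version and random
    off += 1 + body[off]                                  # legacy_session_id
    off += 2 + int.from_bytes(body[off:off + 2], "big")   # cipher_suites
    off += 1 + body[off]                                  # compression_methods
    if off + 2 > len(body):
        return None                                       # no extensions at all
    end = off + 2 + int.from_bytes(body[off:off + 2], "big")
    off += 2
    while off + 4 <= end:
        etype = int.from_bytes(body[off:off + 2], "big")
        elen = int.from_bytes(body[off + 2:off + 4], "big")
        edata = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != 0:
            continue                                      # skip ALPN, groups, versions...
        p = 2                                             # past server_name_list length
        while p + 3 <= len(edata):
            ntype, nlen = edata[p], int.from_bytes(edata[p + 1:p + 3], "big")
            if ntype == 0:
                return edata[p + 3:p + 3 + nlen].decode("ascii")
            p += 3 + nlen
    return None


def observed_names(flows):
    """What a passive observer records per connection: destination and SNI."""
    return [(dst_ip, extract_sni(first_packet)) for dst_ip, first_packet in flows]


# Constructed flows: the DoH session, then the visit it resolved.
SAMPLE_FLOWS = [
    ("1.1.1.1", build_client_hello("cloudflare-dns.com")),
    ("192.0.2.10", build_client_hello("wiredworld.blog")),
]

if __name__ == "__main__":
    for dst, name in observed_names(SAMPLE_FLOWS):
        print(f"{dst:<12} SNI={name}")
```

Run it and the observer's log reads like the plain-DNS log it was supposed to replace: the query to the resolver is opaque, but the very next connection announces "wiredworld.blog" in the clear. The ALPN list leaks a little too (an "h2" connection to a known resolver address is a DoH session). This is the gap a VPN covers, by moving the whole handshake inside its tunnel, and the gap Encrypted Client Hello is designed to close.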
